AWS

Data Collection with Storage

  • External block storage acts much like a USB drive for the cloud: it lets you add a disk to a running instance (on AWS this is an EBS volume).

  • If you provision and attach more block storage to a Windows instance, it shows up in Disk Management; bring it online, but do not initialize or format a volume that holds evidence.

  • On Linux, find the new device and mount it on a mount point (read-only when it is evidence):

sudo fdisk -l                  # or lsblk: find the newly attached device
sudo mkdir -p /mnt/sdh1 && sudo mount -o ro /dev/sdh1 /mnt/sdh1
# replace sdh1 with the actual device; on Nitro instances the volume appears as /dev/nvmeXn1 regardless of the device name requested at attach time

Collection of AWS Storage

aws ec2 describe-volumes | jq -r '.Volumes[] | select(.AvailabilityZone | contains("us-east-1")) | .VolumeId'
# prints the IDs of the volumes in that region's availability zones; a volume and the instance it is attached to must be in the same zone
aws ec2 attach-volume --volume-id vol-VOLUME_NUMBER --instance-id INSTANCE_ID --device /dev/sdh
# for evidence, snapshot the suspect volume and attach a volume created from the snapshot rather than the original
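The acquisition above, carried through as an added example (this is not code from the original notes): snapshot the suspect volume, create a fresh volume from the snapshot in the analysis instance's availability zone, attach it, and mount it read-only on the analysis box. It assumes the aws CLI v2 is installed with credentials allowed to call ec2:CreateSnapshot, CreateVolume, AttachVolume and DescribeInstances; the volume, instance and device names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes. Forensic EBS acquisition:
# snapshot -> volume built from the snapshot in the analysis instance's AZ
# (volumes are AZ-bound) -> attach -> read-only mount.
# Assumes aws CLI v2; IDs used in the usage line are hypothetical.
set -eu

# Snapshot the suspect volume; prints the snapshot ID.
snapshot_volume() {
  aws ec2 create-snapshot --volume-id "$1" \
      --description "IR copy of $1" \
      --query 'SnapshotId' --output text
}

# Availability zone of the analysis instance (the new volume must be created there).
instance_az() {
  aws ec2 describe-instances --instance-ids "$1" \
      --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

# Create a volume from the snapshot in the given AZ and attach it to the
# analysis instance; prints the new volume ID once it is in use.
attach_snapshot_copy() {
  snap="$1"; az="$2"; instance="$3"; device="${4:-/dev/sdh}"
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
          --query 'VolumeId' --output text)
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$instance" \
      --device "$device" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$vol"
  echo "$vol"
}

# Whole acquisition: collect <suspect-volume-id> <analysis-instance-id>
# Prints the ID of the attached copy.
collect() {
  snap=$(snapshot_volume "$1")
  az=$(instance_az "$2")
  attach_snapshot_copy "$snap" "$az" "$2"
}

# Run on the analysis instance itself. On Nitro instances the device requested
# as /dev/sdh shows up as /dev/nvmeXn1 (check lsblk), so pass the real partition.
# ro plus noload (ext3/ext4: do not replay the journal) leaves the copy untouched;
# for XFS use ro,norecovery instead.
mount_evidence() {   # mount_evidence <partition-device> <mount-point>
  sudo mkdir -p "$2"
  sudo mount -o ro,noload "$1" "$2"
}

if [ "$#" -ge 2 ]; then   # usage: ./ebs_collect.sh vol-0fedcba9876543210 i-0123456789abcdef0
  collect "$1" "$2"
fi
```

The snapshot is what you keep as evidence; the attached volume is a working copy, so nothing done on the analysis instance can alter what the suspect instance still holds.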

Cloud Logging

  • Once you have the cloud logs, manual analysis is extremely difficult; use automated tools.

s3logparse.py useragent USER_AGENT_HERE
#search for a specific user-agent
  • Examine the logs in a web-server-style view served by the client:

zcat /path/to/logs/* > /home/logs/log_flow.txt
export LOG_TEXT=/home/logs/log_flow.txt
npm run build-graph
npm run client
# the client starts on localhost:8080
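What the user-agent search above does under the hood, as an added example (not code from the original notes or from s3logparse.py): plain awk over S3 server access logs, whose fields are space-separated except for the quoted request URI, referrer and user agent. Splitting on the double quote makes the user agent a single field no matter how many spaces it contains. The log lines are constructed for the example; the bucket, account and user names in them are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes or of s3logparse.py.
# Filters and summarises S3 server access logs by user agent with awk.
# The sample log is constructed; names and IDs in it are hypothetical.
set -eu

# Write a constructed S3 server access log to a temp file and print its path.
write_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket1 [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /awsexamplebucket1?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket1.s3.us-east-1.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket1 [06/Feb/2019:00:01:00 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/jack 7B4A0FABBEXAMPLE REST.GET.BUCKET - "GET /awsexamplebucket1?list-type=2 HTTP/1.1" 200 - 1234 - 12 11 "-" "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0" - s9lzHYrFp76ZVxRcpX9EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket1.s3.us-east-1.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket1 [06/Feb/2019:00:01:05 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/jack 891CE47D2EXAMPLE REST.GET.OBJECT backups/db.sql "GET /awsexamplebucket1/backups/db.sql HTTP/1.1" 200 - 5242880 5242880 1200 20 "-" "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0" - s9lzHYrFp76ZVxRcpX9EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket1.s3.us-east-1.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket1 [06/Feb/2019:00:02:10 +0000] 203.0.113.5 - A1206F460EXAMPLE REST.GET.OBJECT index.html "GET /awsexamplebucket1/index.html HTTP/1.1" 200 - 2048 2048 15 5 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0" - s9lzHYrFp76ZVxRcpX9EXAMPLE= - - - awsexamplebucket1.s3.us-east-1.amazonaws.com TLSv1.2
EOF
  echo "$f"
}

# Requests whose user agent contains $2: prints time, requester, operation, key.
# With '"' as the separator, $6 is the user agent; the unquoted prefix $1 is
# then split on whitespace (f[3] time, f[6] requester, f[8] operation, f[9] key).
s3_by_useragent() {   # s3_by_useragent <log-file> <user-agent-substring>
  awk -F'"' -v ua="$2" '
    index($6, ua) {
      split($1, f, " ")
      print substr(f[3], 2), f[6], f[8], f[9]
    }' "$1"
}

# Request count per distinct user agent, most frequent first.
s3_useragent_counts() {   # s3_useragent_counts <log-file>
  awk -F'"' '{ n[$6]++ } END { for (u in n) print n[u], u }' "$1" | sort -rn
}

if [ "$#" -ge 1 ]; then   # usage: ./s3ua.sh aws-cli   (hypothetical script name)
  log=$(write_sample_log)
  s3_by_useragent "$log" "$1"
  s3_useragent_counts "$log"
  rm -f "$log"
fi
```

Point the two functions at `log_flow.txt` from the steps above instead of the sample to run them on real logs; a user agent that appears once in a bucket's history, or an aws-cli agent on a bucket only ever read by browsers, is usually the first lead.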

Revoking Cloud Keys

  • Most compromises involve an unauthorized party getting hold of a cloud access key.

  • In the AWS console, search by user name or access key ID under IAM --> Users, then deactivate the compromised key (deactivating rather than deleting keeps the key ID around for attribution).

# Set-ADAccountPassword is the on-premises ActiveDirectory module cmdlet; in a hybrid setup the reset reaches Azure AD through Azure AD Connect password hash sync
$NewPassword = Read-Host -AsSecureString "New password for jack"
Set-ADAccountPassword -Identity jack -Reset -NewPassword $NewPassword
Set-ADAccountPassword -Identity jack -Reset -NewPassword $NewPassword
  • For Azure AD, make sure to reset the password twice (which is why the command appears twice).
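The IAM console steps above done from the CLI, as an added example (not code from the original notes), for the case where the only artefact you hold is an access key ID seen in CloudTrail or S3 logs. It assumes the aws CLI v2 with credentials allowed to call sts:GetAccessKeyInfo, iam:ListUsers, ListAccessKeys, UpdateAccessKey and PutUserPolicy; the user names and key IDs in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes. Contain a leaked IAM access
# key: confirm the account, find the owning user, deactivate the user's keys,
# and deny temporary credentials issued before now.
# Assumes aws CLI v2; names and key IDs in the usage line are hypothetical.
set -eu

# Account that issued the key. A foreign account ID means it is not yours to revoke.
key_account() {   # key_account <access-key-id>
  aws sts get-access-key-info --access-key-id "$1" --query 'Account' --output text
}

# IAM user that owns the key; prints the user name, or fails if none matches.
# IAM has no reverse lookup, so every user's key list is scanned.
find_key_owner() {   # find_key_owner <access-key-id>
  users=$(aws iam list-users --query 'Users[].UserName' --output text)
  for user in $users; do
    keys=$(aws iam list-access-keys --user-name "$user" \
             --query 'AccessKeyMetadata[].AccessKeyId' --output text)
    for k in $keys; do
      if [ "$k" = "$1" ]; then
        echo "$user"
        return 0
      fi
    done
  done
  return 1
}

# Deactivate (rather than delete) every key of the user: the key ID stays in
# IAM for attribution and can be reactivated if a legitimate job breaks.
deactivate_user_keys() {   # deactivate_user_keys <user-name>
  keys=$(aws iam list-access-keys --user-name "$1" \
           --query 'AccessKeyMetadata[].AccessKeyId' --output text)
  for k in $keys; do
    aws iam update-access-key --user-name "$1" --access-key-id "$k" --status Inactive
    echo "deactivated $k"
  done
}

# Temporary credentials already minted stay valid until they expire, so deny
# any request signed with a token issued before the given time (the same
# aws:TokenIssueTime condition the console's "revoke active sessions" uses for roles).
deny_sessions_issued_before() {   # deny_sessions_issued_before <user-name> <ISO-8601 UTC>
  doc=$(printf '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"DateLessThan":{"aws:TokenIssueTime":"%s"}}}]}' "$2")
  aws iam put-user-policy --user-name "$1" --policy-name IRRevokeOlderSessions \
      --policy-document "$doc"
}

# Whole containment for one key ID; first line printed is "owner <user>".
contain_key() {   # contain_key <access-key-id>
  owner=$(find_key_owner "$1")
  echo "owner $owner"
  deactivate_user_keys "$owner"
  deny_sessions_issued_before "$owner" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

if [ "$#" -ge 1 ]; then   # usage: ./revoke_key.sh AKIAIOSFODNN7EXAMPLE
  echo "issuing account: $(key_account "$1")"
  contain_key "$1"
fi
```

Deactivating the key stops new requests signed with it; the deny policy covers sessions the attacker already opened with temporary credentials, which otherwise run until they expire. Keep the inactive key until the CloudTrail review is finished, then delete it.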
