Execute Commands on SageMaker Notebook Instance via Lifecycle Configuration

slow idempotent

Platform: AWS

Mappings

• MITRE ATT&CK
  • Execution
• Privilege Escalation

Description

An attacker with permissions to stop, update, and start a SageMaker Notebook instance can execute code inside this instance by attaching a malicious lifecycle configuration script to a stopped instance. When the instance is restarted, this script executes automatically, allowing the attacker execute arbitrary commands, for instance to exfiltrate the instance's IAM execution role credentials.

Warm-up:

• Create a SageMaker Notebook Instance with an IAM Execution Role that possesses sensitive privileges (the victim role).
• Create an Attacker IAM Identity with only the permissions to stop, update, and start the notebook and to inject a malicious lifecycle configuration script.

Detonation:

• Update the lifecycle configuration script via a Stop-Update-Start API sequence
• Execute malicious code

References:

• https://www.plerion.com/blog/privilege-escalation-with-sagemaker-and-execution-roles

Instructions

Detonate with Stratus Red Team

stratus detonate aws.execution.sagemaker-update-lifecycle-config

Detection

Through CloudTrail's UpdateNotebookInstance events. You can also watch for suspicious sequences of StopNotebookInstance and StopNotebookInstance events correlated with UpdateNotebookInstance events.