
Open Ingress Port 22 on a Security Group

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Opens ingress traffic on port 22 from the Internet (0.0.0.0/0).

Warm-up:

  • Create a VPC and a security group inside it.

Detonation:

  • Call ec2:AuthorizeSecurityGroupIngress to allow ingress traffic on port 22 from 0.0.0.0/0.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress

Detection

Alert on the CloudTrail event AuthorizeSecurityGroupIngress when:

  • requestParameters.cidrIp is 0.0.0.0/0 (or ::/0, or an external IP range you do not recognize)
  • and requestParameters.fromPort/requestParameters.toPort is not a port that is commonly exposed on purpose (such as 80 or 443), or the range covers a known administrative protocol such as SSH (22) or RDP (3389)
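The detection logic above, run over constructed CloudTrail events, as an added example that is not part of the Stratus Red Team project. It checks both request shapes CloudTrail records for this API: the flat cidrIp/fromPort/toPort form seen in the detonation log below, and the form where ranges sit under requestParameters.ipPermissions.items[] (the ipRanges/ipv6Ranges key names and the ADMIN_PORTS list are assumptions, not something this page documents). It treats any /0 mask as the whole Internet, so an anonymized value such as 208.236.235.254/0 still matches. The sample events, account IDs and security group IDs are constructed.

```python
import ipaddress

# Ports routinely exposed to the Internet on purpose; not worth an alert on their own.
COMMONLY_EXPOSED_PORTS = {80, 443}
# Administrative protocols that should never be reachable from 0.0.0.0/0 (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


def is_world_open(cidr):
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0).
    strict=False keeps host bits, so 203.0.113.7/0 is recognized as the Internet too."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def iter_rules(request_parameters):
    """Yield (cidr, ipProtocol, fromPort, toPort) for every range in the request.
    Handles the flat legacy form and the nested ipPermissions form (key names assumed)."""
    rp = request_parameters
    if rp.get("cidrIp"):
        yield rp["cidrIp"], rp.get("ipProtocol"), rp.get("fromPort"), rp.get("toPort")
    for perm in (rp.get("ipPermissions") or {}).get("items", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in (perm.get(key) or {}).get("items", []):
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr:
                    yield cidr, proto, lo, hi


def describe_exposure(ip_protocol, from_port, to_port):
    """Return why a port range is alert-worthy, or None when it is benign.
    ipProtocol "-1" or missing/-1 ports means all traffic."""
    if ip_protocol == "-1" or from_port is None or to_port is None or from_port == -1:
        return "all ports"
    lo, hi = min(from_port, to_port), max(from_port, to_port)
    hit = [f"{p}/{name}" for p, name in sorted(ADMIN_PORTS.items()) if lo <= p <= hi]
    if hit:
        return "administrative port " + ", ".join(hit)
    # 80 and 443 are not adjacent, so any multi-port range contains an uncommon port.
    if hi > lo or lo not in COMMONLY_EXPOSED_PORTS:
        return f"uncommon port range {lo}-{hi}"
    return None


def evaluate_event(event):
    """Return a list of findings for one CloudTrail event (empty when nothing is suspicious)."""
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "AuthorizeSecurityGroupIngress"):
        return []
    rp = event.get("requestParameters") or {}
    findings = []
    for cidr, proto, lo, hi in iter_rules(rp):
        if not is_world_open(cidr):
            continue
        reason = describe_exposure(proto, lo, hi)
        if reason:
            findings.append({
                "groupId": rp.get("groupId"),
                "cidr": cidr,
                "reason": reason,
                "actor": (event.get("userIdentity") or {}).get("arn"),
                "sourceIPAddress": event.get("sourceIPAddress"),
            })
    return findings


# Constructed sample events (not real logs); identifiers are placeholders.
_BASE = {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
         "sourceIPAddress": "198.51.100.10",
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/christophe"}}
SAMPLE_EVENTS = [
    # Mirrors the detonation: SSH opened to the whole Internet (flat request form).
    {**_BASE, "requestParameters": {"cidrIp": "0.0.0.0/0", "fromPort": 22, "toPort": 22,
                                     "groupId": "sg-0123456789abcdef0", "ipProtocol": "tcp",
                                     "ipPermissions": {}}},
    # HTTPS opened to the Internet via ipPermissions: commonly exposed, no alert.
    {**_BASE, "requestParameters": {"groupId": "sg-0123456789abcdef1", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    # RDP opened only to an internal range: no alert.
    {**_BASE, "requestParameters": {"cidrIp": "10.0.0.0/8", "fromPort": 3389, "toPort": 3389,
                                     "groupId": "sg-0123456789abcdef2", "ipProtocol": "tcp"}},
    # All traffic from any IPv6 address: alert on "all ports".
    {**_BASE, "requestParameters": {"groupId": "sg-0123456789abcdef3", "ipPermissions": {"items": [
        {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    # Unrelated read-only event: ignored.
    {**_BASE, "eventName": "DescribeSecurityGroups", "requestParameters": {}},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate a batch of events and return all findings."""
    return [f for e in events for f in evaluate_event(e)]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Feed the function real CloudTrail records (for example from a CloudTrail Lake query or an S3 export) instead of SAMPLE_EVENTS; the sourceIPAddress and userIdentity.arn carried in each finding are what you pivot on during triage.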

Detonation logs

The following CloudTrail events are generated when this technique is detonated (see note 1):

  • ec2:AuthorizeSecurityGroupIngress

Raw detonation logs:
[
   {
      "awsRegion": "us-northeast-1r",
      "eventCategory": "Management",
      "eventID": "9fd68588-ecbf-4528-a345-199fa6bb0821",
      "eventName": "AuthorizeSecurityGroupIngress",
      "eventSource": "ec2.amazonaws.com",
      "eventTime": "2024-08-01T12:23:55Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.09",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "032092706103",
      "requestID": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633",
      "requestParameters": {
         "cidrIp": "208.236.235.254/0",
         "fromPort": 22,
         "groupId": "sg-003dc7f1f1c686164",
         "ipPermissions": {},
         "ipProtocol": "tcp",
         "toPort": 22
      },
      "responseElements": {
         "_return": true,
         "requestId": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633",
         "securityGroupRuleSet": {
            "items": [
               {
                  "cidrIpv4": "208.236.235.254/0",
                  "fromPort": 22,
                  "groupId": "sg-003dc7f1f1c686164",
                  "groupOwnerId": "032092706103",
                  "ipProtocol": "tcp",
                  "isEgress": false,
                  "securityGroupRuleId": "sgr-09b3e3d2ca1edf2a2",
                  "toPort": 22
               }
            ]
         }
      },
      "sourceIPAddress": "253.243.215.253",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "ec2.us-northeast-1r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_1004a4ff-b486-4981-a84b-6322905f37cc",
      "userIdentity": {
         "accessKeyId": "AKIAXW7UJ577KFYIAHIM",
         "accountId": "032092706103",
         "arn": "arn:aws:iam::032092706103:user/christophe",
         "principalId": "AIDAQ5Y2TGCDATQV6SRP",
         "type": "IAMUser",
         "userName": "christophe"
      }
   }
]

  1. These logs have been gathered from a real detonation of this technique in a test environment using Grimoire, and anonymized using LogLicker