
Usage of EC2 Serial Console to push SSH public key

slow idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Lateral Movement

Description

Simulates an attacker using EC2 Instance Connect to push an SSH public key to multiple EC2 instances through the EC2 Serial Console API call SendSerialConsoleSSHPublicKey. Anyone holding the corresponding private key can then connect to those instances via SSH, provided they have the appropriate network connectivity.

Warm-up:

  • Create multiple EC2 instances and a VPC (takes a few minutes).

Detonation:

  • Adds a public SSH key to the EC2 instances using SendSerialConsoleSSHPublicKey.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.lateral-movement.ec2-serial-console-send-ssh-public-key

Detection

Identify, through CloudTrail's SendSerialConsoleSSHPublicKey event, when a user adds an SSH key to EC2 instances. The detonation logs below also show an ec2:EnableSerialConsoleAccess event immediately beforehand; enabling serial console access is an account-level change that is rarely needed in normal operation and is therefore a useful precursor signal to alert on as well.

Detonation logs

The following CloudTrail events are generated when this technique is detonated [1]:

  • ec2-instance-connect:SendSerialConsoleSSHPublicKey

  • ec2:EnableSerialConsoleAccess

[
   {
      "awsRegion": "cniso-east-3r",
      "eventCategory": "Management",
      "eventID": "37ba412b-f943-44f2-ae48-4527f6e789d9",
      "eventName": "EnableSerialConsoleAccess",
      "eventSource": "ec2.amazonaws.com",
      "eventTime": "2024-11-26T15:35:22Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.10",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "844015365555",
      "requestID": "e110338f-cc06-4284-bf16-6528a7df1561",
      "requestParameters": {
         "EnableSerialConsoleAccessRequest": ""
      },
      "responseElements": {
         "EnableSerialConsoleAccessResponse": {
            "requestId": "e110338f-cc06-4284-bf16-6528a7df1561",
            "serialConsoleAccessEnabled": true,
            "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/"
         }
      },
      "sourceIPAddress": "201.252.42.03",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "ec2.cniso-east-3r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
      "userIdentity": {
         "accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
         "accountId": "844015365555",
         "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com",
         "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com",
         "sessionContext": {
            "attributes": {
               "creationDate": "2024-11-26T15:14:58Z",
               "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
               "accountId": "844015365555",
               "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
               "principalId": "AROAEMHZD694LU95MUYOP",
               "type": "Role",
               "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
            }
         },
         "type": "AssumedRole"
      }
   },
   {
      "awsRegion": "cniso-east-3r",
      "eventCategory": "Management",
      "eventID": "787b2464-f27b-4d4c-91bc-6396f2297d0e",
      "eventName": "SendSerialConsoleSSHPublicKey",
      "eventSource": "ec2-instance-connect.amazonaws.com",
      "eventTime": "2024-11-26T15:35:23Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "844015365555",
      "requestID": "c74b1e77-bc91-4174-b297-d06a71c89abf",
      "requestParameters": {
         "instanceId": "i-EFCb4e480CAbc4CF9",
         "monitorMode": false,
         "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
         "serialPort": 0
      },
      "responseElements": {
         "requestId": "c74b1e77-bc91-4174-b297-d06a71c89abf",
         "success": true
      },
      "sourceIPAddress": "201.252.42.03",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
      "userIdentity": {
         "accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
         "accountId": "844015365555",
         "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com",
         "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com",
         "sessionContext": {
            "attributes": {
               "creationDate": "2024-11-26T15:14:58Z",
               "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
               "accountId": "844015365555",
               "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
               "principalId": "AROAEMHZD694LU95MUYOP",
               "type": "Role",
               "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
            },
            "webIdFederationData": {}
         },
         "type": "AssumedRole"
      }
   },
   {
      "awsRegion": "cniso-east-3r",
      "eventCategory": "Management",
      "eventID": "e49972cb-b394-43e2-aab5-602f1fb56f85",
      "eventName": "SendSerialConsoleSSHPublicKey",
      "eventSource": "ec2-instance-connect.amazonaws.com",
      "eventTime": "2024-11-26T15:35:23Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "844015365555",
      "requestID": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
      "requestParameters": {
         "instanceId": "i-B2ABDCa5b78E0f1dd",
         "monitorMode": false,
         "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
         "serialPort": 0
      },
      "responseElements": {
         "requestId": "d392c0ca-351f-472f-9ca3-b411beb9df9c",
         "success": true
      },
      "sourceIPAddress": "201.252.42.03",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
      "userIdentity": {
         "accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
         "accountId": "844015365555",
         "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com",
         "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com",
         "sessionContext": {
            "attributes": {
               "creationDate": "2024-11-26T15:14:58Z",
               "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
               "accountId": "844015365555",
               "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
               "principalId": "AROAEMHZD694LU95MUYOP",
               "type": "Role",
               "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
            },
            "webIdFederationData": {}
         },
         "type": "AssumedRole"
      }
   },
   {
      "awsRegion": "cniso-east-3r",
      "eventCategory": "Management",
      "eventID": "f4dc86c9-6b22-4643-a0e8-fcb97fcfae68",
      "eventName": "SendSerialConsoleSSHPublicKey",
      "eventSource": "ec2-instance-connect.amazonaws.com",
      "eventTime": "2024-11-26T15:35:22Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": false,
      "recipientAccountId": "844015365555",
      "requestID": "88c8e41e-7754-4377-983f-140f8ca5617e",
      "requestParameters": {
         "instanceId": "i-D46eD8FCdefED5aAE",
         "monitorMode": false,
         "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu",
         "serialPort": 0
      },
      "responseElements": {
         "requestId": "88c8e41e-7754-4377-983f-140f8ca5617e",
         "success": true
      },
      "sourceIPAddress": "201.252.42.03",
      "tlsDetails": {
         "cipherSuite": "TLS_AES_128_GCM_SHA256",
         "clientProvidedHostHeader": "ec2-instance-connect.cniso-east-3r.amazonaws.com",
         "tlsVersion": "TLSv1.3"
      },
      "userAgent": "stratus-red-team_b0fedc91-bd4a-4ba1-a776-80e707fef2a0",
      "userIdentity": {
         "accessKeyId": "ASIA2HJRQF0DHNYEE9N1",
         "accountId": "844015365555",
         "arn": "arn:aws:sts::844015365555:assumed-role/AWSReservedSSOrandoml3I7nL6f7BmB@gmail.com",
         "principalId": "AROAEMHZD694LU95MUYOP:randomca0L529zwNAY@gmail.com",
         "sessionContext": {
            "attributes": {
               "creationDate": "2024-11-26T15:14:58Z",
               "mfaAuthenticated": "false"
            },
            "sessionIssuer": {
               "accountId": "844015365555",
               "arn": "arn:aws:iam::844015365555:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_account-admin_599c9e90e350d2ff",
               "principalId": "AROAEMHZD694LU95MUYOP",
               "type": "Role",
               "userName": "AWSReservedSSO_account-admin_599c9e90e350d2ff"
            },
            "webIdFederationData": {}
         },
         "type": "AssumedRole"
      }
   }
]

  1. These logs were gathered from a real detonation of this technique in a test environment using Grimoire, and anonymized using LogLicker.