Intro

Welcome, Defender! As an incident responder, we’re granting you access to the AWS account called “Security” as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the “Security” role in the target account so you can look around to spot the misconfigurations that allowed for this attack to happen.

Suggested Tools

Walkthrough

1) What is the full AWS CLI command used to configure credentials?

Answer:

aws configure

2) What is the ‘last-modified’ date of the directory ‘flaws2-logs’ present in the s3 bucket?

aws --profile flaws2 --region us-east-1 s3 ls
2018-11-19 20:54:31 flaws2-logs

Answer (incorrect in my opinion, but it is what they were after):

2018-11-19 22:54:31

3) What is the name of the first generated event, according to time?

aws --profile flaws2 --region us-east-1 s3 sync s3://flaws2-logs .
find . -type f -exec gunzip {} \;
find . -type f -exec cat {} \; | jq '.'

Answer:

AssumeRole

4) What source IP address generated the event dated 2018-11-28 at 23:03:20 UTC?

find . -type f -exec cat {} \; | jq '.Records[]|select(.eventTime=="2018-11-28T23:03:20Z")'
{
  "eventVersion": "1.04",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIBATWWYQXZTTALNCE:level1",
    "arn": "arn:aws:sts::653711331788:assumed-role/level1/level1",
    "accountId": "653711331788",
...
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIBATWWYQXZTTALNCE",
        "arn": "arn:aws:iam::653711331788:role/service-role/level1",
        "accountId": "653711331788",
        "userName": "level1"
...
  "sourceIPAddress": "34.234.236.212",
...

Answer:

34.234.236.212

5) Which IP address does not belong to Amazon AWS infrastructure?

find . -type f -exec cat {} \; | jq '.Records[]|select(.sourceIPAddress)'|grep sourceIPAddress|sort|uniq -c
  27   "sourceIPAddress": "104.102.221.250",
   5   "sourceIPAddress": "34.234.236.212",
   2   "sourceIPAddress": "apigateway.amazonaws.com",
   2   "sourceIPAddress": "ecs-tasks.amazonaws.com",
   1   "sourceIPAddress": "lambda.amazonaws.com",

Answer:

104.102.221.250

6) Which user issued the ‘ListBuckets’ request?

find . -type f -exec cat {} \; | jq '.Records[]|select(.eventName=="ListBuckets")'
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJQMBDNUMIKLZKMF64:d190d14a-2404-45d6-9113-4eda22d7f2c7",
    "arn": "arn:aws:sts::653711331788:assumed-role/level3/d190d14a-2404-45d6-9113-4eda22d7f2c7",
...
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJQMBDNUMIKLZKMF64",
        "arn": "arn:aws:iam::653711331788:role/level3",
        "accountId": "653711331788",
        "userName": "level3"
      }
    }
  },
...

Answer:

level3

7) What was the first request issued by the user ‘level1’?

find . -type f -exec cat {} \; | jq '.Records[]|select(.userIdentity.sessionContext.sessionIssuer.userName=="level1")'|grep eventName
...
  "eventName": "CreateLogStream",
  "eventName": "ListImages",
  "eventName": "CreateLogStream",
  "eventName": "BatchGetImage",
  "eventName": "GetDownloadUrlForLayer",
  "eventName": "ListObjects",

Answer:

CreateLogStream
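The jq pipelines above each answer one question against the CloudTrail files; the following added example (not part of the original walkthrough) does the same queries in Python over a constructed sample of records, so the sort-by-time, select-by-eventTime, count-by-sourceIPAddress and filter-by-sessionIssuer steps can be reused on any gunzipped CloudTrail file. The sample records, and the `aws_cidrs` list passed to `non_aws_sources`, are assumptions for illustration; in practice the prefixes would come from AWS's published ip-ranges.json.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample in the shape of the challenge's CloudTrail files; the values
# are made up for illustration and are not taken from the real flaws2 logs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-11-28T23:03:20Z", "eventName": "ListObjects",
     "sourceIPAddress": "34.234.236.212",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "level1"}}}},
    {"eventTime": "2018-11-28T22:31:59Z", "eventName": "AssumeRole",
     "sourceIPAddress": "ecs-tasks.amazonaws.com", "userIdentity": {"type": "AWSService"}},
    {"eventTime": "2018-11-28T23:02:00Z", "eventName": "CreateLogStream",
     "sourceIPAddress": "104.102.221.250",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "level1"}}}},
    {"eventTime": "2018-11-28T23:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "104.102.221.250",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "level3"}}}},
]})

def load_records(raw):
    """Parse one (already gunzipped) CloudTrail file and sort its records by eventTime."""
    recs = json.loads(raw)["Records"]
    return sorted(recs, key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))

def event_at(records, event_time):
    """Equivalent of jq select(.eventTime=="..."); returns the first match or None."""
    return next((r for r in records if r["eventTime"] == event_time), None)

def source_ip_counts(records):
    """Equivalent of the grep | sort | uniq -c pipeline over sourceIPAddress."""
    counts = {}
    for r in records:
        counts[r["sourceIPAddress"]] = counts.get(r["sourceIPAddress"], 0) + 1
    return counts

def non_aws_sources(records, aws_cidrs):
    """Sources that are neither an AWS service principal (*.amazonaws.com) nor inside
    one of the given AWS prefixes (assumed to be taken from ip-ranges.json)."""
    nets = [ipaddress.ip_network(c) for c in aws_cidrs]
    out = {src for src in source_ip_counts(records)
           if not src.endswith(".amazonaws.com")
           and not any(ipaddress.ip_address(src) in n for n in nets)}
    return sorted(out)

def issuer_events(records, user_name):
    """Event names, in time order, for sessions issued by the role named user_name."""
    return [r["eventName"] for r in records
            if r["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("userName") == user_name]
```

Sorting by eventTime before reading the first record matters because the files are split per delivery, so the first file listed is not necessarily the earliest event.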