From 004e1869ad0ac5c7cd73fe8bf4e58e34f2b14c51 Mon Sep 17 00:00:00 2001 From: Nick Frichette Date: Sat, 22 Jan 2022 19:36:56 -0600 Subject: [PATCH] Update #109: Updated the credential exfiltration article due to the new changes to GuardDuty. Added information about the new bypass --- .../aws/avoiding-detection/steal-keys-undetected.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/content/aws/avoiding-detection/steal-keys-undetected.md b/content/aws/avoiding-detection/steal-keys-undetected.md index 223dc45..f5a07c0 100644 --- a/content/aws/avoiding-detection/steal-keys-undetected.md +++ b/content/aws/avoiding-detection/steal-keys-undetected.md 
@@ -4,6 +4,14 @@ title: Bypass Credential Exfiltration Detection description: When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using the keys from another EC2 instance. --- -A common occurrence while performing penetration testing on AWS is leveraging SSRF, XXE, command injection, etc. to steal IAM credentials from the meta data service. This can allow you to execute API calls you otherwise wouldn't be able to (especially if you can't get code execution on the EC2 instance), however it comes at a penalty. There is a GuardDuty rule which detects IAM credentials being used outside of EC2 called [IAMUser/InstanceCredentialExfiltration](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltration). +Link to Tool: [SneakyEndpoints](https://github.com/Frichetten/SneakyEndpoints) -The wording is very specific, "This finding informs you of attempts to run AWS API operations from a host outside of EC2". It does not mean outside of EC2 instances in your account. It mean outside of EC2 AT ALL. As a result, you can use those credentials on ANY EC2 instance, including one you control. Doing so will not trigger the credential exfiltration GuardDuty finding. \ No newline at end of file +A common technique when exploiting AWS environments is leveraging SSRF, XXE, command injection, etc. to steal IAM credentials from the [instance metadata service](https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/) of a target EC2 instance. This can allow you to execute AWS API calls within the victim's account, however, it comes with a risk. If you were to try to use those credentials outside of that host (for example, from your laptop) an alert would be triggered. 
There is a GuardDuty finding which detects when IAM credentials are being used outside of EC2 called [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws). + +To get around this alert being triggered, attackers could use the stolen credentials from the attacker's EC2 instance. The alert only detected if the credentials were used outside of EC2, not the victim's specific EC2 instance. So by using their own, or exploiting another EC2 instance, attackers could bypass the GuardDuty alert. + +On January 20th 2022, AWS released a new GuardDuty finding called [UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws). This new finding addressed the shortcomings of the previous one. Now, when IAM credentials are used from ANY EC2, if those credentials don't belong to the same account as the EC2 instance using them, it triggers the alert. Thus, simply using your own EC2 instance is no longer viable. This addresses a long standing concern within the cloud security community. + +However, there is currently a functioning bypass for this - [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html). Using VPC Endpoints will not trigger the GuardDuty alert. What this means is that, as an attacker, `if you steal IAM credentials from an EC2 instance, you can use those credentials from your own EC2 instance while routing traffic through VPC Endpoints. This will not trigger the GuardDuty finding`. + +To make this setup faster (and easier) for Penetration Testers and Red Teamers, [SneakyEndpoints](https://github.com/Frichetten/SneakyEndpoints) was created. 
This project has all the Terraform configurations necessary to spin up an environment to attack from. It will create an EC2 instance in a private subnet (no internet access) and create a number of VPC Endpoints for you to use. This setup ensures we don't accidentally expose ourselves and trigger the alert. \ No newline at end of file
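Review bot: the unchanged front-matter `description:` line in this hunk ("you can avoid a GuardDuty detection by using the keys from another EC2 instance") now contradicts the new body, which states that the other-EC2-instance approach "is no longer viable" since the `InstanceCredentialExfiltration.InsideAWS` finding; update the description to match. The new paragraphs also need a stated test date alongside "there is currently a functioning bypass", since the article itself documents that GuardDuty behaviour changed on January 20th 2022 and "currently" will go stale without it; and they should list which services the SneakyEndpoints Terraform creates endpoints for, because "a number of VPC Endpoints" leaves readers unable to tell which API calls fall outside the described setup. Minor wording: "The alert only detected if the credentials were used" reads better as "The alert was only triggered if the credentials were used", "long standing" should be "long-standing", and the backtick-wrapped sentence ("`if you steal IAM credentials ... GuardDuty finding`") is prose, not code, so use emphasis or a blockquote instead of inline code. The file still ends without a trailing newline ("\ No newline at end of file"); add one.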