From 1b9640585e81b0184a11ff473fb602ebe8237e78 Mon Sep 17 00:00:00 2001
From: CPol
Date: Mon, 18 Dec 2023 13:13:42 +0000
Subject: [PATCH] GITBOOK-494: change request with no subject merged in GitBook
---
.../aws-kinesis-data-firehose-enum.md | 26 ++++++++++++++-
.../aws-firewall-manager-enum.md | 32 +++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/pentesting-cloud/aws-pentesting/aws-services/aws-kinesis-data-firehose-enum.md b/pentesting-cloud/aws-pentesting/aws-services/aws-kinesis-data-firehose-enum.md
index 364a9054f8..a35d71aced 100644
--- a/pentesting-cloud/aws-pentesting/aws-services/aws-kinesis-data-firehose-enum.md
+++ b/pentesting-cloud/aws-pentesting/aws-services/aws-kinesis-data-firehose-enum.md
@@ -1,4 +1,4 @@
-# AWS - Kinesis Data Firehose
+# AWS - Kinesis Data Firehose Enum
@@ -29,6 +29,30 @@ aws firehose describe-delivery-stream --delivery-stream-name
 aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN
 ```
+## Post-exploitation / Defense Bypass
+
+In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly.
+
+### firehose:DeleteDeliveryStream
+
+```
+aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete
+```
+
+### firehose:UpdateDestination
+
+```
+aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id
+```
+
+### firehose:PutRecord | firehose:PutRecordBatch
+
+```
+aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}'
+
+aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json
+```
+
 ## References
 * [https://docs.amazonaws.cn/en\_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en\_us/firehose/latest/dev/what-is-this-service.html)
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
index 7826188116..5848c20d8a 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
+++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md
@@ -24,6 +24,38 @@ A **rule group** (a set of WAF rules together) can be added to an AWS Firewall M
 **Firewall Manager policies only allow "Block" or "Count"** options for a rule group (no "Allow" option).
+## Enumeration
+
+```
+# Get admin account
+aws fms get-admin-account
+
+# Get member accounts
+aws fms list-member-accounts
+
+# Get policies
+aws fms list-policies
+
+# Get App list
+aws fms list-apps-lists --max-results 10
+
+# Get notification channel (if any)
+aws fms get-notification-channel
+
+# Get resource sets
+aws fms list-resource-sets
+
+# Get admin scope: Get resources Firewall Manager can manage
+aws fms get-admin-scope --admin-account # ReadOnly policy is not enough for this
+
+# Get Firewall Manager administrators within the organization that are onboarded to Firewall Manager by AssociateAdminAccount
+aws fms list-admin-accounts-for-organization # ReadOnly policy is not enough for this
+```
+
+## Bypass Detection
+
+TODO, PRs accepted
+