Cloud Persistence Reference
Reference for 'Clearing the Fog' presentation
AWS
AWS CloudTrail Examples
AWS-EOD (Blast Radius Audit Tool)
Create User
•CreateUser
•AttachUserPolicy
•AddUserToGroup
Alternative Access Methods
•CreateAccessKey
•CreateLoginProfile
•UpdateAssumeRolePolicy
EC2 Instance Backdoor
•CreateKeyPair
•ImportKeyPair
•RunInstances
•CreateInstanceProfile
•AddRoleToInstanceProfile
Lambda Backdoor
•CreateFunction20150331
•CreateFunctionUrlConfig
•UpdateAssumeRolePolicy
Azure
Create User
| Operation Name | Action | 
|---|---|
| Add User | Add user | 
| Add member to role | Add member to role | 
| Add member to group | Add member to group | 
Guest Account
| Operation Name | Action | 
|---|---|
| Invite external user | Invite external user | 
| Redeem external user invite | Redeem external user invite | 
Azure VM Instance Backdoor
| Operation Name | Action | 
|---|---|
| Generate SSH Key Pair | Microsoft.Compute/sshPublicKeys/generateKeyPair/action | 
| Create or Update SSH Public Key | Microsoft.Compute/sshPublicKeys/write | 
| Create role assignment | Microsoft.Authorization/roleAssignments/write | 
| Create or Update Virtual Machine | Microsoft.Compute/virtualMachines/write | 
Azure Runbook Backdoor
| Operation Name | Action | 
|---|---|
| Create or Update an Azure Automation Runbook | Microsoft.Automation/automationAccounts/runbooks/write | 
| Generate a URI for an Azure Automation webhook | Microsoft.Automation/automationAccounts/webhooks/action | 
| Publish an Azure Automation runbook draft | Microsoft.Automation/automationAccounts/runbooks/draft/write | 
| Write Powershell7Modules | Microsoft.Automation/automationAccounts/powershell7Modules/write |