
(Example) Attack Tree for S3 Bucket with Video Recordings

Nodes (node id: label), in the order the tree lists them:

  reality: Reality
  wayback: API cache (e.g. Wayback Machine)
  disallow_crawling: Disallow crawling on site maps
  private_bucket: Auth required / ACLs (private bucket)
  s3_asset: Access video recordings in S3 bucket (attackers win)
  public_bucket: S3 bucket set to public
  subsystem_with_access: Subsystem with access to bucket data
  lock_down_acls: Lock down web client with creds / ACLs
  bucket_search: AWS public buckets search
  brute_force: Brute force
  phishing: Phishing
  compromise_user_creds: Compromise user credentials
  compromise_admin_creds: Compromise admin creds
  compromise_aws_creds: Compromise AWS admin creds
  compromise_presigned: Compromise presigned URLs
  recon_on_s3: Recon on S3 buckets
  analyze_web_client: Manually analyze web client for access control misconfig
  access_control_server_side: Perform all access control server side
  ssh_to_public_machine: SSH to an accessible machine
  2fa: 2FA
  intercept_2fa: Intercept 2FA
  ip_allowlist_for_ssh: IP allowlist for SSH
  lateral_movement_to_machine_with_access: Lateral movement to machine with access to target bucket
  short_lived_presigning: Make URL short lived
  compromise_quickly: Compromise URL within N time period
  disallow_bucket_urls: Disallow the use of URLs to access buckets
  find_systems_with_access: Find systems with R/W access to target bucket
  exploit_known_vulns: Exploit known 3rd party library vulns
  internal_only_bucket: No public system has R/W access (internal only)
  vuln_scanning: 3rd party library checking / vuln scanning
  buy_0day: Buy 0day
  discover_0day: Manual discovery of 0day
  exploit_vulns: Exploit vulns
  ips: Exploit prevention / detection
  aws_0day: 0day in AWS multitenant systems
  single_tenant_hsm: Use single tenant AWS HSM
  supply_chain_backdoor: Supply chain compromise (backdoor)

Edges (from -> to; the "#yolosec" tag is kept on the edges the tree marks with it):

  reality -> wayback  #yolosec
  reality -> disallow_crawling
  reality -> private_bucket
  wayback -> s3_asset  #yolosec
  public_bucket -> s3_asset
  subsystem_with_access -> lock_down_acls
  subsystem_with_access -> s3_asset
  bucket_search -> public_bucket  #yolosec
  brute_force -> compromise_user_creds
  phishing -> compromise_user_creds
  phishing -> compromise_admin_creds
  phishing -> compromise_aws_creds
  phishing -> compromise_presigned
  compromise_user_creds -> subsystem_with_access
  analyze_web_client -> access_control_server_side
  analyze_web_client -> s3_asset
  compromise_admin_creds -> ssh_to_public_machine  #yolosec
  compromise_admin_creds -> 2fa  #yolosec
  compromise_aws_creds -> ssh_to_public_machine
  compromise_aws_creds -> 2fa
  intercept_2fa -> ssh_to_public_machine
  ssh_to_public_machine -> ip_allowlist_for_ssh
  lateral_movement_to_machine_with_access -> s3_asset
  compromise_presigned -> short_lived_presigning
  compromise_presigned -> s3_asset
  compromise_quickly -> disallow_bucket_urls
  compromise_quickly -> s3_asset
  recon_on_s3 -> find_systems_with_access  #yolosec
  find_systems_with_access -> exploit_known_vulns
  find_systems_with_access -> internal_only_bucket
  exploit_known_vulns -> vuln_scanning
  buy_0day -> exploit_vulns
  discover_0day -> exploit_vulns
  exploit_vulns -> ips
  exploit_vulns -> s3_asset
  aws_0day -> single_tenant_hsm
  aws_0day -> s3_asset
  supply_chain_backdoor -> s3_asset
  disallow_crawling -> bucket_search
  private_bucket -> brute_force
  private_bucket -> phishing
  private_bucket -> recon_on_s3
  lock_down_acls -> analyze_web_client
  access_control_server_side -> phishing
  2fa -> intercept_2fa
  2fa -> recon_on_s3
  ip_allowlist_for_ssh -> lateral_movement_to_machine_with_access
  short_lived_presigning -> compromise_quickly
  disallow_bucket_urls -> recon_on_s3
  vuln_scanning -> buy_0day
  vuln_scanning -> discover_0day
  ips -> aws_0day
  single_tenant_hsm -> supply_chain_backdoor
  internal_only_bucket -> phishing