Commit
GITBOOK-622: No subject
carlospolop authored and gitbook-bot committed Jun 3, 2024
1 parent ea89841 commit 5af4661
Showing 1 changed file with 25 additions and 13 deletions.
Expand Up @@ -170,26 +170,19 @@ For more information about this specific technique check [https://rhinosecurityl

Honeyokens are created to **detect exfiltration of sensitive information**. In case of AWS, they are **AWS keys whose use is monitored**, if something triggers an action with that key, then someone must have stolen that key.

However, this monitorization is performed via **CloudTrail**, and there are some **AWS services that doesn't send logs to CloudTrail** (fin the [list here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Some of those services will **respond** with an **error** containing the **ARN of the key role** if someone unauthorised (the honeytoken key) try to access it.
However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**.

This way, an **attacker can obtain the ARN of the key without triggering any log**. In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken.

![](<../../../../.gitbook/assets/image (93).png>)

#### **HoneyTokens Detection**

[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam\_\_detect\_honeytokens/main.py#L57) detects if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:**
[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam\_\_detect\_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:**

* If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message.
* Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name.
* If **`SpaceCrab`** appears in the role name in the error message
* **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}`
* If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken.

{% hint style="danger" %}
Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own...
#### Get the account ID from the Key ID

Or you can get the **Account ID** from the **encoded** inside the **access key** as [**explained here**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) and check the account ID with your list of Honeytokens AWS accounts:
You can get the **Account ID** from the **encoded** inside the **access key** as [**explained here**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) and check the account ID with your list of Honeytokens AWS accounts:

```python
import base64
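Review bot: The added paragraph beginning "However, Honeytokens like the ones created by Canarytokens, SpaceCrab, SpaceSiren" now sits directly after the honeytoken definition, and the CloudTrail paragraph it was contrasting with has been moved down to the new "AWS services without logs" section, so the leading "However" dangles; start it as "Honeytokens like the ones created by ..." instead. In the same paragraph, "are either using recognizable account name" should read "either use a recognizable account name", and "Cloudtrail" should match the "CloudTrail" spelling used elsewhere in the file. The sentence kept under the new "Get the account ID from the Key ID" heading still says "from the **encoded** inside the **access key**", which is missing its noun; "from the value encoded inside the access key" reads correctly.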
Expand All @@ -207,11 +200,30 @@ def AWSAccount_from_AWSKeyID(AWSKeyID):
e = (z & mask)>>7
return (e)

print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))
print("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))
```
{% endhint %}

Check more information in the [**orginal research**](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489).

#### Do not generate a log

The most effective technique for this is actually a simple one. Just use the key you just found to access some service inside your own attackers account. This will make **CloudTrail generate a log inside YOUR OWN AWS account and not inside the victims**.

The things is that the output will show you an error indicating the account ID and the account name so **you will be able to see if it's a Honeytoken**.

#### AWS services without logs

In the past there were some **AWS services that doesn't send logs to CloudTrail** (find a [list here](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html)). Some of those services will **respond** with an **error** containing the **ARN of the key role** if someone unauthorised (the honeytoken key) try to access it.

This way, an **attacker can obtain the ARN of the key without triggering any log**. In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken.

![](<../../../../.gitbook/assets/image (93).png>)

{% hint style="danger" %}
Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own...

For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/).
{% endhint %}

### Accessing Third Infrastructure

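Review bot: The new "Do not generate a log" section has grammar slips worth fixing in the same commit: "The things is that" should be "The thing is that", "inside your own attackers account" should be "inside your own attacker account", and "not inside the victims" needs the possessive "victim's". The paragraph moved into "AWS services without logs" carries its original typos along ("try to access it" for "tries to access it", "identify id the token" for "identify if the token"); since the text is being reorganised anyway, this is the moment to correct them, and the hint that follows would read more naturally as "have since been fixed" rather than "are now fixed". The unchanged line "Check more information in the **orginal research**" also still misspells "original".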