Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass

datadoghq - Nick Frichette, posted 3 years ago
  • AWS Admins use CloudTrail to monitor API activity within their accounts. This allows suspicious activity to be discovered quickly. So, what would happen if we could bypass this? An admin could miss a ton of malicious activity!
  • While reviewing the network traffic, the author noticed several requests to an AWS service with iamadmin in the name. This is different from the standard iamv2/api/iam API. Besides the name change, the functionality was completely different as well; the service name was AWSIdentityManagementAdminService instead of AWSIdentityManagementV20100508.
  • The methods in this other set of APIs were similar to the regular API calls but NOT the same. For instance, ListMFADevicesForMultipleUsers vs. iam:ListMFADevices. The author SigV4-signed the request and it worked as expected. But what didn't work? CloudTrail!
  • Calls to the ListMFADevicesForMultipleUsers endpoint were not logged in CloudTrail at all. They expanded this concept to many of the other APIs on the same service as well. The gap only applied to the non-mutating (read-only) functions, though. This undocumented API allowed them to make calls that were never logged. Time to avoid detection!
  • Overall, a pretty neat finding! With an ecosystem this complicated, small things like this are likely to slip through the cracks.