Skip to content

AWS: Persist by creating an identity provider #646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
christophetd opened this issue Mar 3, 2025 · 1 comment
Open

AWS: Persist by creating an identity provider #646

christophetd opened this issue Mar 3, 2025 · 1 comment
Labels
kind/new-technique platform/aws

Comments

@christophetd
Copy link
Contributor

from #541
@christophetd christophetd mentioned this issue Mar 3, 2025
Closed
@xvirgov
Copy link

xvirgov commented Mar 3, 2025

Hello, thanks for the reply!

I would be interested in adding this as well. Would that be okay? If yes, what do you think about this scenario?:

aws.persistence.iam-identity-provider-saml-backdoor

Establishes persistence by changing SAML metadata for an IAM IDP, resulting in a backdoor access to a IAM role.

Warm-up

  • create an IAM IDP configuration (use aws sample SAML config for the initial configuration)
  • create an IAM role with the IDP in the trust relationship

Detonation

  • replace the SAML metadata with the attacker's

References

Questions

  • do you prefer to test with SAML (as suggested above) or OIDC identity provider?
  • do you also want to generate the temporary credentials for the role - that attacker gains access to? Can also do :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/new-technique platform/aws
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@christophetd @xvirgov