What does this PR do?

Motivation

I saw that this was an open and prioritized issue https://github.com/DataDog/stratus-red-team/issues/487

There are multiple reports of this technique being exploited in the wild.

To exploit SendSerialConsoleSSHPublicKey, an attacker must first enable EC2 Serial Console access. I did not enable this in the warm-up phase because Permiso has observed this behavior as part of a larger attack. In their report, Permiso describes how attackers enable EC2 Serial Console access in compromised AWS accounts and then attempt to use SendSerialConsoleSSHPublicKey.

If EC2 Serial Console access is already enabled, I leave it as is to avoid disabling it.

I'm not sure if there is an automation to generate the logs with Grimoire, so I haven't added this.

Checklist

[x] The attack technique emulates a single attack step, not a full attack chain
[x] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
[x] The attack technique makes no assumption about the state of the environment prior to warming it up
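The two-step behavior the PR describes (EC2 Serial Console access gets enabled, then SendSerialConsoleSSHPublicKey is called, or the key is pushed directly when access is already on) is what a detection for this technique should key on. The following is an added example of that correlation over CloudTrail records; it is not part of this PR or of Stratus Red Team. The records are constructed for illustration, the eventSource values (ec2.amazonaws.com for EnableSerialConsoleAccess, ec2-instance-connect.amazonaws.com for SendSerialConsoleSSHPublicKey) are assumptions about how CloudTrail records these APIs, and the one-hour correlation window is an arbitrary choice.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records for illustration only; these are not real logs.
# The eventSource values are assumptions about how CloudTrail records these two APIs.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableSerialConsoleAccess", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "sourceIPAddress": "203.0.113.5"},
    # Serial console was already enabled in this account: only the key push appears.
    {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSerialConsoleSSHPublicKey", "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/ops-role"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceId": "i-0fedcba9876543210"}},
]})

ENABLE_EVENT = ("ec2.amazonaws.com", "EnableSerialConsoleAccess")
SEND_KEY_EVENT = ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey")


def parse_records(raw_json):
    """Parse a CloudTrail JSON document and return its records sorted by eventTime."""
    records = json.loads(raw_json)["Records"]
    for rec in records:
        rec["_time"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    return sorted(records, key=lambda rec: rec["_time"])


def find_serial_console_activity(records, window=timedelta(hours=1)):
    """Return findings for serial-console related events, in time order.

    serial_console_enabled: EnableSerialConsoleAccess was called (suspicious on its own).
    enable_then_send_key:   SendSerialConsoleSSHPublicKey followed an enable in the same
                            account within `window` (the full chain the report describes).
    send_key:               SendSerialConsoleSSHPublicKey with no recent enable (access
                            was already on); still worth review.
    """
    findings = []
    last_enable = {}  # accountId -> most recent EnableSerialConsoleAccess record
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        account = rec.get("recipientAccountId")
        if key == ENABLE_EVENT:
            last_enable[account] = rec
            findings.append({"type": "serial_console_enabled", "account": account,
                             "actor": rec["userIdentity"]["arn"],
                             "source_ip": rec["sourceIPAddress"], "time": rec["eventTime"]})
        elif key == SEND_KEY_EVENT:
            enable = last_enable.get(account)
            chained = enable is not None and rec["_time"] - enable["_time"] <= window
            findings.append({"type": "enable_then_send_key" if chained else "send_key",
                             "account": account, "actor": rec["userIdentity"]["arn"],
                             "source_ip": rec["sourceIPAddress"],
                             "instance_id": rec.get("requestParameters", {}).get("instanceId"),
                             "time": rec["eventTime"]})
    return findings


if __name__ == "__main__":
    for finding in find_serial_console_activity(parse_records(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

The enable event is reported on its own because the PR notes that enabling serial console access is itself part of the observed attack pattern; a standalone key push is reported separately so that accounts where the console was already enabled are not missed.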