Shadow Admins
Our Shadow Admin engine discovers “Shadow Admin” cloud service users in IaaS providers who can perform privilege escalation but can’t manage the whole IAM model. This discovery can be performed by configuring authentication and authorization resources and by assigning roles to others.
An AWS shadow admin is a cloud service user (cloud identity) who can perform one of more of the actions listed in the following table, in one of the policies attached to it.
AWS Actions
|
Action |
Enables a cloud service user to... |
|---|---|
|
CreateAccessKey |
Create an access key for another IAM user. |
|
CreateLoginProfile |
Create a password for an IAM user. |
|
UpdateLoginProfile |
Reset their user password. |
|
AttachUserPolicy / AttachGroupPolicy / AttachRolePolicy |
Attach a different existing policy to an identity, which provides an easy way to escalate privileges. |
|
PutUserPolicy / PutGroupPolicy / PutRolePolicy |
Add or update the inline policy attached to the corresponding identity. |
|
CreatePolicy |
Create new policies including an inline policy attached directly to an identity. |
|
AddUserToGroup |
Add a user to existing groups, which grants the user all privileges for the group. |
|
UpdateAssumeRolePolicy |
Chain roles, allowing a non-privileged role to assume a privileged one. |
|
CreatePolicyVersion and SetDefaultPolicyVersion |
Update policy versions to escalate privileges. |
|
PassRole and (CreateInstanceProfile / AddRoleToInstanceProfile) |
An instance profile is a role that can be attached to an EC2 instance to allow the code on it to call other services. Creating an instance profile and assigning it to instances can be used to escalate privileges. |
|
iam:PassRole and lambda:CreateFunction and lambda:InvokeFunction |
This combination of privileges allows a user to assign a role to a newly created Lambda function and invoke it. This technique can be used to hide escalated privileges and exfiltrate information. |
|
iam:PassRole and lambda:CreateFunction and lambda:CreateEventSourceMapping |
The event source is the origin of event data. This combination of roles allows an identity to sniff incoming data. |
|
iam:PassRole and glue:CreateDevEndpoint |
Creating new development endpoints in glue and assigning a role to them provides a new environment with all privileges granted by this role. |
|
iam:PassRole and cloudformation:CreateStack |
Cloud formation allows users to create AWS assets even if the user doesn’t have full privileges to create all other resources. |
|
iam:PassRole and datapipeline:CreatePipeline and datapipeline:PutPipelineDefinition |
By creating new pipelines or updating roles assigned to existing ones, the attacker can control or "spy" on your organization’s data in different data sources. |
|
SetDefaultPolicyVersion |
The policy version defines the AWS internal version language that the policy supports. By downgrading the version, a user can ignore fields and gain privileges that were bound to specific variables. |
|
lambda:UpdateFunctionCode |
Functions can call other AWS resources based on different trust policies in the cloud service account. By updating the code of a function, a user can escalate privileges and exfiltrate information. |
|
glue:UpdateDevEndpoint |
Glue endpoints define the environment the code will run on. Changing the glue endpoint can push code to protected environments or break your infrastructure logic. |
Azure Permissions
|
Azure permission(s) |
Description |
|---|---|
|
Microsoft.Authorization/elevateAccess/action |
Enables a cloud service user/attacker to elevate their privileges to become admins. |
|
Microsoft.Authorization/roleDefinitions/write |
Enables an attacker to update roles and escalate to administrative privileges. |
|
Microsoft.Authorization/roleAssignments/write |
Enables the user to assign other users to roles, meaning a user entitled to this role can make other admins. |
|
microsoft.directory/users/password/update |
Enables the user to reset another user’s password, which can help them gain control over accounts. |
|
microsoft.directory/users/authenticationMethods/delete |
Enables removal of a user authentication method like MFA, helping an attacker to steal an account. |
|
Microsoft.Authorization/*/Write |
Enables the user to assign any role to an application and elevate its privileges. |
|
microsoft.directory/servicePrincipals/policies/update |
Enables the user to update the role assigned to a service principle, which can lead to escalated privileges. |
|
microsoft.directory/servicePrincipals/permissions/update |
|
|
microsoft.directory/servicePrincipals/enable |
Enables the user to re-enable a disabled service principle, so an attacker can find a disabled service principal with the right privileges and enable it. |
|
microsoft.directory/groups/members/update |
Enables the user to update group members, which allows the user to escalate privileges by adding the account to more privileged groups. |
|
Microsoft.ManagedIdentity/userAssignedIdentities/write |
Managed identities are like access keys; they limit the need to manage credentials and allow applications to access resources. |
|
microsoft.directory/users/create |
Enables the user to create new local users in active directory/Azure. |
|
microsoft.directory/users/password/update |
|
|
Microsoft.Authorization/classicAdministrators/write |
Enables the user to add other users as administrators. |
