Bug: race condition in aws.discovery.ec2-enumerate-from-instance #663

rileydakota opened this issue Mar 29, 2025 · 0 comments · May be fixed by #664
What is not working?
When detonating the technique aws.discovery.ec2-enumerate-from-instance, the technique doesn't check if the EC2 instance is provisioned in SSM before firing the technique. This can lead to a race condition when detonating the technique without explicitly warming it first and cause it to fail. Creating this issue for documentation. Going to try and push a fix to this.

What OS are you using?
Observed both on Ubuntu WSL and MacOS

What is your Stratus Red Team version?
stratus version
local build from main codebase branch

Full output?
If applicable, please include the full output.

dakota@DESKTOP-140RREU:~/projects/stratus-red-team/v2$ go run cmd/stratus/*.go cleanup aws.discovery.ec2-enumerate-from-instance
2025/03/28 20:39:36 aws.discovery.ec2-enumerate-from-instance is already COLD and should already be clean, use --force to force cleanup
+-------------------------------------------+-----------------------------------------------+--------+
| ID                                        | NAME                                          | STATUS |
+-------------------------------------------+-----------------------------------------------+--------+
| aws.discovery.ec2-enumerate-from-instance | Execute Discovery Commands on an EC2 Instance | COLD   |
+-------------------------------------------+-----------------------------------------------+--------+
exit status 1
dakota@DESKTOP-140RREU:~/projects/stratus-red-team/v2$ go run cmd/stratus/*.go detonate aws.discovery.ec2-enumerate-from-instance
2025/03/28 20:39:59 Checking your authentication against AWS
2025/03/28 20:39:59 Note: This is a slow attack technique, it might take a long time to warm up or detonate
2025/03/28 20:39:59 Warming up aws.discovery.ec2-enumerate-from-instance
2025/03/28 20:39:59 Initializing Terraform to spin up technique prerequisites
2025/03/28 20:40:04 Applying Terraform to spin up technique prerequisites
2025/03/28 20:42:22 Instance id i-0aff01e24234725f7 in us-east-1a ready
2025/03/28 20:42:22 Running commands through SSM on i-0aff01e24234725f7:
  - export AWS_EXECUTION_ENV=stratus-red-team_d7ed8f4a-b0a1-4adf-81f0-911f2f1e2484
  - aws sts get-caller-identity || true
  - aws s3 ls || true
  - aws iam get-account-summary || true
  - aws iam list-roles || true
  - aws iam list-users || true
  - aws iam get-account-authorization-details >/dev/null || true
  - aws ec2 describe-snapshots || true
  - aws cloudtrail describe-trails || true
  - aws guardduty list-detectors || true
2025/03/28 20:42:22 Error while detonating attack technique aws.discovery.ec2-enumerate-from-instance: unable to send SSM command to instance: operation error SSM: SendCommand, https response error StatusCode: 400, RequestID: f8bb0811-9373-41d9-9da1-84f9217097a4, InvalidInstanceId: Instances [[i-0aff01e24234725f7]] not in a valid state for account 891377093447
exit status 1

Files in $HOME/.stratus-red-team?
ls -lahR
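
The readiness check the report says is missing, as an added Go example (not Stratus Red Team's code and not the change in #664): poll until the instance is registered with SSM, and only then send the commands. The names `ssmAPI`, `sendWhenManaged`, `fakeSSM` and the instance ID `i-EXAMPLE` are hypothetical; the fake is constructed to simulate an instance that registers a few polls after launch.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// ssmAPI is a hypothetical interface over the two SSM calls involved. With the
// AWS SDK, IsManaged would wrap DescribeInstanceInformation and Send SendCommand.
type ssmAPI interface {
	IsManaged(ctx context.Context, id string) (bool, error)
	Send(ctx context.Context, id string, cmds []string) error
}

// sendWhenManaged polls until the instance is registered with SSM, then sends.
// If ctx expires first it returns an error rather than calling Send early.
func sendWhenManaged(ctx context.Context, api ssmAPI, id string, cmds []string, every time.Duration) error {
	for {
		ok, err := api.IsManaged(ctx, id)
		if err != nil {
			return fmt.Errorf("checking SSM registration of %s: %w", id, err)
		}
		if ok {
			return api.Send(ctx, id, cmds)
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s not registered in SSM: %w", id, ctx.Err())
		case <-time.After(every):
		}
	}
}

// fakeSSM is a constructed stand-in: the instance registers after readyAfter polls.
type fakeSSM struct{ polls, readyAfter, sent int }

func (f *fakeSSM) IsManaged(context.Context, string) (bool, error) {
	f.polls++
	return f.polls > f.readyAfter, nil
}
func (f *fakeSSM) Send(context.Context, string, []string) error {
	f.sent++
	return nil
}

func main() {
	f := &fakeSSM{readyAfter: 3}
	err := sendWhenManaged(context.Background(), f, "i-EXAMPLE", nil, 10*time.Millisecond)
	fmt.Println("polls:", f.polls, "sent:", f.sent, "err:", err)
}
```

Bounding the wait with `context.WithTimeout` turns an instance that never registers into a clear timeout error instead of an indefinite hang.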
