You may have noticed that since the release of AWS_IR and MargaritaShotgun nearly two years ago that we have continued to add features. Features that were all based on the feedback of users like you.
Initially we supported the following steps during the run of a response plan:
One piece of feedback that we received from users time and time again was that they wanted to be able to select custom incident steps. So, we created the AWS_IR plugin system. This change abstracted the steps that ran and all of the code from each plugin. So now you can choose “only isolate” or “only snapshot” without stopping the instance.
Let’s say that you have a problematic instance or three. You’d like to do the following:
AWS_IR supports this style of acquisition in a very straight forward manor.
All you need to know is:
When running AWSIR you can pass in _examiner-cidr-range as an argument. If you do not pass in a range the tool will default to not allowing access. This is undesirable if you want to follow up with grabbing a memory dump.
Your examiner-cidr-range is equal to YOURPUBLICIP + /32.
aws_ir instance-compromise --help in order to see a list of supported plugins.
aws_ir instance-compromise --help usage: aws_ir instance-compromise [-h] [--target TARGET] [--targets TARGETS] [--user USER] [--ssh-key SSH_KEY] [--plugins PLUGINS] optional arguments: -h, --help show this help message and exit --target TARGET instance-id|instance-ip --targets TARGETS File of resources to process instance-id or ip-address. --user USER this is the privileged ssh user for acquiring memory from the instance. Required for memory only. --ssh-key SSH_KEY provide the path to the ssh private key for the user. Required for memory only. --plugins PLUGINS Run some or all of the plugins in a custom order. Provided as a comma separated list of supported plugins: examineracl_host,gather_host,isolate_host,snapshotdisks_h ost,stop_host,tag_host,get_memory
If all you intend is to reach containment I’d suggest running
gather_host,snapshotdisks_host,isolate_host,ttag_host,examineracl_host in that order.
If examiner acl is not the last plugin run you may deny yourself access to the instance unintentionally.
$ aws_ir --examiner-cidr-range 126.96.36.199/32 instance-compromise --target 188.8.131.52 --user ec2-user --ssh-key responder-key.pem --plugins gather_host,snapshotdisks_host,isolate_host,ttag_host,examineracl_host