{"id":13680343,"url":"https://github.com/ThreatResponse/aws_ir","last_synced_at":"2025-04-29T23:31:12.480Z","repository":{"id":48484575,"uuid":"63271084","full_name":"ThreatResponse/aws_ir","owner":"ThreatResponse","description":"Python installable command line utiltity for mitigation of host and key compromises. ","archived":false,"fork":false,"pushed_at":"2021-07-23T09:00:58.000Z","size":246,"stargazers_count":331,"open_issues_count":15,"forks_count":66,"subscribers_count":24,"default_branch":"master","last_synced_at":"2023-09-20T03:24:37.556Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ThreatResponse.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-07-13T18:44:20.000Z","updated_at":"2023-09-16T20:59:02.000Z","dependencies_parsed_at":"2022-09-16T09:12:44.612Z","dependency_job_id":null,"html_url":"https://github.com/ThreatResponse/aws_ir","commit_stats":null,"previous_names":[],"tags_count":6,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThreatResponse%2Faws_ir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThreatResponse%2Faws_ir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThreatResponse%2Faws_ir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThreatResponse%2Faws_ir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ThreatResponse","download_url":"https://codeload.github.com/ThreatResponse/aws_ir/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251599939,"owners_count":21615604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:16.114Z","updated_at":"2025-04-29T23:31:07.468Z","avatar_url":"https://github.com/ThreatResponse.png","language":"Python","funding_links":[],"categories":["Python","Infrastructure","事件响应工具","Incident Response tools"],"sub_categories":["沙箱","Sandboxes"],"readme":".. image:: https://travis-ci.org/ThreatResponse/aws_ir.svg?branch=master\n    :target: https://travis-ci.org/ThreatResponse/aws_ir\n\nAWS IR\n======\n\nPython installable command line utility for mitigation of instance and key compromises.\n\nDocumentation\n-------------\n\nRead the full documentation on `read the docs \u003chttps://aws_ir.readthedocs.io/en/latest/\u003e`__.\n\nQuickstart\n----------\n\nFor more information see the `quickstart \u003chttps://aws_ir.readthedocs.io/en/latest/quickstart.html\u003e`__.\n\nInstallation\n************\n\n``pip install aws_ir``\n\nOr see `installing \u003chttps://aws_ir.readthedocs.io/en/latest/installing.html\u003e`__.\n\nAWS Credentials\n***************\n\nEnsure aws credentials are configured under the user running aws_ir as documented `by amazon \u003chttps://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html\u003e`__.\n\nCheck back soon for an IAM policy featuring the minimum set of required permissions\n\nOptional Arguments\n******************\n\n.. code-block:: bash\n\n   usage: aws_ir [-h] [--version] [--verbose] [--profile PROFILE]\n                 [--case-number CASE_NUMBER]\n                 [--examiner-cidr-range EXAMINER_CIDR_RANGE]\n                 [--bucket-name BUCKET_NAME] [--dry-run]\n                 {instance-compromise,key-compromise} ...\n\n   Incident Response command line for Amazon Web Services. This command line\n   interface is designed to process host and key based incursions without delay\n   or error.\n\n   positional arguments:\n     {instance-compromise,key-compromise}\n       instance-compromise\n       key-compromise\n\n   optional arguments:\n     -h, --help            show this help message and exit\n\n     --version             show program's version number and exit\n     --verbose             log debug messages\n     --profile PROFILE     A named boto profile to use instead of the default\n                           profile.\n     --case-number CASE_NUMBER\n                           The case number to use., usually of the form\n                           \"cr-16-053018-2d2d\"\n     --examiner-cidr-range EXAMINER_CIDR_RANGE\n                           The IP/CIDR for the examiner and/or the tool. This\n                           will be added as the only allowed range in the\n                           isolated security group.\n     --bucket-name BUCKET_NAME\n                           Optional. The id of the s3 bucket to use. This must\n                           already exist\n     --dry-run             Dry run. Pass dry run parameter to perform API calls\n                           but will not modify any resources.\n\nKey Compromise\n**************\n\nThe ``aws_ir`` subcommand ``key-compromise`` disables access keys in the case of a key compromise.\nIt's single argument is the access key id, he compromised key is disabled via the AWS api.\n\n.. code-block:: bash\n\n   usage: aws_ir key-compromise [-h] --access-key-id ACCESS_KEY_ID\n                                [--plugins PLUGINS]\n\n   optional arguments:\n     -h, --help            show this help message and exit\n     --access-key-id ACCESS_KEY_ID\n     --plugins PLUGINS     Run some or all of the plugins in a custom order.\n                           Provided as a comma separated listSupported plugins:\n                           disableaccess_key,revokests_key\n\nBelow is the output of running the ``key-compromise`` subcommand.\n\n.. code-block:: bash\n\n   $ aws_ir key-compromise --access-key-id AKIAINLHPIG64YJXPK5A\n   2017-07-20T21:04:01 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.\n   2017-07-20T21:04:01 - aws_ir.plans.key - INFO - Attempting key disable.\n   2017-07-20T21:04:03 - aws_ir.plans.key - INFO - STS Tokens revoked issued prior to NOW.\n   2017-07-20T21:04:03 - aws_ir.plans.key - INFO - Disable complete.  Uploading results.\n   Processing complete for cr-17-072104-7d5f\n   Artifacts stored in s3://cloud-response-9cabd252416b4e5a893395c533f340b7\n\nInstance Compromise\n*******************\n\nThe ``aws_ir`` subcommand ``instance-compromise`` preserves forensic artifacts from a compromised instance after isolating the instance.\nOnce all artifacts are collected and tagged the compromised instance is powered off.\nThe ``instance-compromise`` subcommand takes three arguments, the ``instance-ip`` of the compromised instance, a ``user`` with ssh access to the target instance, and the ``ssh-key`` used for authentication.\n\nCurrently ``user`` must be capable of passwordless sudo for memory capture to complete.  If ``user`` does not have passwordless sudo capabilities all artifiacts save for the memory capture will be gathered.\n\n.. code-block:: bash\n   $ aws_ir instance-compromise -h\n   usage: aws_ir instance-compromise [-h] [--target TARGET] [--targets TARGETS]\n                                     [--user USER] [--ssh-key SSH_KEY]\n                                     [--plugins PLUGINS]\n\n   optional arguments:\n     -h, --help         show this help message and exit\n     --target TARGET    instance-id|instance-ip\n     --targets TARGETS  File of resources to process instance-id or ip-address.\n     --user USER        this is the privileged ssh user for acquiring memory from\n                        the instance. Required for memory only.\n     --ssh-key SSH_KEY  provide the path to the ssh private key for the user.\n                        Required for memory only.\n     --plugins PLUGINS  Run some or all of the plugins in a custom order.\n                        Provided as a comma separated list of supported plugins:\n                        examineracl_host,gather_host,isolate_host,snapsh\n                        otdisks_host,stop_host,tag_host,get_memory\n\nAWS IR saves all forensic artifacts except for disk snapshots in an s3 bucket created for each case.  Disk snapshots are tagged with the same case number as the rest of the rest of the artifacts.\n\nBelow is the output of running the ``instance-compromise`` subcommand.\n\n.. code-block:: bash\n\n   $  aws_ir --examiner-cidr-range '4.4.4.4/32' instance-compromise --target 52.40.162.126 --user ec2-user --ssh-key ~/Downloads/testing-041.pem\n      2017-07-20T21:10:50 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.\n      2017-07-20T21:10:50 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.\n      2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.\n      2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 37 found.\n      2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide.  This might take a minute...\n      2017-07-20T21:11:03 - aws_ir.libs.inventory - INFO - Searching ap-south-1 for instance.\n      2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-2 for instance.\n      2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-1 for instance.\n      2017-07-20T21:11:06 - aws_ir.libs.inventory - INFO - Searching ap-northeast-2 for instance.\n      2017-07-20T21:11:07 - aws_ir.libs.inventory - INFO - Searching ap-northeast-1 for instance.\n      2017-07-20T21:11:08 - aws_ir.libs.inventory - INFO - Searching sa-east-1 for instance.\n      2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ca-central-1 for instance.\n      2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ap-southeast-1 for instance.\n      2017-07-20T21:11:10 - aws_ir.libs.inventory - INFO - Searching ap-southeast-2 for instance.\n      2017-07-20T21:11:11 - aws_ir.libs.inventory - INFO - Searching eu-central-1 for instance.\n      2017-07-20T21:11:12 - aws_ir.libs.inventory - INFO - Searching us-east-1 for instance.\n      2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-east-2 for instance.\n      2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-1 for instance.\n      2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-2 for instance.\n      2017-07-20T21:11:14 - aws_ir.libs.case - INFO - Inventory complete.  Proceeding to resource identification.\n      2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Proceeding with incident plan steps included are ['gather_host', 'isolate_host', 'tag_host', 'snapshotdisks_host', 'examineracl_host', 'get_memory', 'stop_host']\n      2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Executing step gather_host.\n      2017-07-20T21:11:15 - aws_ir.plans.host - INFO - Executing step isolate_host.\n      2017-07-20T21:11:16 - aws_ir.plans.host - INFO - Executing step tag_host.\n      2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step snapshotdisks_host.\n      True\n      2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step examineracl_host.\n      2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Executing step get_memory.\n      2017-07-20T21:11:19 - aws_ir.plans.host - INFO - attempting memory run\n      2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ec2-user on 52.40.162.126 with /Users/akrug/Downloads/testing-041.pem\n      2017-07-20T21:11:21 - margaritashotgun.repository - INFO - downloading https://threatresponse-lime-modules.s3.amazonaws.com/modules/lime-4.9.32-15.41.amzn1.x86_64.ko as lime-2017-07-21T04:11:21-4.9.32-15.41.amzn1.x86_64.ko\n      2017-07-20T21:11:25 - margaritashotgun.memory - INFO - 52.40.162.126: dumping memory to s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a/52.40.162.126-2017-07-21T04:11:19-mem.lime\n      2017-07-20T21:15:43 - margaritashotgun.memory - INFO - 52.40.162.126: capture 10% complete\n      2017-07-20T21:19:37 - margaritashotgun.memory - INFO - 52.40.162.126: capture 20% complete\n      2017-07-20T21:23:41 - margaritashotgun.memory - INFO - 52.40.162.126: capture 30% complete\n      2017-07-20T21:28:17 - margaritashotgun.memory - INFO - 52.40.162.126: capture 40% complete\n      2017-07-20T21:32:42 - margaritashotgun.memory - INFO - 52.40.162.126: capture 50% complete\n      2017-07-20T21:37:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 60% complete\n      2017-07-20T21:39:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 70% complete\n      2017-07-20T22:00:13 - margaritashotgun.memory - INFO - 52.40.162.126: capture 80% complete\n      2017-07-20T22:04:19 - margaritashotgun.memory - INFO - 52.40.162.126: capture 90% complete\n      2017-07-20T22:17:32 - margaritashotgun.memory - INFO - 52.40.162.126: capture 100% complete\n      2017-07-20T21:41:52 - aws_ir.plans.host - INFO - memory capture completed for: ['52.40.162.126'], failed for: []\n      2017-07-20T21:41:52 - aws_ir.plans.host - INFO - Executing step stop_host.\n\n   Processing complete for cr-17-072104-7d5f\n   Artifacts stored in s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a\n\nInstance Compromise -- Isolation Achieved\n*******************\n\nSee below that I've connected to the compromised workstation from my examiner IP address.  SSH is all\nthat is permitted due to the NACL and Security Group additions.\n\n.. code-block:: bash\n\n   [root@ip-172-31-9-119 ec2-user]# yum install iotop\n   Loaded plugins: priorities, update-motd, upgrade-helper\n   Resolving Dependencies\n   --\u003e Running transaction check\n   ---\u003e Package iotop.noarch 0:0.3.2-7.6.amzn1 will be installed\n   --\u003e Finished Dependency Resolution\n\n   Dependencies Resolved\n\n   iotop-0.3.2-7.6.amzn1.noarch.r FAILED\n   http://packages.us-west-1.amazonaws.com/2017.03/main/201703c0ffee/x86_64/Packages/iotop-0.3.2-7.6.amzn1.noarch.rpm?instance_id=i-0d4216a9fda54fcb6\u0026region=us-west-2: [Errno 12] Timeout on http://packages.us-west-1.amazonaws.com/2017.03/main/201703c0ffee/x86_64/Packages/iotop-0.3.2-7.6.amzn1.noarch.rpm?instance_id=i-0d4216a9fda54fcb6\u0026region=us-west-2: (28, 'Connection timed out after 10000 milliseconds')\n   Trying other mirror.\n   ^C\n\n   Exiting on user cancel\n   [root@ip-172-31-9-119 ec2-user]# ping 4.2.2.2\n   PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.\n   ^C\n   --- 4.2.2.2 ping statistics ---\n   4 packets transmitted, 0 received, 100% packet loss, time 3076ms\n\n   [root@ip-172-31-9-119 ec2-user]#\n\n\n\nUser Guide\n**********\n\nRead more about each subcommand in our `user guide \u003chttps://aws_ir.readthedocs.io/en/latest/user_guide.html\u003e`__.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThreatResponse%2Faws_ir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FThreatResponse%2Faws_ir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThreatResponse%2Faws_ir/lists"}