Weekly #6-2025 – By suktech24, Tue 17 March 2025, Estimated reading time : 10 mins
Last week, I read the article, The Cat Flap – How to really Purrsist in AWS Accounts, by Dr. Michael “rootcat” Gschwender and Benedikt Haußner. I found the article particularly valuable in its comprehensive outline of the attack from both an attacker and defensive perspective, offering insightful analysis of real-world cloud security challenges. It provided valuable insights and inspired me to further explore this topic, particularly in relation to AWS Control Tower, AWSControlTowerExecution role and its security implications.
Introduction
The “Cat Flap – How to really Purrsist in AWS Accounts” blog post details a method for establishing a persistent backdoor in AWS environments by abusing the AWSControlTowerExecution role. This involves adding an external, attacker-controlled AWS account to the role’s trust policy, effectively granting administrative access. From a threat detection engineering perspective, this technique presents a unique challenge: blending malicious activity with legitimate configurations. In this week's blog post, the following will be explored:
- What is AWS Control Tower
- Understanding the Attack Vector
- Defensive Blind Spots
- Sigma Rule
- Mitigation Strategies
1. What is AWS Control Tower?
AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
This YouTube video gives a brief overview of AWS Control Tower. For more in-depth content, you could check out this YouTube series.
2. Understanding the Attack Vector
The Cat Flap technique exploits AWS Control Tower, a service designed to enforce governance in multi-account environments. Attackers can leverage this service to establish persistent administrative access.
Attack Overview
- Initial Compromise
  - The attacker gains access to an AWS account through phishing, credential leaks, or misconfigured IAM policies.
- Role Enumeration and Modification (some AWS commands are added for learning purposes)
  - List IAM roles
    - The attacker can list IAM roles. The command below lists all the roles in the AWS account.
    - aws iam list-roles
  - Search for the AWSControlTowerExecution role
    - aws iam list-roles --query "Roles[?RoleName=='AWSControlTowerExecution']"
    - --query (string) ==> A JMESPath query to use in filtering the response data.
  - Check the trust policy
    - The attacker could check the trust policy.
    - aws iam get-role --role-name AWSControlTowerExecution
    - get-role ==> Retrieves information about the specified role, including the role’s path, GUID, ARN, and the role’s trust policy that grants permission to assume the role.
- Manual enrollment of the compromised account into AWS Control Tower and Modify Role Trust Policy
- Assume the role
- The attacker has successfully enrolled an external account into AWS Control Tower and gained elevated access using the AWSControlTowerExecution role.

3. MITRE ATT&CK Mapping
- TA0005 : Defense Evasion
  - The adversary is trying to avoid being detected.
  - The attacker evades detection by enrolling an attacker-owned compromised account into AWS Control Tower, blending their actions with legitimate administrative roles, making it harder for security teams to detect unauthorized access.
- TA0004 : Privilege Escalation
  - The adversary is trying to gain higher-level permissions.
  - By modifying the AWSControlTowerExecution role, the attacker escalates their privileges to administrative level, granting them full control over the compromised AWS account.
- T1078.004 : Valid Accounts: Cloud Accounts
  - Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
  - The attacker’s initial compromise of a valid AWS account is the necessary first step.
  - The attacker then abuses/leverages valid cloud accounts within the compromised target to enroll the account into AWS Control Tower, enabling continued access and the ability to perform actions without raising alarms.
- T1098.003 : Account Manipulation: Additional Cloud Roles
  - An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.
  - The attacker adds the AWSControlTowerExecution role, which adds the attacker’s account to the role’s trusted principals and therefore gives the attacker the role’s permissions.
3. Defensive Blind Spots
- Legitimacy of the role
  - The AWSControlTowerExecution role appears legitimate since Control Tower is a trusted AWS service, making it less likely to raise suspicion during audits.
- Tooling Blind Spots
  - Security tools like Prowler ignore Control Tower roles due to allowlisting.
  - “Prowler provides you a Default AWS Allowlist with the AWS Resources that should be allowlisted such as all resources created by AWS Control Tower when setting up a landing zone. You can execute Prowler with this allowlist using the following command:
    prowler aws --allowlist prowler/config/aws_allowlist.yaml”
- Scale Challenges
  - Manual auditing of hundreds of IAM roles is rare due to their sheer volume in large environments, which allows the malicious trust policy to go unnoticed.
- Persistence without detection
  - By adding their own account as a trusted principal, the attacker effectively creates a backdoor that bypasses standard access controls.
  - The modified trust policy grants long-term access without requiring ongoing control of the initial entry point.
  - The attacker blends their malicious activity with the normal operation of a core AWS service.
4. Sigma Rule
```yaml
title: Suspicious AWS Control Tower Execution Role Trust Policy Modification and External AssumeRole
id: add_id
status: developed_for_learning_purpose
description: Detects modifications to the AWSControlTowerExecution role trust policy that add external AWS accounts, followed by an external AssumeRole attempt.
references:
  - https://rootcat.de/blog/thecatflap
author: suktech24
date: 2025-03-18
logsource:
  product: aws
  service: aws.cloudtrail
  category: iam
detection:
  policy_change:
    eventName: 'UpdateAssumeRolePolicy'
    requestParameters.roleName: 'AWSControlTowerExecution'
    # "all": every string must appear in the new trust policy (a plain list under "contains" matches any one of them)
    requestParameters.policyDocument|contains|all:
      - 'arn:aws:iam:'
      - ':root'
      - 'sts:AssumeRole'
  assume_role:
    eventName: 'AssumeRole'
    requestParameters.roleArn|endswith: ':role/AWSControlTowerExecution'
  filter:
    userIdentity.arn|startswith:
      - 'arn:aws:iam::1234567890' # Example of a trusted internal account ARN that you want to whitelist
  # Intended logic: policy_change followed by assume_role within the timeframe
  sequence:
    - policy_change
    - assume_role
  timeframe: 6h
  condition: sequence
falsepositives:
  - Legitimate cross-account role assumptions within the organization.
  - Legitimate role modifications by AWS administrators.
  - Approved third-party integrations
  - Scheduled or automated trust policy changes.
level: critical
mitre:
  tactics:
    - TA0003 (Persistence)
    - TA0004 (Privilege Escalation)
  techniques:
    - T1098.003 (Account Manipulation: Additional Cloud Roles)
    - T1078.004 (Valid Accounts: Cloud Accounts)
```
NOTE : Please note that the provided Sigma rule is for learning purposes and has not been tested in a production environment; as I am still learning AWS, there may be inaccuracies or omissions.
5. Mitigation Strategies
- Restrict Role Modification Permissions:
  - Implement strict IAM policies to limit which users and roles can modify critical IAM roles, especially AWSControlTowerExecution. Enforce the principle of least privilege to minimize the risk of unauthorized modifications.
- Monitor Trust Policies
  - Implement automated checks and alerts for unexpected principals in trust policies. Specifically, monitor for the addition of external AWS accounts to the trust policies of critical roles.
- Enable and Leverage AWS Security Services
  - AWS CloudTrail
    - Enable CloudTrail and actively monitor logs for unusual sts:AssumeRole activity and API calls like UpdateAssumeRolePolicy.
  - AWS GuardDuty
    - Enable GuardDuty to detect anomalous API calls, including those related to role modifications and cross-account role assumptions.
- Regularly Audit high risk IAM and Control Tower Roles
  - Focus on roles associated with critical services (e.g., Control Tower, Organizations, S3 buckets containing sensitive data) to ensure that any unauthorized changes, such as adding attacker-controlled accounts to critical roles like AWSControlTowerExecution, are detected early.
- Enhance Monitoring and Alerting
  - SIEM Integration
    - Aggregating CloudTrail logs into a SIEM system such as Splunk or Elastic and setting alerts for new principals added to critical roles enables proactive detection of unauthorized activities, including attacker enrollment into AWS Control Tower.
- Update Compliance Scanners:
  - Customize security and compliance scanning tools, such as Prowler, to include scans of Control Tower roles. Override default exclusion lists or mutelists to ensure comprehensive coverage.
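
The trust-policy check from "Monitor Trust Policies" and the ordered correlation the Sigma rule aims for (a policy change followed by an AssumeRole within 6h) can be prototyped over exported CloudTrail records. This is an added example, not code from the original post or from the Cat Flap authors; the account IDs and events are constructed, and it assumes that `userIdentity.accountId` carries the calling account in the role owner's trail.

```python
import json
from datetime import datetime, timedelta

ROLE = "AWSControlTowerExecution"
WINDOW = timedelta(hours=6)  # same timeframe as the Sigma rule on this page

def external_accounts(policy_document, trusted):
    """Account IDs (or "*") allowed as AWS principals in a trust policy but not in `trusted`."""
    found = set()
    statements = json.loads(policy_document).get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            # A principal is an ARN (arn:aws:iam::<account>:root), a bare account ID, or "*"
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in trusted:
                found.add(account)
    return found

def detect(events, trusted):
    """Alert on external principals added to ROLE and on their AssumeRole calls within WINDOW."""
    alerts, pending = [], {}  # pending: external account -> time of the policy change
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "UpdateAssumeRolePolicy" and params.get("roleName") == ROLE:
            for account in sorted(external_accounts(params["policyDocument"], trusted)):
                pending[account] = when
                alerts.append(("external_principal_added", account, ev["eventTime"]))
        elif ev["eventName"] == "AssumeRole" and params.get("roleArn", "").endswith(":role/" + ROLE):
            caller = ev.get("userIdentity", {}).get("accountId")
            if caller in pending and when - pending[caller] <= WINDOW:
                alerts.append(("external_assume_role", caller, ev["eventTime"]))
    return alerts

# Constructed sample data: account IDs, timestamps and events are made up for illustration.
TRUSTED = {"111111111111"}  # assumed: the Control Tower management account
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"]}}]})

def assume_event(time, account):  # constructed AssumeRole record from the role owner's trail
    return {"eventTime": time, "eventName": "AssumeRole", "userIdentity": {"accountId": account},
            "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/" + ROLE}}

SAMPLE_EVENTS = [
    {"eventTime": "2025-03-18T10:00:00Z", "eventName": "UpdateAssumeRolePolicy",
     "requestParameters": {"roleName": ROLE, "policyDocument": SAMPLE_POLICY}},
    assume_event("2025-03-18T10:20:00Z", "111111111111"),  # trusted caller: no alert
    assume_event("2025-03-18T12:30:00Z", "999999999999"),  # external, inside the window
    assume_event("2025-03-19T17:00:00Z", "999999999999"),  # external, outside the window
]
print(detect(SAMPLE_EVENTS, TRUSTED))
```

The `trusted` set plays the part of the rule's `filter` selection: populate it with the account IDs of your own organization so that only principals outside it raise alerts.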
Summary
As demonstrated in the Cat Flap blog post, attackers can exploit the AWSControlTowerExecution role to establish persistent access, underscoring the critical need for proactive security measures in AWS. To mitigate such risks, organizations should prioritize hardening IAM policies, continuously monitor cross-account AssumeRole events via CloudTrail logs, and implement targeted detection rules like the Sigma example provided. However, detection engineers must also acknowledge the importance of iterative refinement: real-world environments often reveal gaps in rulesets, and evolving attacker tactics demand ongoing adjustments to ensure robust defense against stealthy backdoors.
Glossaries
- Honorable mentions 😸😸😸 ==> purrsist, pwomise, pawtentially, pawsiblities
- AWS
  - AWS Control Tower
    - AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
  - AWSControlTowerExecution role
    - The AWSControlTowerExecution role must be present in all enrolled accounts. It allows AWS Control Tower to manage your individual accounts and report information about them to your Audit and Log Archive accounts.
    - For a single account enrollment, we ask customers to manually create the role and then enroll the account in AWS Control Tower.
    - To summarize, the AWSControlTowerExecution role and its associated policy gives you flexible control of security and compliance across your entire organization. Therefore, breaches of security or protocol are less likely to occur.
  - AWS IAM Identity Center
    - AWS IAM Identity Center is the AWS solution for connecting your workforce users to AWS managed applications such as Amazon Q Developer and Amazon QuickSight, and other AWS resources. You can connect your existing identity provider and synchronize users and groups from your directory, or create and manage your users directly in IAM Identity Center. You can then use IAM Identity Center for either or both of the following:
      - User access to applications
      - User access to AWS accounts
  - AWS CloudTrail
    - AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
    - CloudTrail is active in your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.
  - AWS GuardDuty
    - Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes AWS data sources and logs in your AWS environment. GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, file hashes, and machine learning (ML) models to identify suspicious and potentially malicious activity in your AWS environment. The following list provides an overview of potential threat scenarios that GuardDuty can help you detect:
      - Compromised and exfiltrated AWS credentials.
      - Data exfiltration and destruction that can lead to a ransomware event.
      - Unusual patterns of login events in the supported engine versions of Amazon Aurora and Amazon RDS databases, that indicate anomalous behavior.
      - Unauthorized cryptomining activity in your Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads.
      - Presence of malware in your Amazon EC2 instances and container workloads, and newly uploaded files in your Amazon Simple Storage Service (Amazon S3) buckets.
      - Operating system-level, networking, and file events that indicate unauthorized behavior on your Amazon Elastic Kubernetes Service (Amazon EKS) clusters, Amazon Elastic Container Service (Amazon ECS) – AWS Fargate tasks, and Amazon EC2 instances and container workloads.
  - AWS IAM
    - AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.
  - Landing Zone
    - A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. This is a starting point from which your organization can quickly launch and deploy workloads and applications with confidence in your security and infrastructure environment. Building a landing zone involves technical and business decisions to be made across account structure, networking, security, and access management in accordance with your organization’s growth and business goals for the future.
  - AWS Organizations
    - AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using Organizations, you can create accounts and allocate resources, group accounts to organize your workflows, apply policies for governance, and simplify billing by using a single payment method for all of your accounts.
  - Service Control Policy (SCP)
    - Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.
  - AWS Service Catalog
    - AWS Service Catalog enables organizations to create and manage catalogs of products that are approved for use in AWS.
  - AWS Security Token Service (STS)
    - AWS provides AWS Security Token Service (AWS STS) as a web service that enables you to request temporary, limited-privilege credentials for users.
  - sts:AssumeRole
    - Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access.
- Backdoors
  - Backdoor malware is generally classified as a Trojan. A Trojan is a malicious computer program pretending to be something it’s not for the purposes of delivering malware, stealing data, or opening up a backdoor on your system. Much like the Trojan horse of ancient Greek literature, computer Trojans always contain a nasty surprise.
  - What I want in a Backdoor
    - Hard to detect
    - Stable
    - Easy to Use
  - Once cybercriminals have their foot in the door, they might employ what’s known as a rootkit. A rootkit is a package of malware designed to avoid detection and conceal Internet activity (from you and your operating system). Rootkits provide attackers with continued access to infected systems. In essence, the rootkit is the doorstopper that keeps the backdoor open.
  - Interesting fact about Built-in or proprietary backdoors
    - They are put in place by the hardware and software makers themselves. Unlike backdoor malware, built-in backdoors aren’t necessarily conceived with some criminal purpose in mind. More often than not, built-in backdoors exist as artifacts of the software creation process.
    - The members of the Five Eyes intelligence sharing pact (the US, UK, Canada, Australia, and New Zealand) have asked Apple, Facebook, and Google to install backdoors in their technology to aid in evidence gathering during criminal investigations. Though all three companies have declined, all three do provide downstream data to the extent required by law.
    - The Five Eyes nations have stressed that these backdoors are in the best interest of global security, but there’s a lot of potential for abuse.
- Prowler
  - Prowler is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and also remediations!
  - Default AWS Allowlist – Prowler provides you a Default AWS Allowlist with the AWS Resources that should be allowlisted such as all resources created by AWS Control Tower when setting up a landing zone. You can execute Prowler with this allowlist using the following command:
    prowler aws --allowlist prowler/config/aws_allowlist.yaml
References
- The Cat Flap – How to really Purrsist in AWS Accounts, rootcat, https://rootcat.de/blog/thecatflap
- The Cat Flap, https://github.com/rootcathacking/TheCatFlap
- What Is AWS Control Tower?, https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
- Other relevant references are embedded in the blog post.

