EC2 DFIR Workshop
Lab 10: Determine if keys are present on compromised system
GOAL:
Determine whether any credentials stored on the compromised volume (AWS access keys, SSH private keys) may have been exposed and need to be revoked or disabled. Enumerate the public keys in authorized_keys files to identify the principals that could have logged in to the system before or during the incident.
SUMMARY OF STEPS:
- Look in the typical directories
- Perform an expanded search
- Look for Public Keys
Step 1: Look in the typical directories:
ls -als /mnt/linux_mount/home/ec2-user/.ssh/
ls -als /mnt/linux_mount/home/ec2-user/.aws/
Repeat for /root/.ssh, /root/.aws and any other home directories on the volume; ec2-user is only the default account on Amazon Linux images.
VIDEO: Lab 10 Step 1 - Look in the typical directories
Step 2: Perform an expanded search
Perform an expanded search based on a regex pattern. AWS access key IDs are 20 characters and long-term keys start with AKIA, so the pattern below matches them anywhere on the volume (expect some false positives); the EXAMPLE filter drops the sample keys that appear in AWS documentation and SDK test files:
grep -rE 'AKIA[A-Z0-9]{16}' /mnt/linux_mount/ --color=always \
| grep -v "EXAMPLE"
Then search for PEM-armored private keys (RSA, EC, OpenSSH, PKCS#8 all end their header with "PRIVATE KEY-----"); less -R renders the color escapes instead of showing them raw:
grep -r "PRIVATE KEY-----" /mnt/linux_mount/ --color=always | less -R
VIDEO: Lab 10 Step 2 - Perform an expanded search
Step 3: Look for public keys in authorized_keys files:
find /mnt/linux_mount/ -name 'authorized_keys' -type f -print0 | xargs -0 grep -H ''
The -print0/-0 pair keeps paths with spaces intact, and grep -H prefixes every key with the file it came from, which a plain cat discards. Also check AuthorizedKeysFile in /mnt/linux_mount/etc/ssh/sshd_config, since sshd may be reading keys from a location other than ~/.ssh/authorized_keys.
VIDEO: Lab 10 Step 3 - Look for public keys in authorized_keys file
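The three steps above combined into one triage script, as an added example that is not part of the workshop. It assumes the compromised instance's root volume is attached to the forensic workstation and mounted read-only at the path passed as the first argument (the lab uses /mnt/linux_mount). The function names are hypothetical, and the sample volume it builds is constructed with fictitious key material so the script runs offline. It goes a little beyond the lab: it also matches ASIA-prefixed temporary (STS) key IDs, reads binary files instead of skipping them, matches the PGP "PRIVATE KEY BLOCK" header that the lab's pattern misses, and parses each authorized_keys entry into file, key type, comment and options.

```shell
#!/bin/sh
# Added example (not workshop code): credential triage over a mounted evidence volume.
# $1 is the mount point of the compromised root volume, e.g. /mnt/linux_mount.

# 1) AWS access key IDs. Long-lived keys start with AKIA, STS temporary keys with ASIA.
#    -a treats binaries (caches, sqlite, core dumps) as text instead of printing
#    "Binary file ... matches"; -o prints only the 20-character match, -H the file.
#    AWS documentation sample keys all end in EXAMPLE and are dropped. Output: path:KEYID
find_access_key_ids() {
  grep -raoHE '(AKIA|ASIA)[A-Z0-9]{16}' "$1" 2>/dev/null | grep -v 'EXAMPLE$' | sort -u
}

# 2) Armored private keys: PEM (RSA/EC/DSA), PKCS#8 (plain or ENCRYPTED), OPENSSH and
#    PGP "PRIVATE KEY BLOCK". The lab's "PRIVATE KEY-----" pattern misses the PGP form.
find_private_keys() {
  grep -rlaE -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY( BLOCK)?-----' "$1" 2>/dev/null | sort
}

# 3) Every authorized_keys(2) file, one line per key: file, key type, first 16 chars of
#    the key blob, comment, and any leading options field (from=, command=, ...).
#    -exec ... + survives paths with spaces and keeps the file name, which cat discards.
#    sshd_config's AuthorizedKeysFile can point elsewhere; check it as well.
list_authorized_keys() {
  find "$1" \( -name authorized_keys -o -name authorized_keys2 \) -type f -exec awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      opts = ""; t = $1; key = $2; c = 3
      if ($1 !~ /^(ssh-|ecdsa-|sk-)/) { opts = $1; t = $2; key = $3; c = 4 }
      comment = ""
      for (i = c; i <= NF; i++) comment = comment (i > c ? " " : "") $i
      printf "%s\t%s\t%s...\t%s\t%s\n", FILENAME, t, substr(key, 1, 16), comment, opts
    }' {} +
}

triage() {
  echo "== AWS access key IDs (verify in IAM, then revoke/disable)"; find_access_key_ids "$1"
  echo "== Files containing private keys";                         find_private_keys "$1"
  echo "== authorized_keys entries (file, type, key, comment, options)"
  list_authorized_keys "$1"
}

# Constructed sample volume so the script runs offline; every key below is fictitious.
make_sample_tree() {
  mkdir -p "$1/home/ec2-user/.ssh" "$1/home/ec2-user/.aws" "$1/root/.ssh" \
           "$1/root/.gnupg" "$1/opt/app dir" "$1/var/cache"
  printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n[prod]\naws_access_key_id = AKIAQWERTYUIOPASDFGH\n' \
    > "$1/home/ec2-user/.aws/credentials"
  printf '{"key": "AKIA1234567890ABCDEF"}\n' > "$1/opt/app dir/config.json"
  printf 'cache\000ASIAABCDEFGHIJKLMNOP\000tail\n' > "$1/var/cache/blob.bin"   # NUL bytes: binary
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' '-----END OPENSSH PRIVATE KEY-----' \
    > "$1/home/ec2-user/.ssh/id_ed25519"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE' '-----END RSA PRIVATE KEY-----' \
    > "$1/opt/app dir/deploy.pem"
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'lQ' '-----END PGP PRIVATE KEY BLOCK-----' \
    > "$1/root/.gnupg/secret.asc"
  printf '# keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1 ec2-keypair\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEKEY2 attacker@evil\n' \
    > "$1/home/ec2-user/.ssh/authorized_keys"
  printf 'from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY3 ops@bastion\n' \
    > "$1/root/.ssh/authorized_keys"
}

SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
triage "$SAMPLE"
```

To run it against real evidence, drop the sample-tree lines and call triage with the mount point. Every access key ID it reports should be looked up in IAM (or CloudTrail) to confirm it is live before it is revoked, and a private key hit on disk means the matching public key must be found and removed wherever it grants access, not just on this host.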