Generated docs from job=generate-docs branch=master [ci skip]

2022-08-15 21:58:11 +00:00
parent bce192b221
commit 4151947be3
8 changed files with 94 additions and 0 deletions
@@ -13,3 +13,4 @@ persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in su
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
@@ -845,6 +845,7 @@ collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -107,6 +107,7 @@ collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -96,6 +96,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+  - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1429,6 +1429,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+  - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -235,6 +235,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+  - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -65400,6 +65400,38 @@ collection:

          '
        name: powershell
+    - name: AWS - Scan for Anonymous Access to S3
+      auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5
+      description: "Upon successful execution, this test will test for anonymous access
+        to AWS S3 buckets and dumps all the files to a local folder. \n"
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        s3_bucket_name:
+          description: Name of the bucket
+          type: String
+          default: redatomic-test2
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: |
+          cat ~/.aws/credentials | grep "default"
+          aws s3api create-bucket --bucket #{s3_bucket_name}
+          aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json
+          touch /tmp/T1530.txt
+          aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name}
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      executor:
+        command: 'aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}
+
+          '
+        cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \nrm -rf /tmp/#{s3_bucket_name}\n"
+        name: sh
+        elevation_required: false
  T1074.002:
    technique:
      x_mitre_platforms:
@@ -12,6 +12,8 @@ Misconfiguration by end users is a common problem. There have been numerous inci

 - [Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-2---azure---scan-for-anonymous-access-to-azure-storage-powershell)

+- [Atomic Test #3 - AWS - Scan for Anonymous Access to S3](#atomic-test-3---aws---scan-for-anonymous-access-to-s3)
+

 <br/>

@@ -124,4 +126,58 @@ remove-item #{output_file} -erroraction silentlycontinue



+<br/>
+<br/>
+
+## Atomic Test #3 - AWS - Scan for Anonymous Access to S3
+Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 979356b9-b588-4e49-bba4-c35517c484f5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| s3_bucket_name | Name of the bucket | String | redatomic-test2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}
+```
+
+#### Cleanup Commands:
+```sh
+aws s3 rb s3://#{s3_bucket_name} --force 
+rm -rf /tmp/#{s3_bucket_name}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+aws s3api create-bucket --bucket #{s3_bucket_name}
+aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json
+touch /tmp/T1530.txt
+aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name}
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS default profile using: aws configure
+```
+
+
+
+
 <br/>