From 4151947be3874c2e6d7d5b4520b618f067bd32da Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Mon, 15 Aug 2022 21:58:11 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/iaas-index.csv | 1 +
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 1 +
 .../Indexes/Indexes-Markdown/iaas-index.md | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/linux-index.md | 1 +
 atomics/Indexes/index.yaml | 32 +++++++++++
 atomics/T1530/T1530.md | 56 +++++++++++++++++++
 8 files changed, 94 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/iaas-index.csv b/atomics/Indexes/Indexes-CSV/iaas-index.csv
index 27039084..6a1e9eeb 100644
--- a/atomics/Indexes/Indexes-CSV/iaas-index.csv
+++ b/atomics/Indexes/Indexes-CSV/iaas-index.csv
@@ -13,3 +13,4 @@ persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in su
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 981f12d3..a4916f94 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -845,6 +845,7 @@ collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 5c2ee2f1..8618deb4 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -107,6 +107,7 @@ collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
+collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
diff --git a/atomics/Indexes/Indexes-Markdown/iaas-index.md b/atomics/Indexes/Indexes-Markdown/iaas-index.md
index 8a30e6e4..2da96ca2 100644
--- a/atomics/Indexes/Indexes-Markdown/iaas-index.md
+++ b/atomics/Indexes/Indexes-Markdown/iaas-index.md
@@ -96,6 +96,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
 - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
 - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+ - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c238f4f8..1d71e5a0 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1429,6 +1429,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
 - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
 - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+ - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 48c40d3d..f4e92247 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -235,6 +235,7 @@
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
 - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
 - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
+ - Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3eede8bf..943d6086 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -65400,6 +65400,38 @@ collection: ' name: powershell + - name: AWS - Scan for Anonymous Access to S3 + auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5 + description: "Upon successful execution, this test will test for anonymous access + to AWS S3 buckets and dumps all the files to a local folder. \n" + supported_platforms: + - iaas:aws + input_arguments: + s3_bucket_name: + description: Name of the bucket + type: String + default: redatomic-test2 + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: | + cat ~/.aws/credentials | grep "default" + aws s3api create-bucket --bucket #{s3_bucket_name} + aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json + touch /tmp/T1530.txt + aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + default profile using: aws configure + + ' + executor: + command: 'aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} + + ' + cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \nrm -rf /tmp/#{s3_bucket_name}\n" + name: sh + elevation_required: false T1074.002: technique: x_mitre_platforms: diff --git a/atomics/T1530/T1530.md b/atomics/T1530/T1530.md index 6f22db04..4e2744e0 100644 --- a/atomics/T1530/T1530.md +++ b/atomics/T1530/T1530.md @@ -12,6 +12,8 @@ Misconfiguration by end users is a common problem. There have been numerous inci - [Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-2---azure---scan-for-anonymous-access-to-azure-storage-powershell) +- [Atomic Test #3 - AWS - Scan for Anonymous Access to S3](#atomic-test-3---aws---scan-for-anonymous-access-to-s3) +
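Review bot: The `prereq_command` added in the index.yaml hunk performs setup rather than a check — it creates the bucket, attaches the policy from `$PathToAtomicsFolder/T1530/src/policy.json` (not part of this diff, presumably granting anonymous read) and uploads a file — and because the five lines run as a plain `sh` script with no `set -e`, only the exit status of the final `aws s3 cp` appears to decide whether prerequisites are met, so a failed `grep "default"` or `create-bucket` is masked. The default `redatomic-test2` lives in S3's global bucket namespace, so `create-bucket` fails whenever another account already owns that name, and if a user passes a bucket that already exists, `cleanup_command`'s `aws s3 rb ... --force` deletes its contents. Since this commit is generator output, the fix belongs in the source atomic (presumably atomics/T1530/T1530.yaml): start the prereq script with `set -e` (or `&&`-chain the commands) and reword the input as `description: Name of a new, test-only bucket; created by the prereq and deleted with --force at cleanup`. For defenders running this in a lab, the anonymous `--no-sign-request` copy is the event to watch for in S3 server access logs or CloudTrail data events for the bucket. The same text is repeated in the T1530.md hunk.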
@@ -124,4 +126,58 @@ remove-item #{output_file} -erroraction silentlycontinue +
+
+ +## Atomic Test #3 - AWS - Scan for Anonymous Access to S3 +Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder. + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 979356b9-b588-4e49-bba4-c35517c484f5 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| s3_bucket_name | Name of the bucket | String | redatomic-test2| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} +``` + +#### Cleanup Commands: +```sh +aws s3 rb s3://#{s3_bucket_name} --force +rm -rf /tmp/#{s3_bucket_name} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +aws s3api create-bucket --bucket #{s3_bucket_name} +aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json +touch /tmp/T1530.txt +aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS default profile using: aws configure +``` + + + +