diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index aa9702c5..7531aedb 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -355,12 +355,15 @@ defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-4 defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt -defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh +defense-evasion,T1562.008,Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell -defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh -defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh -defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh +defense-evasion,T1562.008,Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh +defense-evasion,T1562.008,Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh +defense-evasion,T1562.008,Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh +defense-evasion,T1562.008,Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh +defense-evasion,T1562.008,Disable Cloud Logs,8,AWS - 
CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh +defense-evasion,T1562.008,Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d2195c8f..a0170a84 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -73,12 +73,15 @@ defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/U defense-evasion,T1027.004,Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash defense-evasion,T1027.004,Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash defense-evasion,T1027.004,Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash -defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh +defense-evasion,T1562.008,Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell -defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh -defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh -defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh +defense-evasion,T1562.008,Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh +defense-evasion,T1562.008,Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh +defense-evasion,T1562.008,Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh +defense-evasion,T1562.008,Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh +defense-evasion,T1562.008,Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh 
+defense-evasion,T1562.008,Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c5e4ac8c..82abbff6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -523,12 +523,15 @@ - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md) - - Atomic Test #1: AWS CloudTrail Changes [iaas:aws] + - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws] - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365] - - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos] - - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws] - - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws] + - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos] + - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos] + - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos] + - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws] + - Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws] + - Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws] - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md) - Atomic Test #1: Hidden Window [windows] - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 6da30745..4e1e11eb 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -158,12 +158,15 @@ - Atomic Test #5: Go compile [linux, macos] - T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md) - - Atomic Test #1: AWS CloudTrail Changes [iaas:aws] + - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws] - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365] - - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos] - - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws] - - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws] + - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos] + - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos] + - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos] + - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws] + - Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws] + - Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws] - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 122b1e3f..13a32253 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -21330,7 +21330,7 @@ defense-evasion: - User identifier: T1562.008 atomic_tests: - - name: AWS CloudTrail Changes + - name: AWS - CloudTrail Changes auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e description: 'Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail @@ -21464,13 +21464,13 @@ defense-evasion: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True name: powershell elevation_required: false - - name: Disable CloudTrail Logging Through Event Selectors via Stratus + - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: 'Update event selectors in AWS CloudTrail to disable the logging - of certain management events to evade defense. This atomic test leverages - a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). + of certain management events to evade defense. This Atomic test leverages + a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate - offensive attack techniques against a live cloud environment. + offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ ' supported_platforms: 
@@ -21524,9 +21524,136 @@ defense-evasion: echo "Cleanup detonation" cd #{stratus_path} ./stratus cleanup --all + rm -rf stratus* name: sh elevation_required: false - - name: AWS CloudWatch Log Group Deletes + - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus + auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029 + description: 'This Atomic test will use the Stratus Red Team will first setup + a CloudTrail logging into an S3 bucket and will then make an API call to update + the lifecycle rule on that S3 bucket with an expiration date of 1 day. This + will essentially delete all the logs after one day. Adversaries often do this + actiivity to evade detection. Stratus Red Team is a self-contained binary. + You can use it to easily detonate offensive attack techniques against a live + cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ + + ' + supported_platforms: + - linux + - macos + input_arguments: + stratus_path: + description: Path of stratus binary + type: Path + default: "$PathToAtomicsFolder/T1562.008/src" + aws_region: + description: AWS region to detonate + type: String + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s 
https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting + warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule\necho + \"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule + --force\n" + cleanup_command: | + export AWS_REGION=#{aws_region} + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false + - name: AWS - Remove VPC Flow Logs using Stratus + auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79 + description: 'This Atomic will attempt to remove AWS VPC Flow Logs configuration. + Stratus Red Team is a self-contained binary. You can use it to easily detonate + offensive attack techniques against a live cloud environment. 
Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ + + ' + supported_platforms: + - linux + - macos + input_arguments: + stratus_path: + description: Path of stratus binary + type: Path + default: "$PathToAtomicsFolder/T1562.008/src" + aws_region: + description: AWS region to detonate + type: String + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting + warmup\"\n./stratus warmup aws.defense-evasion.vpc-remove-flow-logs\necho + \"starting detonate\"\n./stratus detonate aws.defense-evasion.vpc-remove-flow-logs + --force\n" + cleanup_command: | + export AWS_REGION=#{aws_region} + 
echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false + - name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: "Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses 
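Review bot: the `rm -rf stratus*` added to the test #4 cleanup_command (and copied into the new tests #5 and #6) runs immediately after `cd #{stratus_path}` with no check that the cd succeeded; if the path is missing or unreadable the glob expands in whatever directory the runner is in and removes everything there that begins with `stratus`. Guard it with `cd "#{stratus_path}" || exit 1` before the `rm`, or address the target explicitly with `rm -rf "#{stratus_path}"/stratus*`. It also deletes the binary the dependency step just downloaded, so every run re-fetches the latest release from api.github.com; if that is intended it should be said in the description. In the same hunk, both new tests' `get_prereq_command` use `[ "$(uname)" == "Darwin" ]` and `[ "$(expr substr $(uname) 1 5)" == "Linux" ]` under `dependency_executor_name: sh`; POSIX `test` defines only `=`, and on Debian/Ubuntu where `sh` is dash the `==` form fails with "unexpected operator", so the download never runs there. Use `=`. Smaller points: the test #5 description reads "will use the Stratus Red Team will first setup ..." and has "actiivity"; the credentials dependency text "has a default stanza is configured" and "defult profile" are carried-over typos in all three new tests; and the Darwin branch greps `Darwin_x86_64`, so it always selects the x86_64 asset regardless of host architecture.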
@@ -21563,6 +21690,43 @@ defense-evasion: cleanup_command: name: sh elevation_required: false + - name: AWS - CloudWatch Log Stream Deletes + auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121 + description: "Creates a new CloudWatch log group in AWS, Upon successful creation + it will Delete the group. Attackers can use this technique to evade defenses + by \ndeleting the log stream. Once it is deleted, the logs created by the + attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion\n" + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: log-test + region: + description: Name of the region + type: String + default: us-east-1 + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: + name: sh + elevation_required: false - name: AWS CloudWatch Log Stream Deletes auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932 description: "Creates a new cloudWatch log stream in AWS, Upon successful creation diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1562.008/T1562.008.md index 425b5059..49ff48ba 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1562.008/T1562.008.md 
@@ -6,22 +6,28 @@ Cloud environments allow for collection and analysis of audit and application lo ## Atomic Tests -- [Atomic Test #1 - AWS CloudTrail Changes](#atomic-test-1---aws-cloudtrail-changes) +- [Atomic Test #1 - AWS - CloudTrail Changes](#atomic-test-1---aws---cloudtrail-changes) - [Atomic Test #2 - Azure - Eventhub Deletion](#atomic-test-2---azure---eventhub-deletion) - [Atomic Test #3 - Office 365 - Exchange Audit Log Disabled](#atomic-test-3---office-365---exchange-audit-log-disabled) -- [Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus](#atomic-test-4---disable-cloudtrail-logging-through-event-selectors-via-stratus) +- [Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus](#atomic-test-4---aws---disable-cloudtrail-logging-through-event-selectors-using-stratus) -- [Atomic Test #5 - AWS CloudWatch Log Group Deletes](#atomic-test-5---aws-cloudwatch-log-group-deletes) +- [Atomic Test #5 - AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus](#atomic-test-5---aws---cloudtrail-logs-impairment-through-s3-lifecycle-rule-using-stratus) -- [Atomic Test #6 - AWS CloudWatch Log Stream Deletes](#atomic-test-6---aws-cloudwatch-log-stream-deletes) +- [Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus](#atomic-test-6---aws---remove-vpc-flow-logs-using-stratus) + +- [Atomic Test #7 - AWS - CloudWatch Log Group Deletes](#atomic-test-7---aws---cloudwatch-log-group-deletes) + +- [Atomic Test #8 - AWS - CloudWatch Log Stream Deletes](#atomic-test-8---aws---cloudwatch-log-stream-deletes) + +- [Atomic Test #9 - AWS CloudWatch Log Stream Deletes](#atomic-test-9---aws-cloudwatch-log-stream-deletes)
-## Atomic Test #1 - AWS CloudTrail Changes +## Atomic Test #1 - AWS - CloudTrail Changes Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail **Supported Platforms:** Iaas:aws @@ -194,8 +200,8 @@ Import-Module ExchangeOnlineManagement

-## Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus -Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. +## Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus +Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ **Supported Platforms:** Linux, macOS @@ -231,6 +237,7 @@ export AWS_REGION=#{aws_region} echo "Cleanup detonation" cd #{stratus_path} ./stratus cleanup --all +rm -rf stratus* ``` @@ -268,7 +275,157 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws

-## Atomic Test #5 - AWS CloudWatch Log Group Deletes +## Atomic Test #5 - AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus +This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ + +**Supported Platforms:** Linux, macOS + + +**auto_generated_guid:** 22d89a2f-d475-4895-b2d4-68626d49c029 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| stratus_path | Path of stratus binary | Path | $PathToAtomicsFolder/T1562.008/src| +| aws_region | AWS region to detonate | String | us-west-2| + + +#### Attack Commands: Run with `sh`! + + +```sh +export AWS_REGION=#{aws_region} +cd #{stratus_path} +echo "starting warmup" +./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule +echo "starting detonate" +./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force +``` + +#### Cleanup Commands: +```sh +export AWS_REGION=#{aws_region} +echo "Cleanup detonation" +cd #{stratus_path} +./stratus cleanup --all +rm -rf stratus* +``` + + + +#### Dependencies: Run with `sh`! 
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus) +##### Check Prereq Commands: +```sh +if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +if [ "$(uname)" == "Darwin" ] +then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ +elif [ "$(expr substr $(uname) 1 5)" == "Linux" ] +then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ +fi +``` +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + + +
+
+ +## Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus +This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ + +**Supported Platforms:** Linux, macOS + + +**auto_generated_guid:** 93c150f5-ad7b-4ee3-8992-df06dec2ac79 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| stratus_path | Path of stratus binary | Path | $PathToAtomicsFolder/T1562.008/src| +| aws_region | AWS region to detonate | String | us-west-2| + + +#### Attack Commands: Run with `sh`! + + +```sh +export AWS_REGION=#{aws_region} +cd #{stratus_path} +echo "starting warmup" +./stratus warmup aws.defense-evasion.vpc-remove-flow-logs +echo "starting detonate" +./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force +``` + +#### Cleanup Commands: +```sh +export AWS_REGION=#{aws_region} +echo "Cleanup detonation" +cd #{stratus_path} +./stratus cleanup --all +rm -rf stratus* +``` + + + +#### Dependencies: Run with `sh`! 
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus) +##### Check Prereq Commands: +```sh +if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +if [ "$(uname)" == "Darwin" ] +then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ +elif [ "$(expr substr $(uname) 1 5)" == "Linux" ] +then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ +fi +``` +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + + +
+
+ +## Atomic Test #7 - AWS - CloudWatch Log Group Deletes Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion @@ -318,7 +475,57 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws

-## Atomic Test #6 - AWS CloudWatch Log Stream Deletes +## Atomic Test #8 - AWS - CloudWatch Log Stream Deletes +Creates a new CloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by +deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 89422c87-b57b-4a04-a12a-802bb11d06121 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| cloudwatch_log_group_name | Name of the cloudWatch log group | String | log-test| +| region | Name of the region | String | us-east-1| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Created ***" +aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json +echo "*** Log Group Deleted ***" +``` + + + + +#### Dependencies: Run with `sh`! +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + + +
+
+ +## Atomic Test #9 - AWS CloudWatch Log Stream Deletes Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
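Review bot: in the index.csv hunk, the new row 8 (`AWS - CloudWatch Log Stream Deletes`) carries guid `89422c87-b57b-4a04-a12a-802bb11d06121`, whose last group has 13 hex digits instead of 12; it is not a valid UUID and is a hand-edited variant of row 7's `89422c87-b57b-4a04-a8ca-802bb9d06121`. Row 9 is the existing Log Stream test (`33ca84bc-4259-4943-bd36-4655dc420932`) under its old name, so the index now lists two "Log Stream Deletes" entries. Suggest dropping row 8, renaming row 9 to `AWS - CloudWatch Log Stream Deletes` to match the other renamed rows, and renumbering so the csv agrees with index.yaml.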
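Review bot: the linux-index.csv hunk mirrors index.csv and has the same defect: row 8 is the duplicate with the malformed guid (`...-a12a-802bb11d06121`) and row 9 is the existing Log Stream test with the old name. Fix the source test list once and regenerate both csv indexes together so they stay in step.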
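Review bot: in the index.md hunk, `Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws]` and `Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws]` are two entries for what should be one test, and #8 points at the block in index.yaml whose body is a log group test. Keep a single Log Stream entry with the `AWS - ` prefix and renumber.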
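Review bot: the linux-index.md hunk repeats the index.md problem (duplicate #8/#9 Log Stream entries, #9 without the `AWS - ` prefix); regenerate it together with index.md after the duplicate is removed.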
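Review bot: in the @@ -21464 hunk of index.yaml the description now says "a tool called Stratus-Red-Team" and, in the very next sentence, "Stratus Red Team"; the hyphenated form is the GitHub repository slug rather than the tool's name, so keep "Stratus Red Team" in prose (or `stratus-red-team` in code font when referring to the repo). The same sentence is duplicated in the T1562.008.md @@ -194 hunk and should be changed in step.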
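Review bot: the block added in the @@ -21563 hunk of index.yaml (`AWS - CloudWatch Log Stream Deletes`, guid `89422c87-b57b-4a04-a12a-802bb11d06121`) is a copy of the Log Group Deletes test, not a log stream test: its description says it creates and then deletes a log group, its only input is `cloudwatch_log_group_name`, and its executor runs `aws logs create-log-group` / `aws logs delete-log-group`, never a log-stream call. The guid is also not a valid UUID (13 hex digits in the final group) and is a hand-edited variant of the Log Group test's `89422c87-b57b-4a04-a8ca-802bb9d06121`, which will confuse anything that keys on guids. The genuine Log Stream test (`33ca84bc-4259-4943-bd36-4655dc420932`) is still present as #9 directly below. Drop this block and, if the point was the naming convention, rename the existing #9 to `AWS - CloudWatch Log Stream Deletes` instead.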
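Review bot: the table of contents in the T1562.008.md @@ -6 hunk ends with two Log Stream entries (#8 and #9); once the duplicate is removed from index.yaml the list should go back to eight entries, and the remaining Log Stream entry should carry the `AWS - ` prefix with the matching `#atomic-test-8---aws---cloudwatch-log-stream-deletes` anchor, as the other renamed entries do.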
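Review bot: in the @@ -268,7 +275,157 hunk of T1562.008.md the new Atomic Test #5 section opens with "This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket", which needs rewording (for example "uses Stratus Red Team to first set up CloudTrail logging to an S3 bucket, then update the bucket's lifecycle rule to expire objects after 1 day"), and contains "actiivity" and a lowercase "ref:" where tests #4 and #6 use "Ref:". The dependency text "Check if ~/.aws/credentials file has a default stanza is configured" and "defult profile" are repeated verbatim in both new sections. Since these sections duplicate the index.yaml descriptions, fix the wording there and let the markdown follow so the two files do not drift.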
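Review bot: the Atomic Test #8 section added in the @@ -318,7 +475,57 hunk of T1562.008.md is the Log Group Deletes section under a Log Stream heading: same description ("it will Delete the group"), same `cloudwatch_log_group_name` input, same `create-log-group` / `delete-log-group` commands, and the malformed guid `89422c87-b57b-4a04-a12a-802bb11d06121`. Remove the section; the Atomic Test #9 section below it is the actual stream test and only needs the `AWS - ` prefix.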