From 69ce78765dcaace3a4fb00326e3cb8ba7e7af352 Mon Sep 17 00:00:00 2001
From: shou-ga-nai <117028779+shou-ga-nai@users.noreply.github.com>
Date: Wed, 30 Apr 2025 07:38:13 +0900
Subject: [PATCH] Add T1578.001 - Cloud Snapshot Creation Tests (AWS, Azure, GCP) (#3103)

Co-authored-by: Hare Sudhan
Co-authored-by: Bhavin Patel
---
 atomics/T1578.001/T1578.001.md | 121 ++++++++++++++++++++++++++++
 atomics/T1578.001/T1578.001.yaml | 133 +++++++++++++++++++++++++++++++
 2 files changed, 254 insertions(+)
 create mode 100644 atomics/T1578.001/T1578.001.md
 create mode 100644 atomics/T1578.001/T1578.001.yaml

diff --git a/atomics/T1578.001/T1578.001.md b/atomics/T1578.001/T1578.001.md
new file mode 100644
index 00000000..92a36440
--- /dev/null
+++ b/atomics/T1578.001/T1578.001.md
@@ -0,0 +1,121 @@
+# T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1578/001)
+
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidenc...
+
+An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - Create EBS Snapshot](#atomic-test-1---aws---create-ebs-snapshot)
+- [Atomic Test #2 - Azure - Create Managed Disk Snapshot](#atomic-test-2---azure---create-managed-disk-snapshot)
+- [Atomic Test #3 - GCP - Create Persistent Disk Snapshot](#atomic-test-3---gcp---create-persistent-disk-snapshot)
+
+
+
+## Atomic Test #1 - AWS - Create EBS Snapshot
+Creates a snapshot of a specified EBS volume in AWS.
+
+**Supported Platforms:** iaas:aws
+
+**auto_generated_guid:** 1dbd9e45-2be4-4924-83b3-ff6a1cd106a7
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| aws_volume_id | The AWS EBS Volume ID to create a snapshot from | string | vol-0123456789abcdef0 |
+| aws_region | AWS region where the volume is located | string | us-east-1 |
+
+#### Attack Commands: Run with `sh`!
+```sh
+aws ec2 create-snapshot --region \#{aws_region} --volume-id \#{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
+```
+
+#### Cleanup Commands:
+```sh
+SNAPSHOT_ID=$(aws ec2 describe-snapshots --region \#{aws_region} --filters "Name=volume-id,Values=\#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
+aws ec2 delete-snapshot --region \#{aws_region} --snapshot-id "$SNAPSHOT_ID"
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: AWS CLI must be installed
+```sh
+command -v aws
+```
+##### Description: The specified EBS volume must exist
+```sh
+aws ec2 describe-volumes --volume-ids \#{aws_volume_id} --region \#{aws_region}
+```
+
+

+
+## Atomic Test #2 - Azure - Create Managed Disk Snapshot
+Creates a snapshot of a managed disk in Azure.
+
+**Supported Platforms:** iaas:azure
+
+**auto_generated_guid:** 5c5b1e22-38d9-4f70-97c5-2bc31d32ab29
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| azure_disk_name | The Azure disk name | string | myDiskName |
+| azure_resource_group | The Azure resource group where the disk is located | string | myResourceGroup |
+| azure_snapshot_name | The Azure snapshot name | string | mySnapshotName |
+
+#### Attack Commands: Run with `sh`!
+```sh
+az snapshot create --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name} --source \#{azure_disk_name} --location eastus
+```
+
+#### Cleanup Commands:
+```sh
+az snapshot delete --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name}
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: Azure CLI must be installed
+```sh
+command -v az
+```
+##### Description: The specified disk must exist
+```sh
+az disk show --resource-group \#{azure_resource_group} --name \#{azure_disk_name}
+```
+
+

+
+## Atomic Test #3 - GCP - Create Persistent Disk Snapshot
+Creates a snapshot of a persistent disk in Google Cloud Platform.
+
+**Supported Platforms:** iaas:gcp
+
+**auto_generated_guid:** 902c61df-c1bc-4e8b-9aa0-55e2e68e0934
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| gcp_disk_name | The Google Cloud disk name | string | myDiskName |
+| gcp_zone | The GCP zone where the disk is located | string | us-central1-a |
+| gcp_snapshot_name | The Google Cloud snapshot name | string | mySnapshotName |
+
+#### Attack Commands: Run with `sh`!
+```sh
+gcloud compute snapshots create \#{gcp_snapshot_name} --source-disk=\#{gcp_disk_name} --zone=\#{gcp_zone}
+```
+
+#### Cleanup Commands:
+```sh
+gcloud compute snapshots delete \#{gcp_snapshot_name} --quiet
+```
+
+#### Dependencies: Run with `sh`!
+##### Description: GCloud CLI must be installed
+```sh
+command -v gcloud
+```
+##### Description: The specified disk must exist
+```sh
+gcloud compute disks describe \#{gcp_disk_name} --zone=\#{gcp_zone}
+```
+
+
diff --git a/atomics/T1578.001/T1578.001.yaml b/atomics/T1578.001/T1578.001.yaml
new file mode 100644
index 00000000..0805990a
--- /dev/null
+++ b/atomics/T1578.001/T1578.001.yaml
@@ -0,0 +1,133 @@ +attack_technique: T1578.001 +display_name: "Modify Cloud Compute Infrastructure: Create Snapshot" +atomic_tests: +- name: AWS - Create Snapshot from EBS Volume + auto_generated_guid: + description: | + Creates an EBS snapshot in AWS using the AWS CLI. + This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration. + supported_platforms: + - iaas:aws + input_arguments: + aws_region: + description: AWS region where the volume is located. + type: string + default: us-east-1 + aws_volume_id: + description: The AWS EBS Volume ID to create a snapshot from. + type: string + default: vol-0123456789abcdef0 + dependencies: + - description: AWS CLI must be installed. + prereq_command: | + if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html" + - description: AWS CLI must be authenticated. + prereq_command: | + if aws sts get-caller-identity --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Configure AWS credentials with: aws configure" + - description: EBS volume must exist. + prereq_command: | + if aws ec2 describe-volumes --volume-ids #{aws_volume_id} --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Ensure the volume ID exists in the target AWS account and region." 
+ executor: + name: sh + elevation_required: false + command: | + aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text + cleanup_command: | + SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text) + if [ "$SNAPSHOT_ID" != "None" ]; then + aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID" + fi + +- name: Azure - Create Snapshot from Managed Disk + auto_generated_guid: + description: | + Creates a snapshot of a managed disk in Azure using the Azure CLI. + Simulates adversary snapshotting behavior for persistence or data duplication. + supported_platforms: + - iaas:azure + input_arguments: + azure_resource_group: + description: The Azure resource group where the disk is located. + type: string + default: myResourceGroup + azure_disk_name: + description: The Azure disk name. + type: string + default: myDiskName + azure_snapshot_name: + description: The Azure snapshot name. + type: string + default: mySnapshotName + dependencies: + - description: Azure CLI must be installed. + prereq_command: | + if command -v az > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli" + - description: Azure CLI must be authenticated. + prereq_command: | + if az account show > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Login with: az login" + - description: Azure disk must exist. + prereq_command: | + if az disk show --resource-group #{azure_resource_group} --name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Ensure the disk exists in the given resource group." 
+ executor: + name: sh + elevation_required: false + command: | + az snapshot create --resource-group #{azure_resource_group} --name #{azure_snapshot_name} --source #{azure_disk_name} --location eastus + cleanup_command: | + az snapshot delete --resource-group #{azure_resource_group} --name #{azure_snapshot_name} + +- name: GCP - Create Snapshot from Persistent Disk + auto_generated_guid: + description: | + Creates a snapshot of a persistent disk in GCP using the gcloud CLI. + Emulates adversary behavior to gain access to volume data or replicate environment state. + supported_platforms: + - iaas:gcp + input_arguments: + gcp_disk_name: + description: The Google Cloud disk name. + type: string + default: myDiskName + gcp_zone: + description: The Google Cloud zone where the disk is located. + type: string + default: us-central1-a + gcp_snapshot_name: + description: The Google Cloud snapshot name. + type: string + default: mySnapshotName + dependencies: + - description: gcloud CLI must be installed. + prereq_command: | + if command -v gcloud > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install" + - description: gcloud CLI must be authenticated. + prereq_command: | + if gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep . > /dev/null; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Authenticate with: gcloud auth login" + - description: GCP disk must exist. + prereq_command: | + if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone} > /dev/null 2>&1; then exit 0; else exit 1; fi + get_prereq_command: | + echo "Ensure the disk exists in the specified zone." + executor: + name: sh + elevation_required: false + command: | + gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name} --zone=#{gcp_zone} + cleanup_command: | + gcloud compute snapshots delete #{gcp_snapshot_name} --quiet
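Review bot: The AWS `cleanup_command` in the first test can delete a snapshot the test never created: it takes `Snapshots[0]` of everything matching only the `volume-id` filter, so an operator's pre-existing snapshot of that volume is removed whenever it sorts first. Narrow the lookup to the snapshot this test labelled, e.g. `--filters "Name=volume-id,Values=#{aws_volume_id}" "Name=description,Values=Atomic Red Team Test Snapshot" --owner-ids self`, or capture the ID printed by `create-snapshot` rather than re-querying. The generated markdown is also out of sync with this YAML: all three `auto_generated_guid:` fields are empty here while the `.md` shows GUIDs, the test names differ (`AWS - Create Snapshot from EBS Volume` vs `AWS - Create EBS Snapshot`), and the `.md` omits the authentication dependencies — fill in the GUIDs and regenerate the `.md` from the YAML. In the Azure test `--location eastus` is hard-coded while the resource group is an input; a managed-disk snapshot is expected to live in the source disk's region, so either drop `--location` (the CLI then defaults to the resource group's location) or expose it as an `azure_location` input argument.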