From b80b06ad72e7018c0f321fa9067b7d2c96828545 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:21:45 +0530
Subject: [PATCH 01/13] Update T1580.yaml

AWS - EC2 Security Group Enumeration Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment.
---
 atomics/T1580/T1580.yaml | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index c698d3e9..a69baa55 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -54,3 +54,44 @@ atomic_tests:
 rm -rf stratus*
 name: sh
 elevation_required: false
+
+- name: AWS - EC2 Security Group Enumeration
+ description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
+ supported_platforms:
+ - Linux
+ - macOS
+ - Windows
+ - IaaS: AWS
+ input_arguments:
+ aws_profile:
+ description: AWS CLI profile name
+ type: string
+ default: default
+ output_format:
+ description: Desired output format (text, table, json)
+ type: string
+ default: json
+
+ executor:
+ name: command_prompt
+ command: |
+ aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
+
+ dependencies:
+ - description: AWS CLI installed and configured with the necessary access rights.
+ get_prereq_command: |
+ if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
+ curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
+ elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
+ Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
+ fi
+ - description: Check if AWS CLI is installed and configured.
+ prereq_command: |
+ aws sts get-caller-identity --profile #{aws_profile}
+
+ cleanup_commands:
+ - description: No specific cleanup required as this test only reads information.
+
+ notes:
+ - Ensure that this test is conducted in a controlled environment to prevent accidental exposure of sensitive information.
+ - The effectiveness of this test relies on the permissions associated with the AWS profile used. It should have read access to EC2 security groups.

From 8ec468e6e26c27317927773f39ea1ed840da95b3 Mon Sep 17 00:00:00 2001
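Review bot: The first dependency's `get_prereq_command` downloads `https://aws.amazon.com/cli/`, which is a documentation page rather than an installer script, and executes the response with `sh` (the MINGW branch likewise calls the PowerShell cmdlet `Invoke-WebRequest` from inside a POSIX `if`), so it cannot install the CLI and runs whatever the server returns. A remediation step should not pipe an unverified download into a shell; have it report the unmet prerequisite on stderr and `exit 1` so the operator installs the CLI deliberately, as in the fence below. `executor.name: command_prompt` also contradicts the `sh`-syntax dependency commands and the `name: sh` executor of the preceding test visible in the hunk's context lines, and once PATCH 07 narrows `supported_platforms` to `iaas:aws`, `name: sh` is the consistent choice. The enclosing `atomic_tests` list begins outside the hunk.
```yaml
  executor:
    name: sh
    # … unchanged: command …

  dependencies:
  - description: AWS CLI installed and configured with the necessary access rights.
    prereq_command: |
      command -v aws
    get_prereq_command: |
      echo "AWS CLI is not installed; install it from the official AWS CLI distribution and rerun the test." >&2
      exit 1
  # … unchanged: second dependency (aws sts get-caller-identity check) …
```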
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:27:31 +0530
Subject: [PATCH 02/13] Update T1580.yaml

updated supported_platforms: iass:aws
---
 atomics/T1580/T1580.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index a69baa55..2ff86e27 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -61,7 +61,7 @@ atomic_tests:
 - Linux
 - macOS
 - Windows
- - IaaS: AWS
+ - IaaS:aws
 input_arguments:
 aws_profile:
 description: AWS CLI profile name

From 1ba98b5f23706733e1ffdab86aeee2c75f92b48f Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:29:17 +0530
Subject: [PATCH 03/13] Update T1580.yaml

updated : supported_platforms: - windows - macos - linux - iaas:aws
---
 atomics/T1580/T1580.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 2ff86e27..9fccb677 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -58,9 +58,9 @@ atomic_tests:
 - name: AWS - EC2 Security Group Enumeration
 description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
 supported_platforms:
- - Linux
+ - linux
 - macOS
- - Windows
+ - windows
 - IaaS:aws
 input_arguments:
 aws_profile:

From 6796db1ee1e6acdb5f20648e4cc8874baf6afbe6 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:31:00 +0530
Subject: [PATCH 04/13] Update T1580.yaml

---
 atomics/T1580/T1580.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 9fccb677..f07a9b9c 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -59,7 +59,7 @@ atomic_tests:
 description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
 supported_platforms:
 - linux
- - macOS
+ - macos
 - windows
 - IaaS:aws
 input_arguments:

From 73b75c2db7e3971dbef286d6d5ab31ef4a23e6bd Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:32:39 +0530
Subject: [PATCH 05/13] Update T1580.yaml

---
 atomics/T1580/T1580.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index f07a9b9c..186cb5f0 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -61,7 +61,7 @@ atomic_tests:
 - linux
 - macos
 - windows
- - IaaS:aws
+ - iaas:aws
 input_arguments:
 aws_profile:
 description: AWS CLI profile name

From 13da08ba97972907a94f64384b55107d6cf43ce2 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Thu, 18 Jan 2024 14:37:01 +0530
Subject: [PATCH 06/13] Update T1580.yaml

updated with dependencies: - description: AWS CLI installed and configured with the necessary access rights. prereq_command: type aws || aws --version get_prereq_command: | if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1 fi
---
 atomics/T1580/T1580.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 186cb5f0..d8df03e9 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -79,6 +79,7 @@ atomic_tests:
 
 dependencies:
 - description: AWS CLI installed and configured with the necessary access rights.
+ prereq_command: type aws || aws --version
 get_prereq_command: |
 if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
 curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh

From 5348c67b517a20256cff5a8a22c700973bb23185 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Fri, 19 Jan 2024 00:12:24 +0530
Subject: [PATCH 07/13] Update T1580.yaml

removed un supported formats
---
 atomics/T1580/T1580.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index d8df03e9..0098f08d 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -58,9 +58,6 @@ atomic_tests:
 - name: AWS - EC2 Security Group Enumeration
 description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
 supported_platforms:
- - linux
- - macos
- - windows
 - iaas:aws
 input_arguments:
 aws_profile:

From d626e7ed296feb74c78b3c1895a37fc5ce631107 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Fri, 19 Jan 2024 00:27:12 +0530
Subject: [PATCH 08/13] Update T1580.yaml

---
 atomics/T1580/T1580.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 0098f08d..81a41653 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
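Review bot: The added `prereq_command: type aws || aws --version` has a dead fallback: when `type aws` fails, `aws --version` fails for the same reason, and when it succeeds the right-hand side never runs, so the exit status is exactly that of `type aws`. `command -v aws` is the portable POSIX check, and writing it as a block scalar (`prereq_command: |`) would match the style of the second dependency's `prereq_command`. Note that these are `sh` constructs while the executor declared in the PATCH 01 hunk is `command_prompt`, where `type` is cmd.exe's file-printing command and would look for a file named `aws` instead. The dependency mapping continues outside the hunk.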
@@ -86,6 +86,10 @@ atomic_tests:
 - description: Check if AWS CLI is installed and configured.
 prereq_command: |
 aws sts get-caller-identity --profile #{aws_profile}
+ get_prereq_command: |
+ if ! aws sts get-caller-identity --profile #{aws_profile}; then
+ echo "AWS CLI not properly configured. Please configure AWS CLI."
+ fi
 
 cleanup_commands:
 - description: No specific cleanup required as this test only reads information.

From 8a1987a42ad307060e05a674ef9db26dc1179511 Mon Sep 17 00:00:00 2001
From: publish bot
Date: Sat, 20 Jan 2024 20:48:12 +0000
Subject: [PATCH 09/13] updating atomics count in README.md [ci skip]

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bfd8a281..7d034d62 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ # Atomic Red Team
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1504-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1507-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 Atomic Red Team™ is a library of tests mapped to the [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

From d50ce7648b335558febc331686bff5656f2e1616 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Sun, 21 Jan 2024 09:50:36 +0530
Subject: [PATCH 10/13] Update T1580.yaml

removed notes and clean up command
---
 atomics/T1580/T1580.yaml | 5 -----
 1 file changed, 5 deletions(-)
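Review bot: The new `get_prereq_command` prints a message and then exits 0, because the `if` block's status is that of the last command run (`echo`) or 0 when the condition is false, so an unconfigured profile is reported as remediated instead of as a failure. Credentials cannot be provisioned by the test, so the block should send the message to stderr and fail explicitly: `echo "AWS CLI not properly configured. Please configure AWS CLI." >&2` followed by `exit 1` before `fi`. A sentence in the test description would also help operators running in monitored accounts: the `prereq_command` issues a real `sts:GetCallerIdentity` call, so the prerequisite check itself shows up in CloudTrail ahead of the `ec2:DescribeSecurityGroups` call the test is meant to exercise. The dependency list and `cleanup_commands` continue outside the hunk.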
diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 81a41653..d7139d31 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -90,10 +90,5 @@ atomic_tests:
 if ! aws sts get-caller-identity --profile #{aws_profile}; then
 echo "AWS CLI not properly configured. Please configure AWS CLI."
 fi
-
- cleanup_commands:
- - description: No specific cleanup required as this test only reads information.
-
- notes:
 - Ensure that this test is conducted in a controlled environment to prevent accidental exposure of sensitive information.
 - The effectiveness of this test relies on the permissions associated with the AWS profile used. It should have read access to EC2 security groups.

From 474cbdff8ab533ee28654c4f1fd3ca8a8a5e71ae Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Sun, 21 Jan 2024 09:52:49 +0530
Subject: [PATCH 11/13] Update T1580.yaml

---
 atomics/T1580/T1580.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index d7139d31..e5dec62d 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -90,5 +90,3 @@ atomic_tests:
 if ! aws sts get-caller-identity --profile #{aws_profile}; then
 echo "AWS CLI not properly configured. Please configure AWS CLI."
 fi
- - Ensure that this test is conducted in a controlled environment to prevent accidental exposure of sensitive information.
- - The effectiveness of this test relies on the permissions associated with the AWS profile used. It should have read access to EC2 security groups.

From 4841583e48f477eb67cdff3ec98efe59a5098ab4 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Mon, 22 Jan 2024 20:08:58 +0530
Subject: [PATCH 12/13] Update T1580.yaml

removed description
---
 atomics/T1580/T1580.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index e5dec62d..563f1eb0 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -83,7 +83,7 @@ atomic_tests:
 elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
 Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
 fi
- - description: Check if AWS CLI is installed and configured.
+ #Check if AWS CLI is installed and configured.
 prereq_command: |
 aws sts get-caller-identity --profile #{aws_profile}
 get_prereq_command: |

From ad4029be683a1f4e453ae2f82d1388807aee962b Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Mon, 22 Jan 2024 20:13:55 +0530
Subject: [PATCH 13/13] Update T1580.yaml

---
 atomics/T1580/T1580.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
index 563f1eb0..e5dec62d 100644
--- a/atomics/T1580/T1580.yaml
+++ b/atomics/T1580/T1580.yaml
@@ -83,7 +83,7 @@ atomic_tests:
 elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
 Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
 fi
- #Check if AWS CLI is installed and configured.
+ - description: Check if AWS CLI is installed and configured.
 prereq_command: |
 aws sts get-caller-identity --profile #{aws_profile}
 get_prereq_command: |