From c1474350a71cef989d8c28c265b0f8b663ecdaa2 Mon Sep 17 00:00:00 2001
From: RedinDisguise
Date: Wed, 12 Jul 2023 12:29:35 -0400
Subject: [PATCH 1/4] Update T1562.008.yaml

---
 atomics/T1562.008/T1562.008.yaml | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index d1ba724e..8e809d07 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
@@ -475,4 +475,32 @@ atomic_tests:
 prereq_command: |
 gcloud config get-value account
 get_prereq_command: |
- gcloud auth login --no-launch-browser
\ No newline at end of file
+ gcloud auth login --no-launch-browser
+- name: AWS - GuardDuty Suspension or Deletion
+ auto_generated_guid:
+ description: |
+ Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ region:
+ description: Name of the specified region
+ type: string
+ default: us-east-1
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+ executor:
+ command: |
+ detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
+ aws guardduty update-detector --no-enable --detector-id $detectorId
+ aws guardduty delete-detector --detector-id $detectorId
+ cleanup_command: |
+ echo "If test successfully ran, no cleanup required."
+ name: bash
+ elevation_required: false

From 9faa7acc178ca23e48169bf693a77b5fc1101210 Mon Sep 17 00:00:00 2001
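Review bot: The `update-detector` and `delete-detector` lines in the new executor carry no `--region "#{region}"` while `create-detector` does, so whenever the profile's default region differs from `#{region}` the two follow-up calls look for the detector in another region and fail, leaving the detector that was just created enabled. The same block is re-added unchanged in the PATCH 4/4 hunk for atomics/T1562.001/T1562.001.yaml (the PATCH 3/4 hunk only removes it from T1562.008.yaml), so the fix belongs there as well. I would also replace the `grep -oP` parsing, which needs GNU grep built with PCRE and is not available in BSD/macOS grep, with the CLI's own output selection: `detectorId=$(aws guardduty create-detector --enable --region "#{region}" --query DetectorId --output text)`, `aws guardduty update-detector --no-enable --detector-id "$detectorId" --region "#{region}"` and `aws guardduty delete-detector --detector-id "$detectorId" --region "#{region}"`. The prereq `cat ~/.aws/credentials | grep "default"` rejects usable credentials supplied through environment variables, SSO or an instance role and accepts any file that merely contains the word default; `aws sts get-caller-identity --region "#{region}"` checks that the CLI can actually authenticate.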
From: RedinDisguise
Date: Wed, 12 Jul 2023 12:45:00 -0400
Subject: [PATCH 2/4] Update T1562.008.yaml

Removing guid field.
---
 atomics/T1562.008/T1562.008.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index 8e809d07..63ca0091 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
@@ -477,7 +477,6 @@ atomic_tests:
 get_prereq_command: |
 gcloud auth login --no-launch-browser
 - name: AWS - GuardDuty Suspension or Deletion
- auto_generated_guid:
 description: |
 Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
 supported_platforms:

From bfd59b94b9f145ece646b17acdab117e88d0999e Mon Sep 17 00:00:00 2001
From: RedinDisguise
Date: Wed, 26 Jul 2023 15:11:07 -0400
Subject: [PATCH 3/4] Update T1562.008.yaml

---
 atomics/T1562.008/T1562.008.yaml | 27 ---------------------------
 1 file changed, 27 deletions(-)

diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index 63ca0091..b4f9227d 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
@@ -476,30 +476,3 @@ atomic_tests:
 gcloud config get-value account
 get_prereq_command: |
 gcloud auth login --no-launch-browser
-- name: AWS - GuardDuty Suspension or Deletion
- description: |
- Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
- supported_platforms:
- - iaas:aws
- input_arguments:
- region:
- description: Name of the specified region
- type: string
- default: us-east-1
- dependency_executor_name: bash
- dependencies:
- - description: |
- Check if ~/.aws/credentials file has a default stanza is configured
- prereq_command: |
- cat ~/.aws/credentials | grep "default"
- get_prereq_command: |
- echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
- executor:
- command: |
- detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
- aws guardduty update-detector --no-enable --detector-id $detectorId
- aws guardduty delete-detector --detector-id $detectorId
- cleanup_command: |
- echo "If test successfully ran, no cleanup required."
- name: bash
- elevation_required: false

From ef1d5049bab25e765b1600d9f798fe6a532dedcd Mon Sep 17 00:00:00 2001
From: RedinDisguise
Date: Wed, 26 Jul 2023 15:11:34 -0400
Subject: [PATCH 4/4] Update T1562.001.yaml

---
 atomics/T1562.001/T1562.001.yaml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index cfe10abb..3bb722d1 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -890,4 +890,31 @@ atomic_tests:
 cleanup_command: |
 REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: AWS - GuardDuty Suspension or Deletion
+ description: |
+ Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ region:
+ description: Name of the specified region
+ type: string
+ default: us-east-1
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+ executor:
+ command: |
+ detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
+ aws guardduty update-detector --no-enable --detector-id $detectorId
+ aws guardduty delete-detector --detector-id $detectorId
+ cleanup_command: |
+ echo "If test successfully ran, no cleanup required."
+ name: bash
+ elevation_required: false