Merge pull request #2314 from 0xv1n/cloud-discovery

Begin T1580 Coverage - AWS

atomics/T1580/T1580.yaml

@@ -0,0 +1,54 @@
+attack_technique: T1580
+display_name: 'Cloud Infrastructure Discovery'
+atomic_tests:
+- name: AWS - EC2 Enumeration from Cloud Instance
+  description: |
+    This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: path
+      default: $PathToAtomicsFolder/T1580/src
+    aws_region:
+      description: AWS region to detonate
+      type: string
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      if [ "$(uname)" = "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi 
+  - description: |
+      Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+      cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+      echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region}
+      cd #{stratus_path}
+      echo "Stratus: Start Warmup."
+      ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+      echo "Stratus: Start Detonate."
+      ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+    cleanup_command: |
+      cd #{stratus_path}
+      echo "Stratus: Start Cleanup."
+      ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+      echo "Removing Stratus artifacts from local machine."
+      rm -rf stratus*
+    name: sh
+    elevation_required: false