From 9c20512b681fda677ae0864e7865230245e674a2 Mon Sep 17 00:00:00 2001
From: 0xv1n <11021725+0xv1n@users.noreply.github.com>
Date: Sat, 4 Feb 2023 13:59:57 -0500
Subject: [PATCH 1/4] Begin T1580 Coverage - AWS

This commit adds coverage for AWS Cloud Discovery commands run from EC2. Stratus is utilized to spin up and tear down needed testing infrastructure, similar to other cloud coverage in the ART repo previously.
---
 atomics/T1580/T1580.yaml | 56 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 atomics/T1580/T1580.yaml

diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
new file mode 100644
index 00000000..e81896ac
--- /dev/null
+++ b/atomics/T1580/T1580.yaml
@@ -0,0 +1,56 @@
+attack_technique: T1580
+display_name: 'Cloud Infrastructure Discovery'
+atomic_tests:
+- name: AWS - EC2 Enumeration from Cloud Instance
+ description: |
+ This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ stratus_path:
+ description: Path of stratus binary
+ type: Path
+ default: $PathToAtomicsFolder/T1580/src
+ aws_region:
+ description: AWS region to detonate
+ type: String
+ default: us-west-2
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Stratus binary must be present at the (#{stratus_path}/stratus)
+ prereq_command: |
+ if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ if [ "$(uname)" == "Darwin" ]
+ then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+ elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+ then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"'
-f 4) + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ + fi + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + executor: + command: | + export AWS_REGION=#{aws_region} + cd #{stratus_path} + echo "starting warmup" + ./stratus warmup aws.discovery.ec2-enumerate-from-instance + echo "starting detonate" + ./stratus detonate aws.discovery.ec2-enumerate-from-instance --force + cleanup_command: | + export AWS_REGION=#{aws_region} + + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false From 39be578f27967bcd3ad7d408c9c4897c71d4641c Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Mon, 27 Feb 2023 12:51:02 -0500 Subject: [PATCH 2/4] updating T1580 --- atomics/T1580/T1580.yaml | 47 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml index e81896ac..83b1563e 100644 --- a/atomics/T1580/T1580.yaml +++ b/atomics/T1580/T1580.yaml 
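Review bot: In cleanup_command, `cd #{stratus_path}` is unquoted and its exit status is not checked, and the `sh` executor has no `set -e`, so when the path contains a space or does not exist the following `rm -rf stratus*` runs in whatever directory the atomic was launched from; change it to `cd "#{stratus_path}" || exit 1` and quote the other `#{stratus_path}` expansions (the wget, tar and executor `cd` lines) the same way. The rewritten cleanup_command in the second patch of this series (@@ -10,47 +11,45 @@) keeps the same unchecked `cd`. A smaller point: `cat ~/.aws/credentials | grep "default"` only recognises a file-based default profile, so credentials supplied through environment variables or SSO fail the prerequisite even though the SDK would accept them; `aws sts get-caller-identity > /dev/null` tests what the detonation actually needs, given that the get_prereq message already asks for the aws-cli.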
@@ -1,7 +1,8 @@ -attack_technique: T1580 +attack_technique: T1580 display_name: 'Cloud Infrastructure Discovery' atomic_tests: - name: AWS - EC2 Enumeration from Cloud Instance + auto_generated_guid: description: | This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/ supported_platforms: 
@@ -10,47 +11,45 @@ atomic_tests: input_arguments: stratus_path: description: Path of stratus binary - type: Path - default: $PathToAtomicsFolder/T1580/src + type: path + default: /home/clouddev/AtomicRedTeam/atomics/T1580/bin aws_region: description: AWS region to detonate - type: String + type: string default: us-west-2 dependency_executor_name: sh dependencies: - description: | Stratus binary must be present at the (#{stratus_path}/stratus) prereq_command: | - if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; + if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi get_prereq_command: | - if [ "$(uname)" == "Darwin" ] - then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + if [ "$(uname)" = "Darwin" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ - elif [ "$(expr substr $(uname) 1 5)" == "Linux" ] - then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) - wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + elif [ "$(expr substr $(uname) 1 5)" = "Linux" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ - fi + fi - description: | - Check if ~/.aws/credentials file has a 
default stanza is configured + Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | - cat ~/.aws/credentials | grep "default" + cat ~/.aws/credentials | grep "default" get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + echo "Please install the aws-cli and configure your AWS default profile using: aws configure" executor: command: | - export AWS_REGION=#{aws_region} - cd #{stratus_path} - echo "starting warmup" - ./stratus warmup aws.discovery.ec2-enumerate-from-instance - echo "starting detonate" - ./stratus detonate aws.discovery.ec2-enumerate-from-instance --force - cleanup_command: | export AWS_REGION=#{aws_region} - - echo "Cleanup detonation" cd #{stratus_path} - ./stratus cleanup --all + echo "Stratus: Start Warmup." + ./stratus warmup aws.discovery.ec2-enumerate-from-instance + echo "Stratus: Start Detonate." + ./stratus detonate aws.discovery.ec2-enumerate-from-instance + cleanup_command: | + cd #{stratus_path} + echo "Stratus: Start Cleanup." + ./status cleanup aws.discovery.ec2-enumerate-from-instance + echo "Removing Stratus artifacts from local machine." rm -rf stratus* name: sh elevation_required: false From 266a3f4321ae98d3f7e565ab891dfae862294a4c Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Mon, 27 Feb 2023 13:32:47 -0500 Subject: [PATCH 3/4] typo --- atomics/T1580/T1580.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml index 83b1563e..64049281 100644 --- a/atomics/T1580/T1580.yaml +++ b/atomics/T1580/T1580.yaml @@ -48,7 +48,7 @@ atomic_tests: cleanup_command: | cd #{stratus_path} echo "Stratus: Start Cleanup." - ./status cleanup aws.discovery.ec2-enumerate-from-instance + ./stratus cleanup aws.discovery.ec2-enumerate-from-instance echo "Removing Stratus artifacts from local machine." rm -rf stratus* name: sh 
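Review bot: The rewritten cleanup_command drops the `export AWS_REGION=#{aws_region}` line that the replaced version had while command still sets it, so if cleanup_command runs as its own shell (each block here is a separate script, so I assume it does not inherit variables from command) `./stratus cleanup aws.discovery.ec2-enumerate-from-instance` runs without the region the warmup used unless the caller's profile provides one; restore `export AWS_REGION=#{aws_region}` as the first line of cleanup_command. In get_prereq_command the release lookup uses curl but the download uses wget, which macOS does not ship even though macos is listed under supported_platforms; `curl -sL -o "#{stratus_path}/stratus-red-team-latest.tar.gz" "$DOWNLOAD_URL"` keeps the prerequisite to one tool. The archive is then extracted and executed with no integrity check and is fetched from the moving releases/latest endpoint, so the binary that runs with the operator's AWS credentials can change silently between runs; pinning a release tag and comparing the download against a published checksum (I have not confirmed the project publishes one) would make the prerequisite reproducible and tamper-evident.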
From 1a12e7dc3ef30f62edf2bb743ea8ae4994b34fb6 Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Mon, 27 Feb 2023 14:25:02 -0500 Subject: [PATCH 4/4] Update T1580.yaml --- atomics/T1580/T1580.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml index 64049281..38f91106 100644 --- a/atomics/T1580/T1580.yaml +++ b/atomics/T1580/T1580.yaml @@ -2,7 +2,6 @@ attack_technique: T1580 display_name: 'Cloud Infrastructure Discovery' atomic_tests: - name: AWS - EC2 Enumeration from Cloud Instance - auto_generated_guid: description: | This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/ supported_platforms: @@ -12,7 +11,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: /home/clouddev/AtomicRedTeam/atomics/T1580/bin + default: $PathToAtomicsFolder/T1580/src aws_region: description: AWS region to detonate type: string
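Review bot: The restored default `$PathToAtomicsFolder/T1580/src` is also the directory get_prereq_command downloads into with `wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz`, but nothing creates it and this series adds only T1580.yaml, so on a fresh checkout the download fails with a missing-directory error before the prerequisite can be satisfied; add `mkdir -p "#{stratus_path}"` before the download (get_prereq_command lies outside this hunk). If the intent is for the prerequisite to work out of the box, a one-line comment on stratus_path noting that the directory is created and emptied by the prereq and cleanup steps would help the next reader.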