Generated docs from job=generate-docs branch=master [ci skip]
This commit is contained in:
Atomic Red Team doc generator
@@ -1 +1 @@
|
||||
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
|
||||
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
|
||||
@@ -1 +1 @@
|
||||
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
|
||||
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
|
||||
File diff suppressed because one or more lines are too long
@@ -1,6 +1,8 @@
|
||||
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
|
||||
@@ -8,8 +10,10 @@ defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service
|
||||
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
|
||||
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
|
||||
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
|
||||
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
|
||||
impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
|
||||
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
|
||||
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
|
||||
discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
|
||||
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
|
||||
|
||||
|
@@ -18,6 +18,8 @@
|
||||
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
|
||||
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
|
||||
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
|
||||
- Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
|
||||
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
|
||||
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
|
||||
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
|
||||
- Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
|
||||
@@ -37,7 +39,8 @@
|
||||
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
|
||||
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
|
||||
- Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
|
||||
@@ -72,11 +75,12 @@
|
||||
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
|
||||
- Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
|
||||
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:azure]
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
|
||||
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
|
||||
- Atomic Test #11: Examine AWS Password Policy [iaas:aws]
|
||||
|
||||
@@ -623,9 +623,9 @@
|
||||
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
|
||||
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
|
||||
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
|
||||
- Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos]
|
||||
- Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
|
||||
- Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos]
|
||||
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
|
||||
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
|
||||
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
|
||||
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
|
||||
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
|
||||
@@ -1980,7 +1980,7 @@
|
||||
- Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
|
||||
- Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
|
||||
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
|
||||
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -2275,7 +2275,7 @@
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
|
||||
- Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos]
|
||||
- Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
|
||||
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
|
||||
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
|
||||
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
|
||||
@@ -2319,7 +2319,7 @@
|
||||
- Atomic Test #4: System Discovery using SharpView [windows]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:azure]
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
|
||||
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1057 Process Discovery](../../T1057/T1057.md)
|
||||
- Atomic Test #1: Process Discovery - ps [macos, linux]
|
||||
|
||||
@@ -519,7 +519,7 @@
|
||||
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
|
||||
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -506,7 +506,7 @@
|
||||
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
|
||||
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
|
||||
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -12752,6 +12752,132 @@ defense-evasion:
|
||||
terraform destroy -auto-approve
|
||||
name: sh
|
||||
elevation_required: false
|
||||
- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
|
||||
auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
|
||||
description: 'Update event selectors in AWS CloudTrail to disable the logging
|
||||
of certain management events to evade defense. This Atomic test leverages
|
||||
a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team).
|
||||
Stratus Red Team is a self-contained binary. You can use it to easily detonate
|
||||
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: "$PathToAtomicsFolder/T1562.008/src"
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
default: us-west-2
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
|
||||
1; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
|
||||
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
|
||||
defult profile using: aws configure
|
||||
|
||||
'
|
||||
executor:
|
||||
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
|
||||
warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-event-selectors\necho
|
||||
\"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-event-selectors
|
||||
--force\n"
|
||||
cleanup_command: |
|
||||
export AWS_REGION=#{aws_region}
|
||||
echo "Cleanup detonation"
|
||||
cd #{stratus_path}
|
||||
./stratus cleanup --all
|
||||
rm -rf stratus*
|
||||
name: sh
|
||||
elevation_required: false
|
||||
- name: AWS - Remove VPC Flow Logs using Stratus
|
||||
auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
|
||||
description: 'This Atomic will attempt to remove AWS VPC Flow Logs configuration.
|
||||
Stratus Red Team is a self-contained binary. You can use it to easily detonate
|
||||
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: "$PathToAtomicsFolder/T1562.008/src"
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
default: us-west-2
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
|
||||
1; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
|
||||
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
|
||||
defult profile using: aws configure
|
||||
|
||||
'
|
||||
executor:
|
||||
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
|
||||
warmup\"\n./stratus warmup aws.defense-evasion.vpc-remove-flow-logs\necho
|
||||
\"starting detonate\"\n./stratus detonate aws.defense-evasion.vpc-remove-flow-logs
|
||||
--force\n"
|
||||
cleanup_command: |
|
||||
export AWS_REGION=#{aws_region}
|
||||
echo "Cleanup detonation"
|
||||
cd #{stratus_path}
|
||||
./stratus cleanup --all
|
||||
rm -rf stratus*
|
||||
name: sh
|
||||
elevation_required: false
|
||||
- name: AWS - CloudWatch Log Group Deletes
|
||||
auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
|
||||
description: "Creates a new cloudWatch log group in AWS, Upon successful creation
|
||||
@@ -52151,7 +52277,73 @@ credential-access:
|
||||
x_mitre_attack_spec_version: 3.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1552
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: AWS - Retrieve EC2 Password Data using stratus
|
||||
auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c
|
||||
description: 'This atomic runs an API call GetPasswordData from a role that
|
||||
does not have permission to do so. This simulates an attacker attempting to
|
||||
retrieve RDP passwords on a high number of Windows EC2 instances. This atomic
|
||||
test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
|
||||
Stratus Red Team is a self-contained binary. You can use it to easily detonate
|
||||
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: "$PathToAtomicsFolder/T1552/src"
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
default: us-west-2
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
|
||||
1; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
|
||||
[ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget
|
||||
-q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar
|
||||
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
|
||||
defult profile using: aws configure
|
||||
|
||||
'
|
||||
executor:
|
||||
command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
|
||||
warmup\"\n./stratus warmup aws.credential-access.ec2-get-password-data\necho
|
||||
\"starting detonate\"\n./stratus detonate aws.credential-access.ec2-get-password-data
|
||||
--force\n"
|
||||
cleanup_command: |
|
||||
export AWS_REGION=#{aws_region}
|
||||
|
||||
echo "Cleanup detonation"
|
||||
cd #{stratus_path}
|
||||
./stratus cleanup --all
|
||||
rm -rf stratus*
|
||||
name: sh
|
||||
elevation_required: false
|
||||
T1139:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -57272,7 +57464,78 @@ discovery:
|
||||
x_mitre_attack_spec_version: 2.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1580
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: AWS - EC2 Enumeration from Cloud Instance
|
||||
auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
|
||||
description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
|
||||
iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
|
||||
ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
|
||||
from the context of an EC2 instance role. This simulates an attacker compromising
|
||||
an EC2 instance and running initial discovery commands on it. This atomic
|
||||
test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
|
||||
Stratus Red Team is a self-contained binary. You can use it to easily detonate
|
||||
offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
type: path
|
||||
default: "$PathToAtomicsFolder/T1580/src"
|
||||
aws_region:
|
||||
description: AWS region to detonate
|
||||
type: string
|
||||
default: us-west-2
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
|
||||
|
||||
'
|
||||
prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
|
||||
1; fi
|
||||
|
||||
'
|
||||
get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
|
||||
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
|
||||
\ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
|
||||
[ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
|
||||
-s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
|
||||
| grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
|
||||
wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
|
||||
\ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
|
||||
\n"
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
|
||||
default profile using: aws configure"
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
export AWS_REGION=#{aws_region}
|
||||
cd #{stratus_path}
|
||||
echo "Stratus: Start Warmup."
|
||||
./stratus warmup aws.discovery.ec2-enumerate-from-instance
|
||||
echo "Stratus: Start Detonate."
|
||||
./stratus detonate aws.discovery.ec2-enumerate-from-instance
|
||||
cleanup_command: |
|
||||
cd #{stratus_path}
|
||||
echo "Stratus: Start Cleanup."
|
||||
./stratus cleanup aws.discovery.ec2-enumerate-from-instance
|
||||
echo "Removing Stratus artifacts from local machine."
|
||||
rm -rf stratus*
|
||||
name: sh
|
||||
elevation_required: false
|
||||
T1217:
|
||||
technique:
|
||||
modified: '2023-04-16T14:24:40.625Z'
|
||||
@@ -57801,7 +58064,31 @@ discovery:
|
||||
x_mitre_attack_spec_version: 2.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1619
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: AWS S3 Enumeration
|
||||
auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5
|
||||
description: "This test will enumerate all the S3 buckets in the user account
|
||||
and lists all the files in each bucket. \n"
|
||||
supported_platforms:
|
||||
- iaas:aws
|
||||
dependencies:
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
|
||||
default profile using: aws configure
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2
|
||||
--bucket $bucket --output text; done
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: false
|
||||
T1087.004:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
|
||||
@@ -58147,31 +58147,7 @@ discovery:
|
||||
x_mitre_attack_spec_version: 2.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1619
|
||||
atomic_tests:
|
||||
- name: AWS S3 Enumeration
|
||||
auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5
|
||||
description: "This test will enumerate all the S3 buckets in the user account
|
||||
and lists all the files in each bucket. \n"
|
||||
supported_platforms:
|
||||
- iaas:azure
|
||||
dependencies:
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
'
|
||||
prereq_command: 'cat ~/.aws/credentials | grep "default"
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
|
||||
default profile using: aws configure
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2
|
||||
--bucket $bucket --output text; done
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: false
|
||||
atomic_tests: []
|
||||
T1087.004:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
|
||||
@@ -24721,6 +24721,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -24847,6 +24848,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -88202,6 +88204,7 @@ credential-access:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -99010,6 +99013,7 @@ discovery:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -100367,7 +100371,7 @@ discovery:
|
||||
description: "This test will enumerate all the S3 buckets in the user account
|
||||
and lists all the files in each bucket. \n"
|
||||
supported_platforms:
|
||||
- iaas:azure
|
||||
- iaas:aws
|
||||
dependencies:
|
||||
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
|
||||
|
||||
|
||||
@@ -15232,6 +15232,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -15358,6 +15359,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -59261,6 +59263,7 @@ credential-access:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -65390,6 +65393,7 @@ discovery:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
|
||||
@@ -14426,6 +14426,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -14552,6 +14553,7 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -56603,6 +56605,7 @@ credential-access:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
@@ -62344,6 +62347,7 @@ discovery:
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
- iaas:aws
|
||||
input_arguments:
|
||||
stratus_path:
|
||||
description: Path of stratus binary
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus
|
||||
This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS, Iaas:aws
|
||||
|
||||
|
||||
**auto_generated_guid:** a21118de-b11e-4ebd-b655-42f11142df0c
|
||||
|
||||
@@ -256,7 +256,7 @@ Import-Module ExchangeOnlineManagement
|
||||
## Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
|
||||
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS, Iaas:aws
|
||||
|
||||
|
||||
**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f11142bf0c
|
||||
@@ -406,7 +406,7 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
|
||||
## Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus
|
||||
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS, Iaas:aws
|
||||
|
||||
|
||||
**auto_generated_guid:** 93c150f5-ad7b-4ee3-8992-df06dec2ac79
|
||||
|
||||
@@ -16,7 +16,7 @@ An adversary may enumerate resources using a compromised user's access keys to d
|
||||
## Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance
|
||||
This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS, Iaas:aws
|
||||
|
||||
|
||||
**auto_generated_guid:** 99ee161b-dcb1-4276-8ecb-7cfdcb207820
|
||||
|
||||
@@ -14,7 +14,7 @@ Cloud service providers offer APIs allowing users to enumerate objects stored wi
|
||||
## Atomic Test #1 - AWS S3 Enumeration
|
||||
This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket.
|
||||
|
||||
**Supported Platforms:** Iaas:azure
|
||||
**Supported Platforms:** Iaas:aws
|
||||
|
||||
|
||||
**auto_generated_guid:** 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5
|
||||
|
||||
Reference in New Issue
Block a user