diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
index 188f7cbb..c6381f2c 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using 
GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
index 18d95285..4356810f 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
index 9d26d8bd..525f5b32 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Iaas)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n- GCP - Delete Service Account Key\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Iaas)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n- GCP - Create Custom IAM Role\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n- GCP - Delete Service Account Key\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- GCP - Delete Activity Event Log\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/iaas-index.csv b/atomics/Indexes/Indexes-CSV/iaas-index.csv
index ef10245d..6309ff02 100644
--- a/atomics/Indexes/Indexes-CSV/iaas-index.csv
+++ b/atomics/Indexes/Indexes-CSV/iaas-index.csv
@@ -1,6 +1,8 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
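Review bot: T1562.008 test #5 (`AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus`) is absent from this hunk although its sibling Stratus tests #4 and #6 are added, and the index.md hunk further down still tags #5 as `[linux, macos]` only, so both this CSV index and the AWS navigator layer under-report T1562.008 coverage. Its name suggests it exercises the same AWS control plane as #4 and #6, so the omission looks like a tagging gap rather than a deliberate exclusion. These index files appear to be regenerated from the technique YAML, so if #5 should be included the fix belongs in that test's `supported_platforms` (adding `iaas:aws`) followed by a regeneration, not in an edit to this CSV. Confirm with the author whether #5 was intentionally left out.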
@@ -8,8 +10,10 @@ defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
+credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
+discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/iaas-index.md b/atomics/Indexes/Indexes-Markdown/iaas-index.md
index 77e7dd01..c791cb28 100644
--- a/atomics/Indexes/Indexes-Markdown/iaas-index.md
+++ b/atomics/Indexes/Indexes-Markdown/iaas-index.md
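Review bot: The GUID on the new T1552 row, `a21118de-b11e-4ebd-b655-42f11142df0c`, differs from the T1562.008 test #4 GUID `a27418de-bdce-4ebd-b655-38f11142bf0c` in the previous hunk in only a handful of hex digits, which looks hand-derived from a copy rather than freshly generated. Execution and reporting tooling selects atomics by GUID, so a near-duplicate identifier is a collision and traceability risk; it should be checked for uniqueness across the repository and for agreement with the `auto_generated_guid` in the T1552 technique YAML that this index is presumably built from. Replacing it with a newly generated UUID in the YAML and regenerating the indexes would remove the doubt. The pre-existing T1110.003 row shows the same pattern against T1562.008 test #1, but that is history here, not part of this change.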
@@ -18,6 +18,8 @@ - [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md) - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws] - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] + - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws] + - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws] - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws] - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws] - Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp] @@ -37,7 +39,8 @@ - T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1552 Unsecured Credentials](../../T1552/T1552.md) + - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws] - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws] 
@@ -72,11 +75,12 @@ - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) -- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md) + - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws] - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md) - - Atomic Test #1: AWS S3 Enumeration [iaas:azure] + - Atomic Test #1: AWS S3 Enumeration [iaas:aws] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1201 Password Policy Discovery](../../T1201/T1201.md) - Atomic Test #11: Examine AWS Password Policy [iaas:aws] diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 286f38a6..d2872a3c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -623,9 +623,9 @@ - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws] - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365] - - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos] + - Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws] - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos] - - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos] + - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws] - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws] - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws] - Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365] @@ -1980,7 +1980,7 @@ - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows] - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows] - [T1552 Unsecured Credentials](../../T1552/T1552.md) - - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos] + - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws] - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -2275,7 +2275,7 @@ - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md) - - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos] + - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws] - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md) - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] @@ -2319,7 +2319,7 @@ - Atomic Test #4: System Discovery using SharpView [windows] - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md) - - Atomic Test #1: AWS S3 Enumeration [iaas:azure] + - Atomic Test #1: AWS S3 Enumeration [iaas:aws] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index ac2be2cc..e1c88d8a 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -519,7 +519,7 @@ - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1552 Unsecured Credentials](../../T1552/T1552.md) - - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos] + - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws] - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 546d3fae..01dc38db 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -506,7 +506,7 @@ - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1552 Unsecured Credentials](../../T1552/T1552.md) - - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos] + - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws] - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml index 2506c30e..371e72cd 100644 --- a/atomics/Indexes/iaas_aws-index.yaml +++ b/atomics/Indexes/iaas_aws-index.yaml 
@@ -12752,6 +12752,132 @@ defense-evasion: terraform destroy -auto-approve name: sh elevation_required: false + - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus + auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c + description: 'Update event selectors in AWS CloudTrail to disable the logging + of certain management events to evade defense. This Atomic test leverages + a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). + Stratus Red Team is a self-contained binary. You can use it to easily detonate + offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ + + ' + supported_platforms: + - linux + - macos + - iaas:aws + input_arguments: + stratus_path: + description: Path of stratus binary + type: path + default: "$PathToAtomicsFolder/T1562.008/src" + aws_region: + description: AWS region to detonate + type: string + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf 
#{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting + warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-event-selectors\necho + \"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-event-selectors + --force\n" + cleanup_command: | + export AWS_REGION=#{aws_region} + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false + - name: AWS - Remove VPC Flow Logs using Stratus + auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79 + description: 'This Atomic will attempt to remove AWS VPC Flow Logs configuration. + Stratus Red Team is a self-contained binary. You can use it to easily detonate + offensive attack techniques against a live cloud environment. 
Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ + + ' + supported_platforms: + - linux + - macos + - iaas:aws + input_arguments: + stratus_path: + description: Path of stratus binary + type: path + default: "$PathToAtomicsFolder/T1562.008/src" + aws_region: + description: AWS region to detonate + type: string + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting + warmup\"\n./stratus warmup aws.defense-evasion.vpc-remove-flow-logs\necho + \"starting detonate\"\n./stratus detonate aws.defense-evasion.vpc-remove-flow-logs + --force\n" + cleanup_command: | + export 
AWS_REGION=#{aws_region} + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false - name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: "Creates a new cloudWatch log group in AWS, Upon successful creation 
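Review bot: The get_prereq_command of both added tests downloads whatever the GitHub releases API reports as the latest Stratus build and the executor then runs that binary with the operator's AWS credentials, yet nothing pins a version or checks the archive, so a hijacked release would run with full cloud access; pin a release tag and, if the release publishes a checksum file, verify the tarball against it before `tar -xzvf`. The pipeline also has no failure check: when the unauthenticated API call is rate-limited `DOWNLOAD_URL` is empty and wget/tar proceed on nothing, so add `[ -n "$DOWNLOAD_URL" ] || exit 1` before the wget. The `[ "$(uname)" == "Darwin" ]` comparison is a bashism that dash (a common /bin/sh) rejects as an unexpected operator under the `sh` executor, while the T1580 test added in this same commit uses the portable `=`; the two tests here should match it. If this index is generated from atomics/T1562.008/T1562.008.yaml, as the repo layout suggests, the fixes belong there.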
@@ -52151,7 +52277,73 @@ credential-access: x_mitre_attack_spec_version: 3.1.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1552 - atomic_tests: [] + atomic_tests: + - name: AWS - Retrieve EC2 Password Data using stratus + auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c + description: 'This atomic runs an API call GetPasswordData from a role that + does not have permission to do so. This simulates an attacker attempting to + retrieve RDP passwords on a high number of Windows EC2 instances. This atomic + test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). + Stratus Red Team is a self-contained binary. You can use it to easily detonate + offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ + + ' + supported_platforms: + - linux + - macos + - iaas:aws + input_arguments: + stratus_path: + description: Path of stratus binary + type: path + default: "$PathToAtomicsFolder/T1552/src" + aws_region: + description: AWS region to detonate + type: string + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep 
browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n wget + -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n tar + -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + + ' + executor: + command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting + warmup\"\n./stratus warmup aws.credential-access.ec2-get-password-data\necho + \"starting detonate\"\n./stratus detonate aws.credential-access.ec2-get-password-data + --force\n" + cleanup_command: | + export AWS_REGION=#{aws_region} + + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + rm -rf stratus* + name: sh + elevation_required: false T1139: technique: x_mitre_platforms: 
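Review bot: cleanup_command runs `./stratus cleanup --all`, which tears down the infrastructure of every Stratus technique warmed up under this profile rather than just this one, so running this atomic alongside any other Stratus-based test destroys the other test's resources mid-run; `./stratus cleanup aws.credential-access.ec2-get-password-data`, as the T1580 test in this commit does, scopes it. The `rm -rf stratus*` that follows is relative to whatever directory the shell ended up in, and nothing stops the script if `cd #{stratus_path}` fails, so guard it with `cd "#{stratus_path}" || exit 1` (the executor command has the same unguarded cd). The prerequisite `cat ~/.aws/credentials | grep "default"` only detects a static-key profile, so operators using `AWS_PROFILE`, SSO or environment credentials fail the check even though the detonation would work; a probe such as `aws sts get-caller-identity` reflects what the executor actually needs.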
@@ -57272,7 +57464,78 @@ discovery: x_mitre_attack_spec_version: 2.1.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1580 - atomic_tests: [] + atomic_tests: + - name: AWS - EC2 Enumeration from Cloud Instance + auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820 + description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, + iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, + ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) + from the context of an EC2 instance role. This simulates an attacker compromising + an EC2 instance and running initial discovery commands on it. This atomic + test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). + Stratus Red Team is a self-contained binary. You can use it to easily detonate + offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/ + + ' + supported_platforms: + - linux + - macos + - iaas:aws + input_arguments: + stratus_path: + description: Path of stratus binary + type: path + default: "$PathToAtomicsFolder/T1580/src" + aws_region: + description: AWS region to detonate + type: string + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: 'Stratus binary must be present at the (#{stratus_path}/stratus) + + ' + prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit + 1; fi + + ' + get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4); + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n + \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif + 
[ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl + -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest + | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4); + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n + \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi + \n" + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo "Please install the aws-cli and configure your AWS + default profile using: aws configure" + + ' + executor: + command: | + export AWS_REGION=#{aws_region} + cd #{stratus_path} + echo "Stratus: Start Warmup." + ./stratus warmup aws.discovery.ec2-enumerate-from-instance + echo "Stratus: Start Detonate." + ./stratus detonate aws.discovery.ec2-enumerate-from-instance + cleanup_command: | + cd #{stratus_path} + echo "Stratus: Start Cleanup." + ./stratus cleanup aws.discovery.ec2-enumerate-from-instance + echo "Removing Stratus artifacts from local machine." + rm -rf stratus* + name: sh + elevation_required: false T1217: technique: modified: '2023-04-16T14:24:40.625Z' 
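Review bot: cleanup_command does not export `AWS_REGION=#{aws_region}` the way the executor and the other Stratus tests in this commit do, so when the operator's default profile region differs from `aws_region` the cleanup is issued against the wrong region (unless Stratus resolves the region from its own saved state, which nothing here shows) and the EC2 instance and role created by the warmup are left running; add `export AWS_REGION=#{aws_region}` as the first line of the cleanup. The download has no integrity or failure check either: `DOWNLOAD_URL` is empty when the unauthenticated releases API is rate-limited, and the binary is never verified before it runs with the operator's credentials, so at least `[ -n "$DOWNLOAD_URL" ] || exit 1` before the wget, and preferably a pinned release tag. `grep -i linux_x86_64` / `Darwin_x86_64` also hard-codes the architecture, so on arm64 hosts the prerequisite fetches an x86_64 build; if the release provides arm64 archives, deriving the suffix from `uname -m` would make the prerequisite match the host.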
@@ -57801,7 +58064,31 @@ discovery: x_mitre_attack_spec_version: 2.1.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1619 - atomic_tests: [] + atomic_tests: + - name: AWS S3 Enumeration + auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 + description: "This test will enumerate all the S3 buckets in the user account + and lists all the files in each bucket. \n" + supported_platforms: + - iaas:aws + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + + ' + prereq_command: 'cat ~/.aws/credentials | grep "default" + + ' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + default profile using: aws configure + + ' + executor: + command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 + --bucket $bucket --output text; done + + ' + name: sh + elevation_required: false T1087.004: technique: x_mitre_platforms: diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml index 33a9051c..3c5a4c6e 100644 --- a/atomics/Indexes/iaas_azure-index.yaml +++ b/atomics/Indexes/iaas_azure-index.yaml 
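Review bot: The loop in the executor runs exactly once: `"$(aws s3 ls | cut -d " " -f3)"` is quoted, so every bucket name is joined into a single word, and the unquoted `$bucket` then splits it back into several arguments, giving `--bucket name1 name2 ...`, which the CLI rejects as soon as the account has more than one bucket. Replace it with `aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | while read -r bucket; do aws s3api list-objects-v2 --bucket "$bucket" --output text; done`, which also avoids parsing the human-oriented `aws s3 ls` output. Note too that list-objects-v2 pages through every key in every bucket, so on a real account this dumps the full object inventory to the console; a `--max-items` cap per bucket keeps the discovery signal (ListBuckets plus ListObjects in CloudTrail) without the flood, and either way the description should say the test lists every object. If this index is built from atomics/T1619/T1619.yaml, that file is where the fix belongs.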
@@ -58147,31 +58147,7 @@ discovery: x_mitre_attack_spec_version: 2.1.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1619 - atomic_tests: - - name: AWS S3 Enumeration - auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 - description: "This test will enumerate all the S3 buckets in the user account - and lists all the files in each bucket. \n" - supported_platforms: - - iaas:azure - dependencies: - - description: 'Check if ~/.aws/credentials file has a default stanza is configured - - ' - prereq_command: 'cat ~/.aws/credentials | grep "default" - - ' - get_prereq_command: 'echo Please install the aws-cli and configure your AWS - default profile using: aws configure - - ' - executor: - command: 'for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 - --bucket $bucket --output text; done - - ' - name: sh - elevation_required: false + atomic_tests: [] T1087.004: technique: x_mitre_platforms: diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1a1a17be..c9ebb1b7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -24721,6 +24721,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -24847,6 +24848,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -88202,6 +88204,7 @@ credential-access: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -99010,6 +99013,7 @@ discovery: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary 
@@ -100367,7 +100371,7 @@ discovery: description: "This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket. \n" supported_platforms: - - iaas:azure + - iaas:aws dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index 553d6a02..787ac651 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -15232,6 +15232,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -15358,6 +15359,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -59261,6 +59263,7 @@ credential-access: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -65390,6 +65393,7 @@ discovery: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index 747f2b55..98068da4 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml @@ -14426,6 +14426,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -14552,6 +14553,7 @@ defense-evasion: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -56603,6 +56605,7 @@ credential-access: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary @@ -62344,6 +62347,7 @@ discovery: supported_platforms: - linux - macos + - iaas:aws input_arguments: stratus_path: description: Path of stratus binary 
diff --git a/atomics/T1552/T1552.md b/atomics/T1552/T1552.md index cc1dc32e..a4c0ad2e 100644 --- a/atomics/T1552/T1552.md +++ b/atomics/T1552/T1552.md @@ -12,7 +12,7 @@ ## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Linux, macOS, Iaas:aws **auto_generated_guid:** a21118de-b11e-4ebd-b655-42f11142df0c diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1562.008/T1562.008.md index 5b8e3ee2..f29a3f58 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1562.008/T1562.008.md @@ -256,7 +256,7 @@ Import-Module ExchangeOnlineManagement ## Atomic Test #4 - AWS - Disable CloudTrail Logging Through Event Selectors using Stratus Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Linux, macOS, Iaas:aws **auto_generated_guid:** a27418de-bdce-4ebd-b655-38f11142bf0c 
@@ -406,7 +406,7 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws ## Atomic Test #6 - AWS - Remove VPC Flow Logs using Stratus This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Linux, macOS, Iaas:aws **auto_generated_guid:** 93c150f5-ad7b-4ee3-8992-df06dec2ac79 diff --git a/atomics/T1580/T1580.md b/atomics/T1580/T1580.md index ddb7e360..bad0f599 100644 --- a/atomics/T1580/T1580.md +++ b/atomics/T1580/T1580.md @@ -16,7 +16,7 @@ An adversary may enumerate resources using a compromised user's access keys to d ## Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/ -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Linux, macOS, Iaas:aws **auto_generated_guid:** 99ee161b-dcb1-4276-8ecb-7cfdcb207820 diff --git a/atomics/T1619/T1619.md b/atomics/T1619/T1619.md index a37bfb74..1d164072 100644 --- a/atomics/T1619/T1619.md +++ b/atomics/T1619/T1619.md 
@@ -14,7 +14,7 @@ Cloud service providers offer APIs allowing users to enumerate objects stored wi ## Atomic Test #1 - AWS S3 Enumeration This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket. -**Supported Platforms:** Iaas:azure +**Supported Platforms:** Iaas:aws **auto_generated_guid:** 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5