Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -358,6 +358,7 @@ defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
+defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -76,6 +76,7 @@ defense-evasion,T1027.004,Compile After Delivery,5,Go compile,78bd3fa7-773c-449e
 defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
+defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -526,6 +526,7 @@
   - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
   - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
   - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
+  - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
 - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
   - Atomic Test #1: Hidden Window [windows]
 - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -161,6 +161,7 @@
   - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
   - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
   - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
+  - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
 - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -21450,6 +21450,68 @@ defense-evasion:
           Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
         name: powershell
         elevation_required: false
+    - name: Disable CloudTrail Logging Through Event Selectors via Stratus
+      auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
+      description: 'Update event selectors in AWS CloudTrail to disable the logging
+        of certain management events to evade defense. This atomic test leverages
+        a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment.
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: Path
+          default: "$PathToAtomicsFolder/T1562.008/src"
+        aws_region:
+          description: AWS region to detonate
+          type: String
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
+          warmup\"\n./stratus warmup aws.defense-evasion.cloudtrail-event-selectors\necho
+          \"starting detonate\"\n./stratus detonate aws.defense-evasion.cloudtrail-event-selectors
+          --force\n"
+        cleanup_command: |
+          export AWS_REGION=#{aws_region}
+          echo "Cleanup detonation"
+          cd #{stratus_path}
+          ./stratus cleanup --all
+        name: sh
+        elevation_required: false
   T1564.003:
     technique:
       x_mitre_platforms:

atomics/T1562.008/T1562.008.md

@@ -12,6 +12,8 @@ Cloud environments allow for collection and analysis of audit and application lo
 
 - [Atomic Test #3 - Office 365 - Exchange Audit Log Disabled](#atomic-test-3---office-365---exchange-audit-log-disabled)
 
+- [Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus](#atomic-test-4---disable-cloudtrail-logging-through-event-selectors-via-stratus)
+
 
 <br/>
 
@@ -185,4 +187,78 @@ Import-Module ExchangeOnlineManagement
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus
+Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f11142bf0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| stratus_path | Path of stratus binary | Path | $PathToAtomicsFolder/T1562.008/src|
+| aws_region | AWS region to detonate | String | us-west-2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+export AWS_REGION=#{aws_region} 
+cd #{stratus_path}
+echo "starting warmup"
+./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
+echo "starting detonate"
+./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
+```
+
+#### Cleanup Commands:
+```sh
+export AWS_REGION=#{aws_region}
+echo "Cleanup detonation"
+cd #{stratus_path}
+./stratus cleanup --all
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
+##### Check Prereq Commands:
+```sh
+if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+if [ "$(uname)" == "Darwin" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+fi
+```
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
 <br/>