Merge pull request #2054 from redcanaryco/staratus_defense_evasion

3 new aws stratus atomics

atomics/T1562.008/T1562.008.yaml

@@ -1,7 +1,7 @@
 attack_technique: T1562.008
 display_name: 'Impair Defenses: Disable Cloud Logs'
 atomic_tests:
-- name: AWS CloudTrail Changes
+- name: AWS - CloudTrail Changes
   auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
   description: |
     Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
@@ -127,10 +127,10 @@ atomic_tests:
       Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
     name: powershell
     elevation_required: false
-- name: Disable CloudTrail Logging Through Event Selectors via Stratus
+- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
   auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c
   description: |
-    Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment.
+    Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
   supported_platforms:
   - linux
   - macos
@@ -178,9 +178,118 @@ atomic_tests:
       echo "Cleanup detonation"
       cd #{stratus_path}
       ./stratus cleanup --all
+      rm -rf stratus*
     name: sh
     elevation_required: false
-- name: AWS CloudWatch Log Group Deletes
+- name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
+  auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029
+  description: |
+    This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: Path
+      default: $PathToAtomicsFolder/T1562.008/src
+    aws_region:
+      description: AWS region to detonate
+      type: String
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      if [ "$(uname)" == "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+        wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi
+  - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region} 
+      cd #{stratus_path}
+      echo "starting warmup"
+      ./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
+      echo "starting detonate"
+      ./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
+    cleanup_command: |
+      export AWS_REGION=#{aws_region}
+      echo "Cleanup detonation"
+      cd #{stratus_path}
+      ./stratus cleanup --all
+      rm -rf stratus*
+    name: sh
+    elevation_required: false
+- name: AWS - Remove VPC Flow Logs using Stratus
+  auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79
+  description: |
+    This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: Path
+      default: $PathToAtomicsFolder/T1562.008/src
+    aws_region:
+      description: AWS region to detonate
+      type: String
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      if [ "$(uname)" == "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+        wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi
+  - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region} 
+      cd #{stratus_path}
+      echo "starting warmup"
+      ./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
+      echo "starting detonate"
+      ./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
+    cleanup_command: |
+      export AWS_REGION=#{aws_region}
+      echo "Cleanup detonation"
+      cd #{stratus_path}
+      ./stratus cleanup --all
+      rm -rf stratus*
+    name: sh
+    elevation_required: false   
+- name: AWS - CloudWatch Log Group Deletes
   auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
   description: |
     Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by 
@@ -212,6 +321,38 @@ atomic_tests:
     cleanup_command: 
     name: sh
     elevation_required: false
+- name: AWS - CloudWatch Log Stream Deletes
+  auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121
+  description: |
+    Creates a new CloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by 
+    deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    cloudwatch_log_group_name:
+      description: Name of the cloudWatch log group
+      type: String
+      default: "log-test"
+    region:
+      description: Name of the region
+      type: String
+      default: "us-east-1"
+  dependencies:
+    - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+      prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+      get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+  executor:
+    command: |
+       aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+       echo "*** Log Group Created ***"
+       aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+       echo "*** Log Group Deleted ***"
+    cleanup_command: 
+    name: sh
+    elevation_required: false
 - name: AWS CloudWatch Log Stream Deletes
   auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
   description: |