From 0b298b218880036ded24aafd7d1c34154ddfa5be Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Wed, 27 Jul 2022 16:36:03 -0700 Subject: [PATCH 01/13] 3 new aws stratus atomics --- atomics/T1562.008/T1562.008.yaml | 112 ++++++++++++++++++++++++++++++- 1 file changed, 110 insertions(+), 2 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 5734d5bc..c9a9eabe 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -128,10 +128,10 @@ atomic_tests: name: powershell elevation_required: false -- name: Disable CloudTrail Logging Through Event Selectors via Stratus +- name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: | - Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. + Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ supported_platforms: - linux - macos 
@@ -181,3 +181,111 @@ atomic_tests: ./stratus cleanup --all name: sh elevation_required: false + +- name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus + auto_generated_guid: a27428de-bdce-4ebd-b655-38f11122bf0c + description: | + This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ + supported_platforms: + - linux + - macos + input_arguments: + stratus_path: + description: Path of stratus binary + type: Path + default: $PathToAtomicsFolder/T1562.008/src + aws_region: + description: AWS region to detonate + type: String + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: | + Stratus binary must be present at the (#{stratus_path}/stratus) + prereq_command: | + if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; + get_prereq_command: | + if [ "$(uname)" == "Darwin" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ + elif [ "$(expr substr $(uname) 1 5)" == "Linux" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar 
-xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ + fi + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + + executor: + command: | + export AWS_REGION=#{aws_region} + cd #{stratus_path} + echo "starting warmup" + ./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule + echo "starting detonate" + ./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force + cleanup_command: | + export AWS_REGION=#{aws_region} + echo "Cleanup detonation" + cd #{stratus_path} + ./stratus cleanup --all + name: sh + elevation_required: false + +- name: AWS - Remove VPC Flow Logs using Stratus + auto_generated_guid: a27428qw-bdce-4ebd-b655-38f11122bf0c + description: | + This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. 
Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ + supported_platforms: + - linux + - macos + input_arguments: + stratus_path: + description: Path of stratus binary + type: Path + default: $PathToAtomicsFolder/T1562.008/src + aws_region: + description: AWS region to detonate + type: String + default: us-west-2 + dependency_executor_name: sh + dependencies: + - description: | + Stratus binary must be present at the (#{stratus_path}/stratus) + prereq_command: | + if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi; + get_prereq_command: | + if [ "$(uname)" == "Darwin" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ + elif [ "$(expr substr $(uname) 1 5)" == "Linux" ] + then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) + wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL + tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ + fi + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + + executor: + command: | + export AWS_REGION=#{aws_region} + cd #{stratus_path} + echo "starting warmup" + ./stratus warmup aws.defense-evasion.vpc-remove-flow-logs + echo "starting detonate" + ./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force + cleanup_command: | + export AWS_REGION=#{aws_region} + echo "Cleanup detonation" + cd #{stratus_path} + 
./stratus cleanup --all + name: sh + elevation_required: false From e88796c915c6f94c155097f6ce2de4177bbd39a0 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Thu, 28 Jul 2022 13:12:08 -0700 Subject: [PATCH 02/13] rm stratus --- atomics/T1562.008/T1562.008.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index c9a9eabe..1ac65e3a 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -179,6 +179,7 @@ atomic_tests: echo "Cleanup detonation" cd #{stratus_path} ./stratus cleanup --all + rm -rf stratus* name: sh elevation_required: false @@ -233,6 +234,7 @@ atomic_tests: echo "Cleanup detonation" cd #{stratus_path} ./stratus cleanup --all + rm -rf stratus* name: sh elevation_required: false @@ -287,5 +289,6 @@ atomic_tests: echo "Cleanup detonation" cd #{stratus_path} ./stratus cleanup --all + rm -rf stratus* name: sh elevation_required: false From 0e99122cedfca6b7d3f808aaf479a5b18ac4fd58 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Thu, 28 Jul 2022 16:28:20 -0700 Subject: [PATCH 03/13] update to cleaanup --- atomics/T1562.008/T1562.008.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 1ac65e3a..726a7248 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -291,4 +291,4 @@ atomic_tests: ./stratus cleanup --all rm -rf stratus* name: sh - elevation_required: false + elevation_required: false \ No newline at end of file From 11ebaedddfe5d75ce15565e46249f35624547416 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Thu, 28 Jul 2022 17:22:54 -0700 Subject: [PATCH 04/13] uuid --- atomics/T1562.008/T1562.008.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 726a7248..416a87a4 100644 --- a/atomics/T1562.008/T1562.008.yaml 
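Review bot: The `get_prereq_command` of the new `AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus` test (and its verbatim copy in the `AWS - Remove VPC Flow Logs using Stratus` test later in the same hunk) downloads whatever the GitHub releases API currently reports as latest and pipes it straight into `tar -xzvf` with no version pin and no integrity check, so the binary the atomic detonates with is whatever that feed served on the day, and a tampered archive would be extracted and executed without any signal. Pinning a release tag in the download URL and comparing the archive against the project's published checksum before extracting would make the prerequisite reproducible and give a detection point; the Event Selectors test above this hunk presumably shares the same block, so a single shared fix is worth considering. Separately, the description still reads `will use the stratus red team will first setup` and `actiivity`, and the `get_prereq_command` echo says `defult`.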
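Review bot: `rm -rf stratus*` is appended after `cd #{stratus_path}` in all three `cleanup_command` blocks (hunks at -179, -233 and -287), but the block runs without `set -e` and the `cd` is not chained, so if `#{stratus_path}` is missing or mistyped the glob deletion runs in whatever directory the executor started from. Anchoring the path removes that risk: `rm -rf "#{stratus_path}"/stratus*` (or `cd #{stratus_path} && rm -rf stratus*`). Note also that this deletes the binary the `prereq_command` checks for, so every subsequent run will re-download it; if that is intended it is worth stating in the dependency description.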
+++ b/atomics/T1562.008/T1562.008.yaml @@ -184,7 +184,7 @@ atomic_tests: elevation_required: false - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus - auto_generated_guid: a27428de-bdce-4ebd-b655-38f11122bf0c + auto_generated_guid: a27428de-bdce-411d-b655-38f11122bf0c description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ supported_platforms: @@ -239,7 +239,7 @@ atomic_tests: elevation_required: false - name: AWS - Remove VPC Flow Logs using Stratus - auto_generated_guid: a27428qw-bdce-4ebd-b655-38f11122bf0c + auto_generated_guid: a11428qw-bdce-432d-b655-38f11122bf0c description: | This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ supported_platforms: From 89019ac27e679a5248a6e7afcc59c11ab08a6169 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 14:37:29 -0700 Subject: [PATCH 05/13] uuid --- atomics/T1562.008/T1562.008.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 416a87a4..7bdd7d9a 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
@@ -129,7 +129,6 @@ atomic_tests: elevation_required: false - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus - auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: | Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ supported_platforms: @@ -184,7 +183,6 @@ atomic_tests: elevation_required: false - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus - auto_generated_guid: a27428de-bdce-411d-b655-38f11122bf0c description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ supported_platforms: 
@@ -239,7 +237,6 @@ atomic_tests: elevation_required: false - name: AWS - Remove VPC Flow Logs using Stratus - auto_generated_guid: a11428qw-bdce-432d-b655-38f11122bf0c description: | This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ supported_platforms: From d888deb5a03b002ff56504c7fb37437550cf4171 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 14:43:49 -0700 Subject: [PATCH 06/13] conflicts --- atomics/T1562.008/T1562.008.yaml | 75 ++++++++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 3 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 7bdd7d9a..b1615e2c 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -127,8 +127,8 @@ atomic_tests: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True name: powershell elevation_required: false - - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus + auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: | Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ supported_platforms: 
@@ -181,7 +181,6 @@ atomic_tests: rm -rf stratus* name: sh elevation_required: false - - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ @@ -235,7 +234,6 @@ atomic_tests: rm -rf stratus* name: sh elevation_required: false - - name: AWS - Remove VPC Flow Logs using Stratus description: | This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ 
@@ -287,5 +285,76 @@ atomic_tests: cd #{stratus_path} ./stratus cleanup --all rm -rf stratus* + +- name: AWS CloudWatch Log Group Deletes + auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 + description: | + Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by + deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: "log-test" + region: + description: Name of the region + type: String + default: "us-east-1" + dependencies: + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + executor: + command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: + name: sh + elevation_required: false +- name: AWS CloudWatch Log Stream Deletes + auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932 + description: | + Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by + deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. 
https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html + supported_platforms: + - iaas:aws + input_arguments: + cloudwatch_log_group_name: + description: Name of the cloudWatch log group + type: String + default: "test-logs" + cloudwatch_log_stream_name: + description: Name of the cloudWatch log stream + type: String + default: "20150601" + region: + description: Name of the region + type: String + default: "us-west-2" + dependencies: + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure + executor: + command: | + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Created ***" + aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Deleted ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: name: sh elevation_required: false \ No newline at end of file From 6a1b55457988f10f57e1349d33563fb1d7d79d91 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 14:45:09 -0700 Subject: [PATCH 07/13] naming --- atomics/T1562.008/T1562.008.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index b1615e2c..e029bfb7 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
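Review bot: In the new `AWS - CloudWatch Log Stream Deletes` executor the `create-log-stream` and `delete-log-stream` calls omit `--region #{region}` while the surrounding `create-log-group`/`delete-log-group` calls pass it, so whenever the CLI's configured default region differs from `#{region}` the stream is created in a region where the group does not exist, the run aborts partway and the group is left behind. Append `--region #{region}` to both stream commands. Both new tests also leave `cleanup_command:` bare, which YAML reads as null; moving `aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region}` into `cleanup_command` would remove the group even when the inline steps fail early. The `supported_platforms` value `iaas:aws` here also differs from the `linux`/`macos` used by the three Stratus tests in this file, which makes platform filtering inconsistent across the same technique.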
@@ -1,7 +1,7 @@ attack_technique: T1562.008 display_name: 'Impair Defenses: Disable Cloud Logs' atomic_tests: -- name: AWS CloudTrail Changes +- name: AWS - CloudTrail Changes auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e description: | Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail @@ -285,8 +285,7 @@ atomic_tests: cd #{stratus_path} ./stratus cleanup --all rm -rf stratus* - -- name: AWS CloudWatch Log Group Deletes +- name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: | Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by @@ -318,7 +317,7 @@ atomic_tests: cleanup_command: name: sh elevation_required: false -- name: AWS CloudWatch Log Stream Deletes +- name: AWS - CloudWatch Log Stream Deletes auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932 description: | Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by From 77a5db8ead87e46aca7398e1977c858a943d13b0 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 15:01:08 -0700 Subject: [PATCH 08/13] vaslidate atomics --- atomics/T1562.008/T1562.008.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index e029bfb7..4d45d7f4 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
@@ -181,6 +181,7 @@ atomic_tests: rm -rf stratus* name: sh elevation_required: false + - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ @@ -285,6 +286,9 @@ atomic_tests: cd #{stratus_path} ./stratus cleanup --all rm -rf stratus* + name: sh + elevation_required: false + - name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: | From 40ceeff8d9d953cdc41e9c924e0ec00a20609a47 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 15:05:19 -0700 Subject: [PATCH 09/13] uuid --- atomics/T1562.008/T1562.008.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 3bea298a..d2fa8e47 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
@@ -322,7 +322,7 @@ atomic_tests: name: sh elevation_required: false - name: AWS - CloudWatch Log Stream Deletes - auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 + auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121 description: | Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion From b830b6df568a71273452c5969f3cb169d79a659b Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 15:08:30 -0700 Subject: [PATCH 10/13] uid --- atomics/T1562.008/T1562.008.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index d2fa8e47..aeb8f852 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -183,6 +183,7 @@ atomic_tests: elevation_required: false - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus + auto_generated_guid: 894fgc87-as7b-4114-a8ca-802bb9d06121 description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ supported_platforms: 
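Review bot: The replacement `auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121` is not a valid UUID — its last group has 13 hex digits instead of 12 — and it is a hand-edited variant of the Log Group Deletes GUID rather than a fresh value, so any tooling that validates or keys atomics by GUID may reject or misfile this test. Generate a new random UUID (for example with `uuidgen`) and use it verbatim: `auto_generated_guid: <NEW-RANDOM-UUID>`. The context lines in this hunk also show the Log Stream Deletes test carrying the Log Group Deletes description and reference link; that is addressed in the note on the -324 hunk of patch 13.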
@@ -236,6 +237,7 @@ atomic_tests: name: sh elevation_required: false - name: AWS - Remove VPC Flow Logs using Stratus + auto_generated_guid: a9s2fc87-b57b-4a04-18ca-802bb9d061as description: | This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ supported_platforms: From 23c376e20c40a015d7741e197a83817e3f4e7b08 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Mon, 1 Aug 2022 15:29:34 -0700 Subject: [PATCH 11/13] ugh --- atomics/T1562.008/T1562.008.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index aeb8f852..7fc5963c 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -181,9 +181,8 @@ atomic_tests: rm -rf stratus* name: sh elevation_required: false - - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus - auto_generated_guid: 894fgc87-as7b-4114-a8ca-802bb9d06121 + auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029 description: | This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ supported_platforms: From c0a4b9d05a3d3c64d062e4a05aad08fd31594ead Mon Sep 17 00:00:00 2001 
From: patel-bhavin Date: Mon, 1 Aug 2022 15:34:06 -0700 Subject: [PATCH 12/13] more uuid --- atomics/T1562.008/T1562.008.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 7fc5963c..60c67442 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -236,7 +236,7 @@ atomic_tests: name: sh elevation_required: false - name: AWS - Remove VPC Flow Logs using Stratus - auto_generated_guid: a9s2fc87-b57b-4a04-18ca-802bb9d061as + auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79 description: | This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ supported_platforms: @@ -288,8 +288,7 @@ atomic_tests: ./stratus cleanup --all rm -rf stratus* name: sh - elevation_required: false - + elevation_required: false - name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: | From b4e15fbd86e2427b9b694e79b113529c6fe4198b Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 1 Aug 2022 18:42:31 -0600 Subject: [PATCH 13/13] fixes --- atomics/T1562.008/T1562.008.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 60c67442..d4031a14 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
@@ -130,7 +130,7 @@ atomic_tests: - name: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus auto_generated_guid: a27418de-bdce-4ebd-b655-38f11142bf0c description: | - Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ + Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/ supported_platforms: - linux - macos 
@@ -184,7 +184,7 @@ atomic_tests: - name: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus auto_generated_guid: 22d89a2f-d475-4895-b2d4-68626d49c029 description: | - This atomic test will use the stratus red team will first setup a cloudtrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ + This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ supported_platforms: - linux - macos 
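Review bot: The rewritten description still carries the broken sentence `This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging` and the typo `actiivity`, so the wording fix is incomplete. Suggested first sentence: `This Atomic test uses Stratus Red Team to first set up CloudTrail logging into an S3 bucket and then call the API to update the lifecycle rule on that bucket with an expiration of 1 day.`, and `actiivity` should read `activity`. The lowercase `ref:` at the end could also be `Ref:` to match the other two Stratus tests in this file.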
@@ -238,7 +238,7 @@ atomic_tests: - name: AWS - Remove VPC Flow Logs using Stratus auto_generated_guid: 93c150f5-ad7b-4ee3-8992-df06dec2ac79 description: | - This atomic will attempt to remove VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ + This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/ supported_platforms: - linux - macos @@ -324,7 +324,7 @@ atomic_tests: - name: AWS - CloudWatch Log Stream Deletes auto_generated_guid: 89422c87-b57b-4a04-a12a-802bb11d06121 description: | - Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by + Creates a new CloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion supported_platforms: - iaas:aws
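Review bot: The description being capitalised in the -324 hunk still describes the wrong test: `AWS - CloudWatch Log Stream Deletes` says it `Creates a new CloudWatch log group ... Delete the group` and links to the `aws-cloudwatch-log-group-deletion` guide, which is the Log Group Deletes text, while the executor actually creates and deletes a log stream. Patch 06 in this series had the correct wording for this entry (`Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream.` with the `aws-cloudwatch-log-stream-deletion.html` reference), so restoring that text here is the straightforward fix. The same hunk's `auto_generated_guid` is still the malformed 13-digit value noted on patch 09.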