attack_technique: T1580
display_name: 'Cloud Infrastructure Discovery'
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
  auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
  description: |
    This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
  supported_platforms:
  - linux
  - macos
  - iaas:aws
  input_arguments:
    stratus_path:
      description: Path of stratus binary
      type: path
      default: $PathToAtomicsFolder/T1580/src
    aws_region:
      description: AWS region to detonate
      type: string
      default: us-west-2
  dependency_executor_name: sh
  dependencies:
  - description: |
      Stratus binary must be present at the (#{stratus_path}/stratus)
    prereq_command: |
      if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
    get_prereq_command: |
      if [ "$(uname)" = "Darwin" ]
      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
      elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
      fi 
  - description: |
      Check if ~/.aws/credentials file has a default stanza is configured
    prereq_command: |
      cat ~/.aws/credentials | grep "default"
    get_prereq_command: |
      echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
  executor:
    command: |
      export AWS_REGION=#{aws_region}
      cd #{stratus_path}
      echo "Stratus: Start Warmup."
      ./stratus warmup aws.discovery.ec2-enumerate-from-instance
      echo "Stratus: Start Detonate."
      ./stratus detonate aws.discovery.ec2-enumerate-from-instance
    cleanup_command: |
      cd #{stratus_path}
      echo "Stratus: Start Cleanup."
      ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
      echo "Removing Stratus artifacts from local machine."
      rm -rf stratus*
    name: sh
    elevation_required: false
    
- name: AWS - EC2 Security Group Enumeration
  auto_generated_guid: 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac
  description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
  supported_platforms:
    - iaas:aws
  input_arguments:
    aws_profile:
      description: AWS CLI profile name
      type: string
      default: default
    output_format:
      description: Desired output format (text, table, json)
      type: string
      default: json
  
  executor:
    name: command_prompt
    command: |
      aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
  
  dependencies:
  - description: AWS CLI installed and configured with the necessary access rights.
    prereq_command: type aws || aws --version
    get_prereq_command: |
      if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
        curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
      elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
        Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
      fi
  - description: Check if AWS CLI is installed and configured.
    prereq_command: |
      aws sts get-caller-identity --profile #{aws_profile}
    get_prereq_command: |
      if ! aws sts get-caller-identity --profile #{aws_profile}; then
        echo "AWS CLI not properly configured. Please configure AWS CLI."
      fi