security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1580/T1580.yaml
T
Phil Hagen fd399bb6ed fix nesting and remove empty entries (#2825) 
* fix nesting and remove empty entries

* missed an indent correction

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-07-03 16:31:05 -06:00

94 lines
4.6 KiB
YAML
Raw Permalink Blame History

attack_technique: T1580
display_name: 'Cloud Infrastructure Discovery'
atomic_tests:
- name: AWS - EC2 Enumeration from Cloud Instance
auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
description: |
This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
supported_platforms:
- linux
- macos
- iaas:aws
input_arguments:
stratus_path:
description: Path of stratus binary
type: path
default: $PathToAtomicsFolder/T1580/src
aws_region:
description: AWS region to detonate
type: string
default: us-west-2
dependency_executor_name: sh
dependencies:
- description: |
Stratus binary must be present at the (#{stratus_path}/stratus)
prereq_command: |
if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
get_prereq_command: |
if [ "$(uname)" = "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
get_prereq_command: |
echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
executor:
command: |
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "Stratus: Start Warmup."
./stratus warmup aws.discovery.ec2-enumerate-from-instance
echo "Stratus: Start Detonate."
./stratus detonate aws.discovery.ec2-enumerate-from-instance
cleanup_command: |
cd #{stratus_path}
echo "Stratus: Start Cleanup."
./stratus cleanup aws.discovery.ec2-enumerate-from-instance
echo "Removing Stratus artifacts from local machine."
rm -rf stratus*
name: sh
elevation_required: false
- name: AWS - EC2 Security Group Enumeration
auto_generated_guid: 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac
description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
supported_platforms:
- iaas:aws
input_arguments:
aws_profile:
description: AWS CLI profile name
type: string
default: default
output_format:
description: Desired output format (text, table, json)
type: string
default: json
executor:
name: command_prompt
command: |
aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
dependencies:
- description: AWS CLI installed and configured with the necessary access rights.
prereq_command: type aws || aws --version
get_prereq_command: |
if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
fi
- description: Check if AWS CLI is installed and configured.
prereq_command: |
aws sts get-caller-identity --profile #{aws_profile}
get_prereq_command: |
if ! aws sts get-caller-identity --profile #{aws_profile}; then
echo "AWS CLI not properly configured. Please configure AWS CLI."
fi
Reference in New Issue View Git Blame Copy Permalink