security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1651/T1651.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

84 lines
3.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1651 - Cloud Administration Command
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1651)
<blockquote>
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environments virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - AWS Run Command (and Control)](#atomic-test-1---aws-run-command-and-control)
<br/>
## Atomic Test #1 - AWS Run Command (and Control)
This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** a3cc9c95-c160-4b86-af6f-84fba87bfd30
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| access_key | AWS Access Key | string | |
| secret_key | AWS Secret Key | string | |
| session_token | AWS Session Token | string | |
| profile | AWS profile | string | |
| region | AWS region to deploy the EC2 instance | string | us-east-2|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
```
#### Dependencies: Run with `powershell`!
##### Description: The AWS PowerShell module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AWSPowerShell -Force
```
##### Description: Terraform must be installed.
##### Check Prereq Commands:
```powershell
terraform --version
```
##### Get Prereq Commands:
```powershell
Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink