diff --git a/cmd/stratus/cleanup_cmd.go b/cmd/stratus/cleanup_cmd.go
index 3d278b5f..a383d978 100644
--- a/cmd/stratus/cleanup_cmd.go
+++ b/cmd/stratus/cleanup_cmd.go
@@ -16,7 +16,7 @@ func buildCleanupCmd() *cobra.Command {
Use: "cleanup [attack-technique-id]... | --all",
Aliases: []string{"clean"},
Short: "Cleans up any leftover infrastructure or configuration from a TTP.",
- Example: "stratus cleanup aws.defense-evasion.stop-cloudtrail\nstratus cleanup --all",
+ Example: "stratus cleanup aws.defense-evasion.cloudtrail-stop\nstratus cleanup --all",
DisableFlagsInUseLine: true,
Args: func(cmd *cobra.Command, args []string) error {
if len(args) == 0 && flagCleanupAll {
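Review bot: The `Example` string in this hunk now shows `aws.defense-evasion.cloudtrail-stop`, but nothing visible here says what happens to techniques that were warmed up or detonated under the old ID before upgrading. If technique state is keyed by ID (not visible in this diff, so this needs confirming), `stratus cleanup aws.defense-evasion.stop-cloudtrail` would stop resolving and the deployed test infrastructure could stay behind in the cloud account. Either accept the old IDs as aliases for a release, or document the step next to the example, for instance `// Technique IDs were renamed in this release; run "stratus cleanup --all" with the previous binary before upgrading.` The same applies to the example strings changed in the detonate, revert and warmup hunks. The body of `buildCleanupCmd` starts and ends outside this hunk.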
diff --git a/cmd/stratus/detonate_cmd.go b/cmd/stratus/detonate_cmd.go
index dd6ad4b1..8906eee7 100644
--- a/cmd/stratus/detonate_cmd.go
+++ b/cmd/stratus/detonate_cmd.go
@@ -18,8 +18,8 @@ func buildDetonateCmd() *cobra.Command {
Use: "detonate attack-technique-id [attack-technique-id]...",
Short: "Detonate one or multiple attack techniques",
Example: strings.Join([]string{
- "stratus detonate aws.defense-evasion.stop-cloudtrail",
- "stratus detonate aws.defense-evasion.stop-cloudtrail --cleanup",
+ "stratus detonate aws.defense-evasion.cloudtrail-stop",
+ "stratus detonate aws.defense-evasion.cloudtrail-stop --cleanup",
}, "\n"),
DisableFlagsInUseLine: true,
PreRunE: func(cmd *cobra.Command, args []string) error {
diff --git a/cmd/stratus/revert_cmd.go b/cmd/stratus/revert_cmd.go
index b133c444..273d6eb8 100644
--- a/cmd/stratus/revert_cmd.go
+++ b/cmd/stratus/revert_cmd.go
@@ -15,7 +15,7 @@ func buildRevertCmd() *cobra.Command {
detonateCmd := &cobra.Command{
Use: "revert attack-technique-id [attack-technique-id]...",
Short: "Revert the detonation of an attack technique",
- Example: "stratus revert aws.defense-evasion.stop-cloudtrail",
+ Example: "stratus revert aws.defense-evasion.cloudtrail-stop",
DisableFlagsInUseLine: true,
PreRunE: func(cmd *cobra.Command, args []string) error {
if len(args) == 0 {
diff --git a/cmd/stratus/warmup_cmd.go b/cmd/stratus/warmup_cmd.go
index 1ba45801..72ea450d 100644
--- a/cmd/stratus/warmup_cmd.go
+++ b/cmd/stratus/warmup_cmd.go
@@ -15,7 +15,7 @@ func buildWarmupCmd() *cobra.Command {
warmupCmd := &cobra.Command{
Use: "warmup attack-technique-id [attack-technique-id]...",
Short: "\"Warm up\" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it",
- Example: "stratus warmup aws.defense-evasion.stop-cloudtrail",
+ Example: "stratus warmup aws.defense-evasion.cloudtrail-stop",
DisableFlagsInUseLine: true,
PreRunE: func(cmd *cobra.Command, args []string) error {
if len(args) == 0 {
diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
new file mode 100755
index 00000000..330249fc
--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
@@ -0,0 +1,38 @@
+---
+title: Steal EC2 Instance Credentials
+---
+
+# Steal EC2 Instance Credentials
+
+ slow
+ idempotent
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Simulates the theft of EC2 instance credentials from the Instance Metadata Service.
+
+Warm-up:
+
+- Create the prerequisite EC2 instance and VPC (takes a few minutes).
+
+Detonation:
+
+- Execute a SSM command on the instance to retrieve temporary credentials
+- Use these credentials locally (outside the instance) to run the following commands:
+ - sts:GetCallerIdentity
+ - ec2:DescribeInstances
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.credential-access.ec2-steal-instance-credentials
+```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md
similarity index 91%
rename from docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md
rename to docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md
index cd58d6f4..77155e68 100755
--- a/docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md
+++ b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md
@@ -32,5 +32,5 @@ Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.credential-access.retrieve-all-ssm-parameters
+stratus detonate aws.credential-access.ssm-retrieve-securestring-parameters
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md
similarity index 89%
rename from docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md
rename to docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md
index a840e279..30cfb9aa 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md
@@ -31,5 +31,5 @@ Delete a CloudTrail trail. Simulates an attacker disrupting CloudTrail logging.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.delete-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-delete
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md
similarity index 92%
rename from docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md
rename to docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md
index 8af753c9..e1732acd 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md
@@ -31,5 +31,5 @@ Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTra
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-stop
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
similarity index 94%
rename from docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md
rename to docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
index 1c2b7733..556215f8 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
@@ -34,5 +34,5 @@ Leaving the organization can disrupt or totally shut down these controls.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.leave-organization
+stratus detonate aws.defense-evasion.organizations-leave
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
similarity index 89%
rename from docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md
rename to docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
index 321a8638..9d6aeda0 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
@@ -31,5 +31,5 @@ Removes a VPC Flog Logs configuration from a VPC.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.remove-vpc-flow-logs
+stratus detonate aws.defense-evasion.vpc-remove-flow-logs
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md b/docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md
similarity index 95%
rename from docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md
rename to docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md
index de48e997..89c53d63 100755
--- a/docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md
+++ b/docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md
@@ -43,5 +43,5 @@ The commands will be run under the identity of the EC2 instance role, simulating
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.discovery.basic-enumeration-from-ec2-instance
+stratus detonate aws.discovery.ec2-enumerate-from-instance
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
similarity index 88%
rename from docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md
rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
index ebf6514a..d442e18a 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
@@ -31,5 +31,5 @@ Opens ingress traffic on port 22 from the Internet (0.0.0.0/0).
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.open-port-22-ingress-on-security-group
+stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md
similarity index 92%
rename from docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md
rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md
index e701acbb..bfcd7e1b 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md
@@ -31,5 +31,5 @@ Exfiltrates an AMI by sharing it with an external AWS account.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.ami-sharing
+stratus detonate aws.exfiltration.ec2-share-ami
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
similarity index 90%
rename from docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md
rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
index b527f810..8e144693 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
@@ -31,5 +31,5 @@ Exfiltrates an EBS snapshot by sharing it with an external AWS account.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md
similarity index 94%
rename from docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md
rename to docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md
index 54c23093..bd17c644 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md
@@ -32,5 +32,5 @@ Shares a RDS Snapshot with an external AWS account to simulate an attacker exfil
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.rds-snapshot-sharing
+stratus detonate aws.exfiltration.rds-share-snapshot
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md b/docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md
similarity index 94%
rename from docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md
rename to docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md
index de9bc685..95a0e945 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md
@@ -56,5 +56,5 @@ Exfiltrates data from an S3 bucket by backdooring its Bucket Policy to allow acc
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md
similarity index 95%
rename from docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md
rename to docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md
index 717c0c58..61839d96 100755
--- a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md
@@ -55,5 +55,5 @@ Establishes persistence by backdooring an existing IAM role, allowing it to be a
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-iam-role
+stratus detonate aws.persistence.iam-backdoor-role
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
similarity index 91%
rename from docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md
rename to docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
index 70261dfd..44ee5295 100755
--- a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
@@ -32,5 +32,5 @@ Establishes persistence by creating an access key on an existing IAM user.
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-iam-user
+stratus detonate aws.persistence.iam-backdoor-user
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
similarity index 90%
rename from docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md
rename to docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
index 12b605c0..8e2b2b31 100755
--- a/docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
@@ -30,5 +30,5 @@ Establishes persistence by creating a new IAM user with administrative permissio
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.malicious-iam-user
+stratus detonate aws.persistence.iam-create-admin-user
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
similarity index 91%
rename from docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md
rename to docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
index f2c7252d..1e1b166a 100755
--- a/docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
@@ -33,5 +33,5 @@ user intended to be used programmatically through the AWS console usual login pr
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.iam-user-create-login-profile
+stratus detonate aws.persistence.iam-create-user-login-profile
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md
similarity index 91%
rename from docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md
rename to docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md
index 3989ece1..79a0c9f4 100755
--- a/docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md
+++ b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md
@@ -31,5 +31,5 @@ Establishes persistence by backdooring a lambda function to allow its invocation
## Instructions
```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-lambda-function
+stratus detonate aws.persistence.lambda-backdoor-function
```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index 7681916a..8dc0243c 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -8,64 +8,64 @@ Note that some Stratus attack techniques may correspond to more than a single AT
- [Retrieve EC2 Password Data](./aws.credential-access.ec2-get-password-data.md)
-- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-instance-credentials.md)
+- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md)
- [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md)
-- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.retrieve-all-ssm-parameters.md)
+- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md)
## Defense Evasion
+- [Delete CloudTrail Trail](./aws.defense-evasion.cloudtrail-delete.md)
+
- [Disable CloudTrail Logging Through Event Selectors](./aws.defense-evasion.cloudtrail-event-selectors.md)
- [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws.defense-evasion.cloudtrail-lifecycle-rule.md)
-- [Delete CloudTrail Trail](./aws.defense-evasion.delete-cloudtrail.md)
-
-- [Stop CloudTrail Trail](./aws.defense-evasion.stop-cloudtrail.md)
+- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md)
-- [Attempt to Leave the AWS Organization](./aws.defense-evasion.leave-organization.md)
+- [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md)
-- [Remove VPC Flow Logs](./aws.defense-evasion.remove-vpc-flow-logs.md)
+- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md)
## Discovery
-- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.basic-enumeration-from-ec2-instance.md)
+- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md)
## Exfiltration
-- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ami-sharing.md)
+- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.ec2-security-group-open-port-22-ingress.md)
-- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md)
+- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ec2-share-ami.md)
-- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-snapshot-sharing.md)
+- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ec2-share-ebs-snapshot.md)
-- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.backdoor-s3-bucket-policy.md)
+- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-share-snapshot.md)
-- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.open-port-22-ingress-on-security-group.md)
+- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md)
## Persistence
-- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.backdoor-lambda-function.md)
+- [Backdoor an IAM Role](./aws.persistence.iam-backdoor-role.md)
-- [Backdoor an IAM Role](./aws.persistence.backdoor-iam-role.md)
+- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md)
-- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md)
+- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
-- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md)
+- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
-- [Create an administrative IAM User](./aws.persistence.malicious-iam-user.md)
+- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md)
## Privilege Escalation
-- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md)
+- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md)
-- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md)
+- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
-- [Create an administrative IAM User](./aws.persistence.malicious-iam-user.md)
+- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
index 2dcc378e..5da76366 100755
--- a/docs/attack-techniques/list.md
+++ b/docs/attack-techniques/list.md
@@ -10,23 +10,23 @@ This page contains the list of all Stratus Attack Techniques.
| Name | Platform | MITRE ATT&CK Tactics |
| :----: | :------: | :------------------: |
| [Retrieve EC2 Password Data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-steal-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
| [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.retrieve-all-ssm-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-delete.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery |
-| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ami-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-snapshot-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.backdoor-lambda-function.md) | [AWS](./AWS/index.md) | Persistence |
-| [Backdoor an IAM Role](./AWS/aws.persistence.backdoor-iam-role.md) | [AWS](./AWS/index.md) | Persistence |
-| [Create an Access Key on an IAM User](./AWS/aws.persistence.backdoor-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-user-create-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Create an administrative IAM User](./AWS/aws.persistence.malicious-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |
+| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ec2-share-ami.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-share-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.s3-backdoor-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
+| [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence |
diff --git a/docs/index.md b/docs/index.md
index 29e7d818..ce212511 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -21,7 +21,7 @@ Think of Stratus Red Team as "[Atomic Red Team](https://github.com/redcanaryco/a
Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment.
```bash title="Sample usage - Stopping a CloudTrail Trail (Defense Evasion)"
-stratus detonate aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-stop
```
The attack techniques are mapped to [MITRE ATT&CK](https://attack.mitre.org/).
diff --git a/docs/user-guide/commands/cleanup.md b/docs/user-guide/commands/cleanup.md
index 51124545..49b10b5c 100644
--- a/docs/user-guide/commands/cleanup.md
+++ b/docs/user-guide/commands/cleanup.md
@@ -8,7 +8,7 @@ Cleans up any leftover infrastructure from an attack technique.
## Sample Usage
```bash title="Clean up an attack technique"
-stratus cleanup aws.defense-evasion.stop-cloudtrail
+stratus cleanup aws.defense-evasion.cloudtrail-stop
```
```bash title="Clean up all attack techniques that can be cleaned up"
diff --git a/docs/user-guide/commands/detonate.md b/docs/user-guide/commands/detonate.md
index 00c8f030..4040f24c 100644
--- a/docs/user-guide/commands/detonate.md
+++ b/docs/user-guide/commands/detonate.md
@@ -11,13 +11,13 @@ Detonates an attack technique.
## Sample Usage
```bash title="Detonate an attack technique"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
```
```bash title="Detonate multiple attack techniques"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.cloudtrail-stop
```
```bash title="Detonate an attack technique, then automatically clean up any resources deployed on AWS"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy --cleanup
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup
```
\ No newline at end of file
diff --git a/docs/user-guide/commands/revert.md b/docs/user-guide/commands/revert.md
index d460eda0..0aa30d6f 100644
--- a/docs/user-guide/commands/revert.md
+++ b/docs/user-guide/commands/revert.md
@@ -6,14 +6,14 @@ title: revert
Reverts the detonation of an attack technique, when applicable.
Some attack techniques are not *idempotent*, meaning that you cannot detonate them multiple times because of their side effect.
-For instance, [Stop a CloudTrail Trail](https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail/) stops a CloudTrail Trail when detonated. Consequently, it cannot be detonated again (as the Trail is already stopped).
+For instance, [Stop a CloudTrail Trail](https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop/) stops a CloudTrail Trail when detonated. Consequently, it cannot be detonated again (as the Trail is already stopped).
`stratus revert` ensures that a non-idempotent technique is reverted to a state where it can be detonated again.
## Sample Usage
```bash title="Revert an attack technique"
-stratus revert aws.persistence.backdoor-lambda-function
+stratus revert aws.persistence.lambda-backdoor-function
```
## Difference with `stratus cleanup`
diff --git a/docs/user-guide/commands/status.md b/docs/user-guide/commands/status.md
index 79354012..daced1df 100644
--- a/docs/user-guide/commands/status.md
+++ b/docs/user-guide/commands/status.md
@@ -19,9 +19,9 @@ stratus status
+------------------------------------------------------------+--------------------------------------------------------+-------------+
| ID | NAME | STATUS |
+------------------------------------------------------------+--------------------------------------------------------+-------------+
-| aws.defense-evasion.stop-cloudtrail | Stop a CloudTrail Trail | WARM |
+| aws.defense-evasion.cloudtrail-stop | Stop a CloudTrail Trail | WARM |
| aws.defense-evasion.leave-organization | Attempt to Leave the AWS Organization | COLD |
-| aws.defense-evasion.remove-vpc-flow-logs | Remove VPC Flow Logs | WARM |
-| aws.persistence.backdoor-iam-user | Create an Access Key on an IAM User | DETONATED |
+| aws.defense-evasion.vpc-remove-flow-logs | Remove VPC Flow Logs | WARM |
+| aws.persistence.iam-backdoor-user | Create an Access Key on an IAM User | DETONATED |
+------------------------------------------------------------+--------------------------------------------------------+-------------+
```
\ No newline at end of file
diff --git a/docs/user-guide/commands/warmup.md b/docs/user-guide/commands/warmup.md
index 0384f4ce..b45472c8 100644
--- a/docs/user-guide/commands/warmup.md
+++ b/docs/user-guide/commands/warmup.md
@@ -5,19 +5,19 @@ title: warmup
"Warm up" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it.
-For example, the attack technique [Exfiltrate an AMI by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ami-sharing/) needs an AMI before the detonation phase can detonate the attack, and share it with an external AWS account.
+For example, the attack technique [Exfiltrate an AMI by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/) needs an AMI before the detonation phase can detonate the attack, and share it with an external AWS account.
## Sample Usage
```bash title="Warm up an attack technique"
-stratus warmup aws.exfiltration.ami-sharing
+stratus warmup aws.exfiltration.ec2-share-ami
```
```bash title="Warm up multiple attack techniques"
-stratus warmup aws.exfiltration.ami-sharing aws.exfiltration.backdoor-s3-bucket-policy
+stratus warmup aws.exfiltration.ec2-share-ami aws.exfiltration.s3-backdoor-bucket-policy
```
```bash title="(advanced) Warm up again an attack technique that was already WARM, to ensure its prerequisites are met"
-stratus warmup aws.exfiltration.ami-sharing --force
+stratus warmup aws.exfiltration.ec2-share-ami --force
```
\ No newline at end of file
diff --git a/docs/user-guide/examples.md b/docs/user-guide/examples.md
index b51f102d..ab9d4792 100644
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@@ -34,24 +34,24 @@ $ stratus list --platform aws --mitre-attack-tactic persistence
+-----------------------------------------------+-----------------------------------------+----------+----------------------+
| TECHNIQUE ID | TECHNIQUE NAME | PLATFORM | MITRE ATT&CK TACTIC |
+-----------------------------------------------+-----------------------------------------+----------+----------------------+
-| aws.persistence.backdoor-iam-role | Backdoor an existing IAM Role | AWS | Persistence |
-| aws.persistence.backdoor-iam-user | Create an IAM Access Key on an IAM User | AWS | Persistence |
+| aws.persistence.iam-backdoor-role | Backdoor an existing IAM Role | AWS | Persistence |
+| aws.persistence.iam-backdoor-user | Create an IAM Access Key on an IAM User | AWS | Persistence |
| | | | Privilege Escalation |
-| aws.persistence.iam-user-create-login-profile | Create a Login Profile on an IAM user | AWS | Persistence |
+| aws.persistence.iam-create-user-login-profile | Create a Login Profile on an IAM user | AWS | Persistence |
| | | | Privilege Escalation |
-| aws.persistence.malicious-iam-user | Create an administrative IAM User | AWS | Persistence |
+| aws.persistence.iam-create-admin-user | Create an administrative IAM User | AWS | Persistence |
| | | | Privilege Escalation |
+-----------------------------------------------+-----------------------------------------+----------+----------------------+
```
## Detonating an attack technique
-We're interested in `aws.persistence.backdoor-iam-role`, an attack technique that backdoors an existing IAM role to add a trust relationship with a malicious AWS account.
+We're interested in `aws.persistence.iam-backdoor-role`, an attack technique that backdoors an existing IAM role to add a trust relationship with a malicious AWS account.
-Let's retrieve more information about the technique, either through its [automatically-generated documentation](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.backdoor-iam-role/), or by running:
+Let's retrieve more information about the technique, either through its [automatically-generated documentation](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role/), or by running:
```
-$ stratus show aws.persistence.backdoor-iam-role
+$ stratus show aws.persistence.iam-backdoor-role
Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account.
Warm-up: Creates the prerequisite IAM role.
@@ -64,9 +64,9 @@ We now know that Stratus Red Team will first create an IAM role in the warm-up p
We could choose to perform the warm-up and detonation phase separately - but for simplicity, let's do it all together:
```
-$ stratus detonate aws.persistence.backdoor-iam-role
+$ stratus detonate aws.persistence.iam-backdoor-role
2022/01/19 10:28:08 Checking your authentication against the AWS API
-2022/01/19 10:28:09 Warming up aws.persistence.backdoor-iam-role
+2022/01/19 10:28:09 Warming up aws.persistence.iam-backdoor-role
2022/01/19 10:28:09 Initializing Terraform
2022/01/19 10:28:18 Applying Terraform
2022/01/19 10:28:32 Backdooring IAM role by allowing sts:AssumeRole from an extenral AWS account
@@ -81,7 +81,7 @@ $ stratus status
+------------------------------------+-------------------------------+-----------+
| ID | NAME | STATUS |
+------------------------------------+-------------------------------------------+
-| aws.persistence.backdoor-iam-role | Backdoor an existing IAM Role | DETONATED |
+| aws.persistence.iam-backdoor-role | Backdoor an existing IAM Role | DETONATED |
...
```
@@ -118,7 +118,7 @@ When using `stratus detonate`, the resources spun up are not cleaned up by defau
We can clean up any resources creates by Stratus Red Team using:
```
-stratus cleanup aws.persistence.backdoor-iam-role
+stratus cleanup aws.persistence.iam-backdoor-role
```
## Example 2: Advanced usage
@@ -128,7 +128,7 @@ In this example, we want to prepare our live environment with the prerequisites
We start by warming up the techniques we're interested in:
```bash
-stratus warmup aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user
+stratus warmup aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user
```
We now have the prerequisites ready:
@@ -142,7 +142,7 @@ IAM user sample-legit-user ready
At this point, we can choose to detonate these attack techniques at any point we want. We can do it right away, or in a few hours / days:
```bash
-stratus detonate aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user
+stratus detonate aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user
```
```text
@@ -154,13 +154,13 @@ Creating access key on legit IAM user to simulate backdoor
Now, say we want to replay (i.e., detonate again) an attack technique a few times, for testing and to iterate building our threat detection rules on the side:
```
-stratus detonate aws.persistence.backdoor-iam-user
+stratus detonate aws.persistence.iam-backdoor-user
```
You will notice that the second call raises an error:
```
-aws.persistence.backdoor-iam-user has already been detonated and is not idempotent.
+aws.persistence.iam-backdoor-user has already been detonated and is not idempotent.
Revert it with 'stratus revert' before detonating it again, or use --force
```
@@ -169,32 +169,32 @@ That's because the detonation of this attack technique is not idempotent, meanin
Before re-detonating this technique, we need to revert it:
```
-stratus revert aws.persistence.backdoor-iam-user
+stratus revert aws.persistence.iam-backdoor-user
```
```
-2022/01/19 15:43:35 Reverting detonation of technique aws.persistence.backdoor-iam-user
+2022/01/19 15:43:35 Reverting detonation of technique aws.persistence.iam-backdoor-user
2022/01/19 15:43:35 Removing access key from IAM user sample-legit-user
2022/01/19 15:43:36 Removing access key AKIA254BBSGPJNHEDHNR
+-----------------------------------+-----------------------------------------+--------+
| ID | NAME | STATUS |
+-----------------------------------+-----------------------------------------+--------+
-| aws.persistence.backdoor-iam-user | Create an IAM Access Key on an IAM User | WARM |
+| aws.persistence.iam-backdoor-user | Create an IAM Access Key on an IAM User | WARM |
+-----------------------------------+-----------------------------------------+--------+
```
Our attack technique is now `WARM`, we can detonate it again:
```bash
-stratus detonate aws.persistence.backdoor-iam-user
+stratus detonate aws.persistence.iam-backdoor-user
```
Generally, we can detonate then revert an attack technique indefinitely:
```bash
while true; do
- stratus detonate aws.persistence.backdoor-iam-user
- stratus revert aws.persistence.backdoor-iam-user
+ stratus detonate aws.persistence.iam-backdoor-user
+ stratus revert aws.persistence.iam-backdoor-user
sleep 1
done
```
@@ -202,5 +202,5 @@ done
Once we are done with our testing, we can clean up our techniques. Cleaning up a technique will revert its detonation logic (if applicable), then nuke all its prerequisite resources and infrastructure:
```bash
-stratus cleanup aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user
+stratus cleanup aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user
```
\ No newline at end of file
diff --git a/docs/user-guide/getting-started.md b/docs/user-guide/getting-started.md
index 01068745..f2067a0e 100644
--- a/docs/user-guide/getting-started.md
+++ b/docs/user-guide/getting-started.md
@@ -35,7 +35,7 @@ An attack technique is idempotent if it can be deto
## Example
-Let's take an example with the attack technique [Exfiltrate EBS Snapshot through Snapshot Sharing](../../attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account/).
+Let's take an example with the attack technique [Exfiltrate EBS Snapshot through Snapshot Sharing](../../attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/).
- Warm-up: Create an EBS volume and a snapshot of it
- Detonation: Share the EBS snapshot with an external AWS account
@@ -64,14 +64,14 @@ stratus list
Detonating a specific attack technique is as simple as running:
```bash
-stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
```
You will get an output similar to:
```
2022/01/18 22:32:11 Checking your authentication against the AWS API
-2022/01/18 22:32:12 Warming up aws.exfiltration.ebs-snapshot-shared-with-external-account
+2022/01/18 22:32:12 Warming up aws.exfiltration.ec2-share-ebs-snapshot
2022/01/18 22:32:12 Initializing Terraform
2022/01/18 22:32:19 Applying Terraform
2022/01/18 22:32:43 Sharing the volume snapshot with an external AWS account ID...
@@ -80,7 +80,7 @@ You will get an output similar to:
You can then clean up any leftovers from the technique, which in this case will remove the EBS volume and EBS snapshot:
```bash
-stratus cleanup aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus cleanup aws.exfiltration.ec2-share-ebs-snapshot
```
For more information, see [Usage](./usage.md), [Examples](./examples.md) and the [Command Reference](./commands).
diff --git a/docs/user-guide/usage.md b/docs/user-guide/usage.md
index 9727803a..6d180ecf 100644
--- a/docs/user-guide/usage.md
+++ b/docs/user-guide/usage.md
@@ -17,7 +17,7 @@ stratus list --platform aws
View the detail of a specific technique:
```bash
-$ stratus show aws.exfiltration.ebs-snapshot-shared-with-external-account
+$ stratus show aws.exfiltration.ec2-share-ebs-snapshot
Exfiltrates an EBS snapshot by sharing it with an external AWS account.
Warm-up: Creates an EBS volume and a snapshot.
@@ -27,7 +27,7 @@ Detonation: Calls ModifySnapshotAttribute to share the snapshot.
Detonate an attack technique using:
```bash
-stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
```
This will handle warm-up and detonation (but not clean-up - explicitly use `--clean-up` for this).
@@ -35,14 +35,14 @@ This will handle warm-up and detonation (but not clean-up - explicitly use `--cl
Alternatively, you can handle warm-up and detonation independently:
```bash
-stratus warmup aws.exfiltration.ebs-snapshot-shared-with-external-account
-stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus warmup aws.exfiltration.ec2-share-ebs-snapshot
+stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
```
Cleanup can be done through:
```bash
-stratus cleanup aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus cleanup aws.exfiltration.ec2-share-ebs-snapshot
```
At any time, you can view the state of the TTPs:
@@ -53,9 +53,9 @@ stratus status
+------------------------------------------------------------+-----------+
| TECHNIQUE | STATUS |
+------------------------------------------------------------+-----------+
-| aws.exfiltration.ebs-snapshot-shared-with-external-account | WARM |
-| aws.persistence.backdoor-iam-user | DETONATED |
-| aws.persistence.backdoor-iam-role | WARM |
-| aws.persistence.malicious-iam-user | COLD |
+| aws.exfiltration.ec2-share-ebs-snapshot | WARM |
+| aws.persistence.iam-backdoor-user | DETONATED |
+| aws.persistence.iam-backdoor-role | WARM |
+| aws.persistence.iam-create-admin-user | COLD |
+------------------------------------------------------------+-----------+
```
\ No newline at end of file
diff --git a/examples/basic/README.md b/examples/basic/README.md
index 08b1e686..ad58147c 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -8,18 +8,18 @@ go run detonate_stratus_red_team_technique.go
Sample output:
```
-aws.defense-evasion.stop-cloudtrail
+aws.defense-evasion.cloudtrail-stop
2022/01/21 15:55:11 Checking your authentication against the AWS API
-2022/01/21 15:55:12 Warming up aws.defense-evasion.stop-cloudtrail
+2022/01/21 15:55:12 Warming up aws.defense-evasion.cloudtrail-stop
2022/01/21 15:55:12 Initializing Terraform to spin up technique prerequisites
2022/01/21 15:55:20 Applying Terraform to spin up technique prerequisites
2022/01/21 15:55:45 CloudTrail trail arn:aws:cloudtrail:us-east-1:751353041310:trail/my-cloudtrail-trail ready
TTP is warm! Press enter to detonate it
-2022/01/21 15:55:49 Not warming up - aws.defense-evasion.stop-cloudtrail is already warm. Use --force to force
+2022/01/21 15:55:49 Not warming up - aws.defense-evasion.cloudtrail-stop is already warm. Use --force to force
2022/01/21 15:55:49 Stopping CloudTrail trail my-cloudtrail-trail
-2022/01/21 15:55:49 Cleaning up aws.defense-evasion.stop-cloudtrail
-2022/01/21 15:55:49 Reverting detonation of technique aws.defense-evasion.stop-cloudtrail
+2022/01/21 15:55:49 Cleaning up aws.defense-evasion.cloudtrail-stop
+2022/01/21 15:55:49 Reverting detonation of technique aws.defense-evasion.cloudtrail-stop
2022/01/21 15:55:49 Restarting CloudTrail trail my-cloudtrail-trail
2022/01/21 15:55:50 Cleaning up technique prerequisites with terraform destroy
```
\ No newline at end of file
diff --git a/examples/basic/detonate_stratus_red_team_technique.go b/examples/basic/detonate_stratus_red_team_technique.go
index d1f1587e..0a503ae4 100644
--- a/examples/basic/detonate_stratus_red_team_technique.go
+++ b/examples/basic/detonate_stratus_red_team_technique.go
@@ -11,7 +11,7 @@ import (
This example warms up, then detonates a specific Stratus Red Team attack technique once you press enter.
*/
func main() {
- ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.stop-cloudtrail")
+ ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.cloudtrail-stop")
fmt.Println(ttp)
stratusRunner := stratusrunner.NewRunner(ttp, stratusrunner.StratusRunnerNoForce)
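Review bot: The result of `GetAttackTechniqueByName` is handed to `fmt.Println` and `stratusrunner.NewRunner` without any check, so a stale or mistyped ID is not rejected here. This commit renames most technique IDs, so anyone who copied the example with an old ID would hit this. Assuming the lookup returns nil for an unknown name (its implementation is not visible in this diff), a guard right after the lookup would make the failure explicit: `if ttp == nil { panic("unknown attack technique ID") }`. The body of `main` continues outside the hunk.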
diff --git a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
similarity index 98%
rename from internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go
rename to internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
index 64f2af51..79307c41 100644
--- a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go
+++ b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
@@ -22,7 +22,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.credential-access.ec2-instance-credentials",
+ ID: "aws.credential-access.ec2-steal-instance-credentials",
FriendlyName: "Steal EC2 Instance Credentials",
IsSlow: true,
Description: `
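Review bot: Changing the `ID` literal changes the key users pass to `stratus status`, `stratus revert` and `stratus cleanup`, and the commit shows no alias or migration for the old value. If local state is stored per technique ID (not visible in this diff, worth confirming), a technique left WARM or DETONATED under `aws.credential-access.ec2-instance-credentials` may become unreachable after upgrade, so its prerequisite or detonated resources would stay in the account. The same applies to every other `ID:` change in the `internal/attacktechniques/aws/...` hunks of this commit. Consider resolving the old IDs to the new ones on lookup, or add an upgrade note asking users to run `stratus cleanup --all` before updating. The `init` body continues outside the hunk.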
diff --git a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.tf b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.tf
rename to internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
diff --git a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
similarity index 96%
rename from internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go
rename to internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
index bb1c69ff..a1826d3e 100644
--- a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go
+++ b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
@@ -18,7 +18,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.credential-access.retrieve-all-ssm-parameters",
+ ID: "aws.credential-access.ssm-retrieve-securestring-parameters",
FriendlyName: "Retrieve And Decrypt SSM Parameters",
Description: `
Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS region.
diff --git a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.tf b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.tf
rename to internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
similarity index 95%
rename from internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
index 05d2b29e..deac463f 100644
--- a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
@@ -16,7 +16,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.defense-evasion.delete-cloudtrail",
+ ID: "aws.defense-evasion.cloudtrail-delete",
FriendlyName: "Delete CloudTrail Trail",
Platform: stratus.AWS,
MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
similarity index 96%
rename from internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
index 72d7e892..cd07b500 100644
--- a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
@@ -16,7 +16,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.defense-evasion.stop-cloudtrail",
+ ID: "aws.defense-evasion.cloudtrail-stop",
FriendlyName: "Stop CloudTrail Trail",
Platform: stratus.AWS,
MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
diff --git a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.go b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
similarity index 97%
rename from internal/attacktechniques/aws/defense-evasion/leave-organization/main.go
rename to internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
index 81aa748c..9468a47d 100644
--- a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
@@ -20,7 +20,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.defense-evasion.leave-organization",
+ ID: "aws.defense-evasion.organizations-leave",
FriendlyName: "Attempt to Leave the AWS Organization",
Platform: stratus.AWS,
IsIdempotent: true,
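Review bot: The new ID `aws.defense-evasion.organizations-leave` is not carried into the docs this same commit updates. The sample table in `docs/user-guide/commands/status.md` still lists `aws.defense-evasion.leave-organization` as an unchanged context row, while the rows around it were renamed. That row should become `| aws.defense-evasion.organizations-leave | Attempt to Leave the AWS Organization | COLD |`, so an ID copied from the docs into `stratus detonate` or `stratus cleanup` still resolves. The `init` body continues outside the hunk.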
diff --git a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.tf b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/leave-organization/main.tf
rename to internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
similarity index 96%
rename from internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go
rename to internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
index 0a306619..963103d4 100644
--- a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
@@ -16,7 +16,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.defense-evasion.remove-vpc-flow-logs",
+ ID: "aws.defense-evasion.vpc-remove-flow-logs",
FriendlyName: "Remove VPC Flow Logs",
Platform: stratus.AWS,
IsIdempotent: false, // can't remove VPC flow logs once they have already been removed
diff --git a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf
rename to internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
diff --git a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
similarity index 97%
rename from internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go
rename to internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
index e4d3d68b..bad681b6 100644
--- a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go
+++ b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
@@ -19,7 +19,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.discovery.basic-enumeration-from-ec2-instance",
+ ID: "aws.discovery.ec2-enumerate-from-instance",
FriendlyName: "Execute Discovery Commands on an EC2 Instance",
IsSlow: true,
Description: `
diff --git a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf
rename to internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
index 86dfb0ed..46cbdd58 100644
--- a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
@@ -17,7 +17,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.open-port-22-ingress-on-security-group",
+ ID: "aws.exfiltration.ec2-security-group-open-port-22-ingress",
FriendlyName: "Open Ingress Port 22 on a Security Group",
Platform: stratus.AWS,
IsIdempotent: false, // cannot call ec2:AuthorizeSecurityGroupIngress multiple times with the same parameters
diff --git a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
similarity index 97%
rename from internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
index 414e7c18..0cc87408 100644
--- a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
@@ -18,7 +18,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.ami-sharing",
+ ID: "aws.exfiltration.ec2-share-ami",
FriendlyName: "Exfiltrate an AMI by Sharing It",
Description: `
Exfiltrates an AMI by sharing it with an external AWS account.
diff --git a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
index ee563829..3dcaa522 100644
--- a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
@@ -16,7 +16,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.ebs-snapshot-shared-with-external-account",
+ ID: "aws.exfiltration.ec2-share-ebs-snapshot",
FriendlyName: "Exfiltrate EBS Snapshot by Sharing It",
Platform: stratus.AWS,
IsIdempotent: true,
diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
similarity index 97%
rename from internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go
rename to internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
index 31528e02..efeee03f 100644
--- a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go
+++ b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
@@ -17,7 +17,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.rds-snapshot-sharing",
+ ID: "aws.exfiltration.rds-share-snapshot",
FriendlyName: "Exfiltrate RDS Snapshot by Sharing",
Platform: stratus.AWS,
IsSlow: true,
diff --git a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.tf b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.tf
rename to internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
index fefd00aa..c098baca 100644
--- a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go
+++ b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
@@ -19,7 +19,7 @@ var backdooredPolicy string
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.backdoor-s3-bucket-policy",
+ ID: "aws.exfiltration.s3-backdoor-bucket-policy",
FriendlyName: "Backdoor an S3 Bucket via its Bucket Policy",
Platform: stratus.AWS,
IsIdempotent: true,
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/malicious_policy.json b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/malicious_policy.json
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/malicious_policy.json
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/malicious_policy.json
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
index 6097e5da..0f4ebfb1 100644
--- a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
@@ -20,7 +20,7 @@ var maliciousIamPolicy string
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.persistence.backdoor-iam-role",
+ ID: "aws.persistence.iam-backdoor-role",
FriendlyName: "Backdoor an IAM Role",
Description: `
Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account.
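Review bot: The `ID:` line changes the technique ID from `aws.persistence.backdoor-iam-role` to `aws.persistence.iam-backdoor-role` without any mapping from the old value; the same holds for the ID changes in the s3-backdoor-bucket-policy, iam-backdoor-user, iam-create-admin-user, iam-create-user-login-profile and lambda-backdoor-function hunks. This ID is the argument users pass to `stratus cleanup` and `stratus revert`, so scripts and runbooks using the old names will stop resolving. If per-technique state is also keyed by the ID (not visible in this diff), resources created by an earlier release, such as the administrative IAM user or the backdoored role, may no longer be found by cleanup and would remain in the account. I would at least record the old name beside the new one, e.g. `// Formerly "aws.persistence.backdoor-iam-role"; run "stratus cleanup --all" with the previous release before upgrading.`, and repeat that in the release notes. The `init` body continues outside the hunk.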
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/malicious_policy.json b/internal/attacktechniques/aws/persistence/iam-backdoor-role/malicious_policy.json
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/malicious_policy.json
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/malicious_policy.json
diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go
rename to internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
index bad2a900..b05a91e8 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -15,7 +15,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.persistence.backdoor-iam-user",
+ ID: "aws.persistence.iam-backdoor-user",
FriendlyName: "Create an Access Key on an IAM User",
Description: `
Establishes persistence by creating an access key on an existing IAM user.
diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf
rename to internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go b/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
similarity index 98%
rename from internal/attacktechniques/aws/persistence/iam-user-create-new/main.go
rename to internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
index 9a750100..3f9302a5 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
@@ -18,7 +18,7 @@ var adminPolicyArn = aws.String("arn:aws:iam::aws:policy/AdministratorAccess")
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.persistence.malicious-iam-user",
+ ID: "aws.persistence.iam-create-admin-user",
FriendlyName: "Create an administrative IAM User",
Description: `
Establishes persistence by creating a new IAM user with administrative permissions.
@@ -82,7 +82,7 @@ func revert(map[string]string) error {
if err != nil {
return errors.New("unable to clean up IAM user access keys: " + err.Error())
}
-
+
for i := range result.AccessKeyMetadata {
accessKeyId := result.AccessKeyMetadata[i].AccessKeyId
_, err := iamClient.DeleteAccessKey(context.Background(), &iam.DeleteAccessKeyInput{
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go
rename to internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
index 982e8087..a686783f 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
@@ -17,7 +17,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.persistence.iam-user-create-login-profile",
+ ID: "aws.persistence.iam-create-user-login-profile",
FriendlyName: "Create a Login Profile on an IAM User",
Description: `
Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf
rename to internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
diff --git a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go
rename to internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
index 41d72e07..8702de40 100644
--- a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go
+++ b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
@@ -17,7 +17,7 @@ var tf []byte
func init() {
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.persistence.backdoor-lambda-function",
+ ID: "aws.persistence.lambda-backdoor-function",
FriendlyName: "Backdoor Lambda Function Through Resource-Based Policy",
Description: `
Establishes persistence by backdooring a lambda function to allow its invocation from an external AWS account.
diff --git a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.tf b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.tf
rename to internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
index 81c80fa7..7d3e4a4b 100644
--- a/internal/attacktechniques/main.go
+++ b/internal/attacktechniques/main.go
@@ -2,25 +2,24 @@ package attacktechniques
import (
_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-get-password-data"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-instance-credentials"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials"
_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete"
_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors"
_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/leave-organization"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-sharing"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing"
-
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/backdoor-lambda-function"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-create-login-profile"
- _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-create-new"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/organizations-leave"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-share-ami"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/rds-share-snapshot"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-backdoor-role"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-backdoor-user"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-create-admin-user"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-create-user-login-profile"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/lambda-backdoor-function"
)