From 6ce0bac500a48b8bddd9ffd73ef7c099e3f2a57a Mon Sep 17 00:00:00 2001 
From: Christophe Tafani-Dereeper Date: Thu, 27 Jan 2022 11:58:18 +0100 Subject: [PATCH] Use consistent naming convention for all attack technique IDs --- cmd/stratus/cleanup_cmd.go | 2 +- cmd/stratus/detonate_cmd.go | 4 +- cmd/stratus/revert_cmd.go | 2 +- cmd/stratus/warmup_cmd.go | 2 +- ...l-access.ec2-steal-instance-credentials.md | 38 ++++++++++++++++ ...s.ssm-retrieve-securestring-parameters.md} | 2 +- ... aws.defense-evasion.cloudtrail-delete.md} | 2 +- ...=> aws.defense-evasion.cloudtrail-stop.md} | 2 +- ...ws.defense-evasion.organizations-leave.md} | 2 +- ...s.defense-evasion.vpc-remove-flow-logs.md} | 2 +- ....discovery.ec2-enumerate-from-instance.md} | 2 +- ...c2-security-group-open-port-22-ingress.md} | 2 +- ...g.md => aws.exfiltration.ec2-share-ami.md} | 2 +- ...ws.exfiltration.ec2-share-ebs-snapshot.md} | 2 +- ...=> aws.exfiltration.rds-share-snapshot.md} | 2 +- ...exfiltration.s3-backdoor-bucket-policy.md} | 2 +- ...d => aws.persistence.iam-backdoor-role.md} | 2 +- ...d => aws.persistence.iam-backdoor-user.md} | 2 +- ... 
aws.persistence.iam-create-admin-user.md} | 2 +- ...sistence.iam-create-user-login-profile.md} | 2 +- ...s.persistence.lambda-backdoor-function.md} | 2 +- docs/attack-techniques/AWS/index.md | 42 +++++++++--------- docs/attack-techniques/list.md | 34 +++++++------- docs/index.md | 2 +- docs/user-guide/commands/cleanup.md | 2 +- docs/user-guide/commands/detonate.md | 6 +-- docs/user-guide/commands/revert.md | 4 +- docs/user-guide/commands/status.md | 6 +-- docs/user-guide/commands/warmup.md | 8 ++-- docs/user-guide/examples.md | 44 +++++++++---------- docs/user-guide/getting-started.md | 8 ++-- docs/user-guide/usage.md | 18 ++++---- examples/basic/README.md | 10 ++--- .../detonate_stratus_red_team_technique.go | 2 +- .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../{ami-sharing => ec2-share-ami}/main.go | 2 +- .../{ami-sharing => ec2-share-ami}/main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 .../malicious_policy.json | 0 .../main.go | 2 +- .../main.tf | 0 .../malicious_policy.json | 0 .../main.go | 2 +- .../main.tf | 0 .../main.go | 4 +- .../main.go | 2 +- .../main.tf | 0 .../main.go | 2 +- .../main.tf | 0 internal/attacktechniques/main.go | 35 +++++++-------- 70 files changed, 187 insertions(+), 150 deletions(-) create mode 100755 docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md rename docs/attack-techniques/AWS/{aws.credential-access.retrieve-all-ssm-parameters.md => aws.credential-access.ssm-retrieve-securestring-parameters.md} (91%) rename docs/attack-techniques/AWS/{aws.defense-evasion.delete-cloudtrail.md => aws.defense-evasion.cloudtrail-delete.md} (89%) rename docs/attack-techniques/AWS/{aws.defense-evasion.stop-cloudtrail.md 
=> aws.defense-evasion.cloudtrail-stop.md} (92%) rename docs/attack-techniques/AWS/{aws.defense-evasion.leave-organization.md => aws.defense-evasion.organizations-leave.md} (94%) rename docs/attack-techniques/AWS/{aws.defense-evasion.remove-vpc-flow-logs.md => aws.defense-evasion.vpc-remove-flow-logs.md} (89%) rename docs/attack-techniques/AWS/{aws.discovery.basic-enumeration-from-ec2-instance.md => aws.discovery.ec2-enumerate-from-instance.md} (95%) rename docs/attack-techniques/AWS/{aws.exfiltration.open-port-22-ingress-on-security-group.md => aws.exfiltration.ec2-security-group-open-port-22-ingress.md} (88%) rename docs/attack-techniques/AWS/{aws.exfiltration.ami-sharing.md => aws.exfiltration.ec2-share-ami.md} (92%) rename docs/attack-techniques/AWS/{aws.exfiltration.ebs-snapshot-shared-with-external-account.md => aws.exfiltration.ec2-share-ebs-snapshot.md} (90%) rename docs/attack-techniques/AWS/{aws.exfiltration.rds-snapshot-sharing.md => aws.exfiltration.rds-share-snapshot.md} (94%) rename docs/attack-techniques/AWS/{aws.exfiltration.backdoor-s3-bucket-policy.md => aws.exfiltration.s3-backdoor-bucket-policy.md} (94%) rename docs/attack-techniques/AWS/{aws.persistence.backdoor-iam-role.md => aws.persistence.iam-backdoor-role.md} (95%) rename docs/attack-techniques/AWS/{aws.persistence.backdoor-iam-user.md => aws.persistence.iam-backdoor-user.md} (91%) rename docs/attack-techniques/AWS/{aws.persistence.malicious-iam-user.md => aws.persistence.iam-create-admin-user.md} (90%) rename docs/attack-techniques/AWS/{aws.persistence.iam-user-create-login-profile.md => aws.persistence.iam-create-user-login-profile.md} (91%) rename docs/attack-techniques/AWS/{aws.persistence.backdoor-lambda-function.md => aws.persistence.lambda-backdoor-function.md} (91%) rename internal/attacktechniques/aws/credential-access/{ec2-instance-credentials => ec2-steal-instance-credentials}/main.go (98%) rename internal/attacktechniques/aws/credential-access/{ec2-instance-credentials => 
ec2-steal-instance-credentials}/main.tf (100%) rename internal/attacktechniques/aws/credential-access/{ssm-get-all-parameters => ssm-retrieve-securestring-parameters}/main.go (96%) rename internal/attacktechniques/aws/credential-access/{ssm-get-all-parameters => ssm-retrieve-securestring-parameters}/main.tf (100%) rename internal/attacktechniques/aws/defense-evasion/{delete-cloudtrail => cloudtrail-delete}/main.go (95%) rename internal/attacktechniques/aws/defense-evasion/{delete-cloudtrail => cloudtrail-delete}/main.tf (100%) rename internal/attacktechniques/aws/defense-evasion/{disable-cloudtrail => cloudtrail-stop}/main.go (96%) rename internal/attacktechniques/aws/defense-evasion/{disable-cloudtrail => cloudtrail-stop}/main.tf (100%) rename internal/attacktechniques/aws/defense-evasion/{leave-organization => organizations-leave}/main.go (97%) rename internal/attacktechniques/aws/defense-evasion/{leave-organization => organizations-leave}/main.tf (100%) rename internal/attacktechniques/aws/defense-evasion/{remove-vpc-flow-logs => vpc-remove-flow-logs}/main.go (96%) rename internal/attacktechniques/aws/defense-evasion/{remove-vpc-flow-logs => vpc-remove-flow-logs}/main.tf (100%) rename internal/attacktechniques/aws/discovery/{discovery-commands-ec2-instance-role => ec2-enumerate-from-instance}/main.go (97%) rename internal/attacktechniques/aws/discovery/{discovery-commands-ec2-instance-role => ec2-enumerate-from-instance}/main.tf (100%) rename internal/attacktechniques/aws/exfiltration/{securitygroup-open-port-22-to-internet => ec2-security-group-open-port-22-ingress}/main.go (96%) rename internal/attacktechniques/aws/exfiltration/{securitygroup-open-port-22-to-internet => ec2-security-group-open-port-22-ingress}/main.tf (100%) rename internal/attacktechniques/aws/exfiltration/{ami-sharing => ec2-share-ami}/main.go (97%) rename internal/attacktechniques/aws/exfiltration/{ami-sharing => ec2-share-ami}/main.tf (100%) rename 
internal/attacktechniques/aws/exfiltration/{ebs-snapshot-share => ec2-share-ebs-snapshot}/main.go (96%) rename internal/attacktechniques/aws/exfiltration/{ebs-snapshot-share => ec2-share-ebs-snapshot}/main.tf (100%) rename internal/attacktechniques/aws/exfiltration/{rds-snapshot-sharing => rds-share-snapshot}/main.go (97%) rename internal/attacktechniques/aws/exfiltration/{rds-snapshot-sharing => rds-share-snapshot}/main.tf (100%) rename internal/attacktechniques/aws/exfiltration/{s3-bucket-backdoor-bucket-policy => s3-backdoor-bucket-policy}/main.go (96%) rename internal/attacktechniques/aws/exfiltration/{s3-bucket-backdoor-bucket-policy => s3-backdoor-bucket-policy}/main.tf (100%) rename internal/attacktechniques/aws/exfiltration/{s3-bucket-backdoor-bucket-policy => s3-backdoor-bucket-policy}/malicious_policy.json (100%) rename internal/attacktechniques/aws/persistence/{iam-role-backdoor-existing => iam-backdoor-role}/main.go (97%) rename internal/attacktechniques/aws/persistence/{iam-role-backdoor-existing => iam-backdoor-role}/main.tf (100%) rename internal/attacktechniques/aws/persistence/{iam-role-backdoor-existing => iam-backdoor-role}/malicious_policy.json (100%) rename internal/attacktechniques/aws/persistence/{iam-user-backdoor-existing => iam-backdoor-user}/main.go (97%) rename internal/attacktechniques/aws/persistence/{iam-user-backdoor-existing => iam-backdoor-user}/main.tf (100%) rename internal/attacktechniques/aws/persistence/{iam-user-create-new => iam-create-admin-user}/main.go (98%) rename internal/attacktechniques/aws/persistence/{iam-user-create-login-profile => iam-create-user-login-profile}/main.go (97%) rename internal/attacktechniques/aws/persistence/{iam-user-create-login-profile => iam-create-user-login-profile}/main.tf (100%) rename internal/attacktechniques/aws/persistence/{backdoor-lambda-function => lambda-backdoor-function}/main.go (97%) rename internal/attacktechniques/aws/persistence/{backdoor-lambda-function => 
lambda-backdoor-function}/main.tf (100%) diff --git a/cmd/stratus/cleanup_cmd.go b/cmd/stratus/cleanup_cmd.go index 3d278b5f..a383d978 100644 --- a/cmd/stratus/cleanup_cmd.go +++ b/cmd/stratus/cleanup_cmd.go @@ -16,7 +16,7 @@ func buildCleanupCmd() *cobra.Command { Use: "cleanup [attack-technique-id]... | --all", Aliases: []string{"clean"}, Short: "Cleans up any leftover infrastructure or configuration from a TTP.", - Example: "stratus cleanup aws.defense-evasion.stop-cloudtrail\nstratus cleanup --all", + Example: "stratus cleanup aws.defense-evasion.cloudtrail-stop\nstratus cleanup --all", DisableFlagsInUseLine: true, Args: func(cmd *cobra.Command, args []string) error { if len(args) == 0 && flagCleanupAll { diff --git a/cmd/stratus/detonate_cmd.go b/cmd/stratus/detonate_cmd.go index dd6ad4b1..8906eee7 100644 --- a/cmd/stratus/detonate_cmd.go +++ b/cmd/stratus/detonate_cmd.go @@ -18,8 +18,8 @@ func buildDetonateCmd() *cobra.Command { Use: "detonate attack-technique-id [attack-technique-id]...", Short: "Detonate one or multiple attack techniques", Example: strings.Join([]string{ - "stratus detonate aws.defense-evasion.stop-cloudtrail", - "stratus detonate aws.defense-evasion.stop-cloudtrail --cleanup", + "stratus detonate aws.defense-evasion.cloudtrail-stop", + "stratus detonate aws.defense-evasion.cloudtrail-stop --cleanup", }, "\n"), DisableFlagsInUseLine: true, PreRunE: func(cmd *cobra.Command, args []string) error { diff --git a/cmd/stratus/revert_cmd.go b/cmd/stratus/revert_cmd.go index b133c444..273d6eb8 100644 --- a/cmd/stratus/revert_cmd.go +++ b/cmd/stratus/revert_cmd.go 
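Review bot: Renaming every technique ID is a breaking change for anyone who has already run `stratus warmup` with the old IDs, and nothing in this hunk handles it: if the persisted state and per-technique Terraform working directories are keyed by the technique ID (not visible here, so an assumption to confirm), `stratus cleanup --all` from this version will not see infrastructure created under the previous names, and that infrastructure is deliberately insecure (EC2 instance with an instance role, admin IAM users, security groups open to 0.0.0.0/0, snapshots and AMIs shared with an external account). Consider accepting the previous IDs for at least one release, e.g. a `var legacyTechniqueIDs = map[string]string{"aws.defense-evasion.stop-cloudtrail": "aws.defense-evasion.cloudtrail-stop", /* ... */}` consulted in the Args validator before the lookup, or at minimum state in the release notes that users must run `stratus cleanup --all` with the previous version before upgrading. buildCleanupCmd's body continues outside the hunk.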
@@ -15,7 +15,7 @@ func buildRevertCmd() *cobra.Command { detonateCmd := &cobra.Command{ Use: "revert attack-technique-id [attack-technique-id]...", Short: "Revert the detonation of an attack technique", - Example: "stratus revert aws.defense-evasion.stop-cloudtrail", + Example: "stratus revert aws.defense-evasion.cloudtrail-stop", DisableFlagsInUseLine: true, PreRunE: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { diff --git a/cmd/stratus/warmup_cmd.go b/cmd/stratus/warmup_cmd.go index 1ba45801..72ea450d 100644 --- a/cmd/stratus/warmup_cmd.go +++ b/cmd/stratus/warmup_cmd.go @@ -15,7 +15,7 @@ func buildWarmupCmd() *cobra.Command { warmupCmd := &cobra.Command{ Use: "warmup attack-technique-id [attack-technique-id]...", Short: "\"Warm up\" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it", - Example: "stratus warmup aws.defense-evasion.stop-cloudtrail", + Example: "stratus warmup aws.defense-evasion.cloudtrail-stop", DisableFlagsInUseLine: true, PreRunE: func(cmd *cobra.Command, args []string) error { if len(args) == 0 { diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md new file mode 100755 index 00000000..330249fc --- /dev/null +++ b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md 
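Review bot: In buildRevertCmd the command value is still named `detonateCmd` (the context line `detonateCmd := &cobra.Command{` directly above the updated Example), which reads as a copy-paste from detonate_cmd.go and makes the revert/detonate pair easy to confuse when scanning the file. Rename it to `revertCmd := &cobra.Command{` to match `warmupCmd` in warmup_cmd.go and the function name. The function's body continues outside the hunk, so the later return of the value would need the same rename.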
@@ -0,0 +1,38 @@ +--- +title: Steal EC2 Instance Credentials +--- + +# Steal EC2 Instance Credentials + + slow + idempotent + +Platform: AWS + +## MITRE ATT&CK Tactics + + +- Credential Access + +## Description + + +Simulates the theft of EC2 instance credentials from the Instance Metadata Service. + +Warm-up: + +- Create the prerequisite EC2 instance and VPC (takes a few minutes). + +Detonation: + +- Execute a SSM command on the instance to retrieve temporary credentials +- Use these credentials locally (outside the instance) to run the following commands: + - sts:GetCallerIdentity + - ec2:DescribeInstances + + +## Instructions + +```bash title="Detonate with Stratus Red Team" +stratus detonate aws.credential-access.ec2-steal-instance-credentials +``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md similarity index 91% rename from docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md rename to docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md index cd58d6f4..77155e68 100755 --- a/docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md +++ b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md @@ -32,5 +32,5 @@ Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.credential-access.retrieve-all-ssm-parameters +stratus detonate aws.credential-access.ssm-retrieve-securestring-parameters ``` \ No newline at end of file 
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md similarity index 89% rename from docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md rename to docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md index a840e279..30cfb9aa 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md @@ -31,5 +31,5 @@ Delete a CloudTrail trail. Simulates an attacker disrupting CloudTrail logging. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.defense-evasion.delete-cloudtrail +stratus detonate aws.defense-evasion.cloudtrail-delete ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md similarity index 92% rename from docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md rename to docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md index 8af753c9..e1732acd 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md @@ -31,5 +31,5 @@ Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTra ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.defense-evasion.stop-cloudtrail +stratus detonate aws.defense-evasion.cloudtrail-stop ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md similarity index 94% rename from docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md rename to docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md index 1c2b7733..556215f8 100755 
--- a/docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md @@ -34,5 +34,5 @@ Leaving the organization can disrupt or totally shut down these controls. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.defense-evasion.leave-organization +stratus detonate aws.defense-evasion.organizations-leave ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md similarity index 89% rename from docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md rename to docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md index 321a8638..9d6aeda0 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md @@ -31,5 +31,5 @@ Removes a VPC Flog Logs configuration from a VPC. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.defense-evasion.remove-vpc-flow-logs +stratus detonate aws.defense-evasion.vpc-remove-flow-logs ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md b/docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md similarity index 95% rename from docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md rename to docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md index de48e997..89c53d63 100755 --- a/docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md +++ b/docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md 
@@ -43,5 +43,5 @@ The commands will be run under the identity of the EC2 instance role, simulating ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.discovery.basic-enumeration-from-ec2-instance +stratus detonate aws.discovery.ec2-enumerate-from-instance ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md similarity index 88% rename from docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md index ebf6514a..d442e18a 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md @@ -31,5 +31,5 @@ Opens ingress traffic on port 22 from the Internet (0.0.0.0/0). ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.exfiltration.open-port-22-ingress-on-security-group +stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md similarity index 92% rename from docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md index e701acbb..bfcd7e1b 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md 
@@ -31,5 +31,5 @@ Exfiltrates an AMI by sharing it with an external AWS account. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.exfiltration.ami-sharing +stratus detonate aws.exfiltration.ec2-share-ami ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md similarity index 90% rename from docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md rename to docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md index b527f810..8e144693 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md @@ -31,5 +31,5 @@ Exfiltrates an EBS snapshot by sharing it with an external AWS account. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus detonate aws.exfiltration.ec2-share-ebs-snapshot ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md similarity index 94% rename from docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md rename to docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md index 54c23093..bd17c644 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md @@ -32,5 +32,5 @@ Shares a RDS Snapshot with an external AWS account to simulate an attacker exfil ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.exfiltration.rds-snapshot-sharing +stratus detonate aws.exfiltration.rds-share-snapshot ``` \ No newline at end of file 
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md b/docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md similarity index 94% rename from docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md rename to docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md index de9bc685..95a0e945 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md @@ -56,5 +56,5 @@ Exfiltrates data from an S3 bucket by backdooring its Bucket Policy to allow acc ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.exfiltration.backdoor-s3-bucket-policy +stratus detonate aws.exfiltration.s3-backdoor-bucket-policy ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md similarity index 95% rename from docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md rename to docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md index 717c0c58..61839d96 100755 --- a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md @@ -55,5 +55,5 @@ Establishes persistence by backdooring an existing IAM role, allowing it to be a ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.persistence.backdoor-iam-role +stratus detonate aws.persistence.iam-backdoor-role ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md similarity index 91% rename from docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md rename to docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md index 70261dfd..44ee5295 100755 
--- a/docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md @@ -32,5 +32,5 @@ Establishes persistence by creating an access key on an existing IAM user. ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.persistence.backdoor-iam-user +stratus detonate aws.persistence.iam-backdoor-user ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md similarity index 90% rename from docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md rename to docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md index 12b605c0..8e2b2b31 100755 --- a/docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md @@ -30,5 +30,5 @@ Establishes persistence by creating a new IAM user with administrative permissio ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.persistence.malicious-iam-user +stratus detonate aws.persistence.iam-create-admin-user ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md similarity index 91% rename from docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md rename to docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md index f2c7252d..1e1b166a 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md 
@@ -33,5 +33,5 @@ user intended to be used programmatically through the AWS console usual login pr ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.persistence.iam-user-create-login-profile +stratus detonate aws.persistence.iam-create-user-login-profile ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md similarity index 91% rename from docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md rename to docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md index 3989ece1..79a0c9f4 100755 --- a/docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md +++ b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md @@ -31,5 +31,5 @@ Establishes persistence by backdooring a lambda function to allow its invocation ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate aws.persistence.backdoor-lambda-function +stratus detonate aws.persistence.lambda-backdoor-function ``` \ No newline at end of file diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md index 7681916a..8dc0243c 100755 --- a/docs/attack-techniques/AWS/index.md +++ b/docs/attack-techniques/AWS/index.md 
@@ -8,64 +8,64 @@ Note that some Stratus attack techniques may correspond to more than a single AT - [Retrieve EC2 Password Data](./aws.credential-access.ec2-get-password-data.md) -- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-instance-credentials.md) +- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md) - [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md) -- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.retrieve-all-ssm-parameters.md) +- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md) ## Defense Evasion +- [Delete CloudTrail Trail](./aws.defense-evasion.cloudtrail-delete.md) + - [Disable CloudTrail Logging Through Event Selectors](./aws.defense-evasion.cloudtrail-event-selectors.md) - [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws.defense-evasion.cloudtrail-lifecycle-rule.md) -- [Delete CloudTrail Trail](./aws.defense-evasion.delete-cloudtrail.md) - -- [Stop CloudTrail Trail](./aws.defense-evasion.stop-cloudtrail.md) +- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md) -- [Attempt to Leave the AWS Organization](./aws.defense-evasion.leave-organization.md) +- [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md) -- [Remove VPC Flow Logs](./aws.defense-evasion.remove-vpc-flow-logs.md) +- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md) ## Discovery -- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.basic-enumeration-from-ec2-instance.md) +- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md) ## Exfiltration -- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ami-sharing.md) +- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.ec2-security-group-open-port-22-ingress.md) -- [Exfiltrate EBS Snapshot by Sharing 
It](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md) +- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ec2-share-ami.md) -- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-snapshot-sharing.md) +- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ec2-share-ebs-snapshot.md) -- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.backdoor-s3-bucket-policy.md) +- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-share-snapshot.md) -- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.open-port-22-ingress-on-security-group.md) +- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md) ## Persistence -- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.backdoor-lambda-function.md) +- [Backdoor an IAM Role](./aws.persistence.iam-backdoor-role.md) -- [Backdoor an IAM Role](./aws.persistence.backdoor-iam-role.md) +- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) -- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md) +- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) -- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md) +- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) -- [Create an administrative IAM User](./aws.persistence.malicious-iam-user.md) +- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md) ## Privilege Escalation -- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md) +- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) -- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md) +- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) -- [Create an administrative IAM 
User](./aws.persistence.malicious-iam-user.md) +- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md index 2dcc378e..5da76366 100755 --- a/docs/attack-techniques/list.md +++ b/docs/attack-techniques/list.md 
@@ -10,23 +10,23 @@ This page contains the list of all Stratus Attack Techniques. | Name | Platform | MITRE ATT&CK Tactics | | :----: | :------: | :------------------: | | [Retrieve EC2 Password Data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access | -| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access | +| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-steal-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access | | [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access | -| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.retrieve-all-ssm-parameters.md) | [AWS](./AWS/index.md) | Credential Access | +| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md) | [AWS](./AWS/index.md) | Credential Access | +| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-delete.md) | [AWS](./AWS/index.md) | Defense Evasion | | [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion | | [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion | -| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion | -| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion | -| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion | -| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion | -| [Execute 
Discovery Commands on an EC2 Instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery | -| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ami-sharing.md) | [AWS](./AWS/index.md) | Exfiltration | -| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration | -| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-snapshot-sharing.md) | [AWS](./AWS/index.md) | Exfiltration | -| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration | -| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration | -| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.backdoor-lambda-function.md) | [AWS](./AWS/index.md) | Persistence | -| [Backdoor an IAM Role](./AWS/aws.persistence.backdoor-iam-role.md) | [AWS](./AWS/index.md) | Persistence | -| [Create an Access Key on an IAM User](./AWS/aws.persistence.backdoor-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | -| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-user-create-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | -| [Create an administrative IAM User](./AWS/aws.persistence.malicious-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | +| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion | +| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion | +| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion | +| [Execute Discovery Commands on an EC2 
Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery | +| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md) | [AWS](./AWS/index.md) | Exfiltration | +| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ec2-share-ami.md) | [AWS](./AWS/index.md) | Exfiltration | +| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration | +| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-share-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration | +| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.s3-backdoor-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration | +| [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence | +| [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | +| [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | +| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation | +| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence | diff --git a/docs/index.md b/docs/index.md index 29e7d818..ce212511 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -21,7 +21,7 @@ Think of Stratus Red Team as "[Atomic Red Team](https://github.com/redcanaryco/a Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ```bash title="Sample usage - Stopping a CloudTrail Trail (Defense Evasion)" -stratus detonate aws.defense-evasion.stop-cloudtrail +stratus detonate aws.defense-evasion.cloudtrail-stop ``` The attack techniques are mapped to [MITRE ATT&CK](https://attack.mitre.org/). diff --git a/docs/user-guide/commands/cleanup.md b/docs/user-guide/commands/cleanup.md index 51124545..49b10b5c 100644 --- a/docs/user-guide/commands/cleanup.md +++ b/docs/user-guide/commands/cleanup.md @@ -8,7 +8,7 @@ Cleans up any leftover infrastructure from an attack technique. ## Sample Usage ```bash title="Clean up an attack technique" -stratus cleanup aws.defense-evasion.stop-cloudtrail +stratus cleanup aws.defense-evasion.cloudtrail-stop ``` ```bash title="Clean up all attack techniques that can be cleaned up" diff --git a/docs/user-guide/commands/detonate.md b/docs/user-guide/commands/detonate.md index 00c8f030..4040f24c 100644 --- a/docs/user-guide/commands/detonate.md +++ b/docs/user-guide/commands/detonate.md 
@@ -11,13 +11,13 @@ Detonates an attack technique. ## Sample Usage ```bash title="Detonate an attack technique" -stratus detonate aws.exfiltration.backdoor-s3-bucket-policy +stratus detonate aws.exfiltration.s3-backdoor-bucket-policy ``` ```bash title="Detonate multiple attack techniques" -stratus detonate aws.exfiltration.backdoor-s3-bucket-policy aws.defense-evasion.stop-cloudtrail +stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.cloudtrail-stop ``` ```bash title="Detonate an attack technique, then automatically clean up any resources deployed on AWS" -stratus detonate aws.exfiltration.backdoor-s3-bucket-policy --cleanup +stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup ``` \ No newline at end of file diff --git a/docs/user-guide/commands/revert.md b/docs/user-guide/commands/revert.md index d460eda0..0aa30d6f 100644 --- a/docs/user-guide/commands/revert.md +++ b/docs/user-guide/commands/revert.md 
@@ -6,14 +6,14 @@ title: revert Reverts the detonation of an attack technique, when applicable. Some attack techniques are not *idempotent*, meaning that you cannot detonate them multiple times because of their side effect. -For instance, [Stop a CloudTrail Trail](https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail/) stops a CloudTrail Trail when detonated. Consequently, it cannot be detonated again (as the Trail is already stopped). +For instance, [Stop a CloudTrail Trail](https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop/) stops a CloudTrail Trail when detonated. Consequently, it cannot be detonated again (as the Trail is already stopped). `stratus revert` ensures that a non-idempotent technique is reverted to a state where it can be detonated again. ## Sample Usage ```bash title="Revert an attack technique" -stratus revert aws.persistence.backdoor-lambda-function +stratus revert aws.persistence.lambda-backdoor-function ``` ## Difference with `stratus cleanup` diff --git a/docs/user-guide/commands/status.md b/docs/user-guide/commands/status.md index 79354012..daced1df 100644 --- a/docs/user-guide/commands/status.md +++ b/docs/user-guide/commands/status.md 
@@ -19,9 +19,9 @@ stratus status +------------------------------------------------------------+--------------------------------------------------------+-------------+ | ID | NAME | STATUS | +------------------------------------------------------------+--------------------------------------------------------+-------------+ -| aws.defense-evasion.stop-cloudtrail | Stop a CloudTrail Trail | WARM | +| aws.defense-evasion.cloudtrail-stop | Stop a CloudTrail Trail | WARM | | aws.defense-evasion.leave-organization | Attempt to Leave the AWS Organization | COLD | -| aws.defense-evasion.remove-vpc-flow-logs | Remove VPC Flow Logs | WARM | -| aws.persistence.backdoor-iam-user | Create an Access Key on an IAM User | DETONATED | +| aws.defense-evasion.vpc-remove-flow-logs | Remove VPC Flow Logs | WARM | +| aws.persistence.iam-backdoor-user | Create an Access Key on an IAM User | DETONATED | +------------------------------------------------------------+--------------------------------------------------------+-------------+ ``` \ No newline at end of file diff --git a/docs/user-guide/commands/warmup.md b/docs/user-guide/commands/warmup.md index 0384f4ce..b45472c8 100644 --- a/docs/user-guide/commands/warmup.md +++ b/docs/user-guide/commands/warmup.md 
@@ -5,19 +5,19 @@ title: warmup "Warm up" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it. -For example, the attack technique [Exfiltrate an AMI by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ami-sharing/) needs an AMI before the detonation phase can detonate the attack, and share it with an external AWS account. +For example, the attack technique [Exfiltrate an AMI by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/) needs an AMI before the detonation phase can detonate the attack, and share it with an external AWS account. ## Sample Usage ```bash title="Warm up an attack technique" -stratus warmup aws.exfiltration.ami-sharing +stratus warmup aws.exfiltration.ec2-share-ami ``` ```bash title="Warm up multiple attack techniques" -stratus warmup aws.exfiltration.ami-sharing aws.exfiltration.backdoor-s3-bucket-policy +stratus warmup aws.exfiltration.ec2-share-ami aws.exfiltration.s3-backdoor-bucket-policy ``` ```bash title="(advanced) Warm up again an attack technique that was already WARM, to ensure its prerequisites are met" -stratus warmup aws.exfiltration.ami-sharing --force +stratus warmup aws.exfiltration.ec2-share-ami --force ``` \ No newline at end of file diff --git a/docs/user-guide/examples.md b/docs/user-guide/examples.md index b51f102d..ab9d4792 100644 --- a/docs/user-guide/examples.md +++ b/docs/user-guide/examples.md 
@@ -34,24 +34,24 @@ $ stratus list --platform aws --mitre-attack-tactic persistence +-----------------------------------------------+-----------------------------------------+----------+----------------------+ | TECHNIQUE ID | TECHNIQUE NAME | PLATFORM | MITRE ATT&CK TACTIC | +-----------------------------------------------+-----------------------------------------+----------+----------------------+ -| aws.persistence.backdoor-iam-role | Backdoor an existing IAM Role | AWS | Persistence | -| aws.persistence.backdoor-iam-user | Create an IAM Access Key on an IAM User | AWS | Persistence | +| aws.persistence.iam-backdoor-role | Backdoor an existing IAM Role | AWS | Persistence | +| aws.persistence.iam-backdoor-user | Create an IAM Access Key on an IAM User | AWS | Persistence | | | | | Privilege Escalation | -| aws.persistence.iam-user-create-login-profile | Create a Login Profile on an IAM user | AWS | Persistence | +| aws.persistence.iam-create-user-login-profile | Create a Login Profile on an IAM user | AWS | Persistence | | | | | Privilege Escalation | -| aws.persistence.malicious-iam-user | Create an administrative IAM User | AWS | Persistence | +| aws.persistence.iam-create-admin-user | Create an administrative IAM User | AWS | Persistence | | | | | Privilege Escalation | +-----------------------------------------------+-----------------------------------------+----------+----------------------+ ``` ## Detonating an attack technique -We're interested in `aws.persistence.backdoor-iam-role`, an attack technique that backdoors an existing IAM role to add a trust relationship with a malicious AWS account. +We're interested in `aws.persistence.iam-backdoor-role`, an attack technique that backdoors an existing IAM role to add a trust relationship with a malicious AWS account. 
-Let's retrieve more information about the technique, either through its [automatically-generated documentation](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.backdoor-iam-role/), or by running: +Let's retrieve more information about the technique, either through its [automatically-generated documentation](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role/), or by running: ``` -$ stratus show aws.persistence.backdoor-iam-role +$ stratus show aws.persistence.iam-backdoor-role Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account. Warm-up: Creates the prerequisite IAM role. @@ -64,9 +64,9 @@ We now know that Stratus Red Team will first create an IAM role in the warm-up p We could choose to perform the warm-up and detonation phase separately - but for simplicity, let's do it all together: ``` -$ stratus detonate aws.persistence.backdoor-iam-role +$ stratus detonate aws.persistence.iam-backdoor-role 2022/01/19 10:28:08 Checking your authentication against the AWS API -2022/01/19 10:28:09 Warming up aws.persistence.backdoor-iam-role +2022/01/19 10:28:09 Warming up aws.persistence.iam-backdoor-role 2022/01/19 10:28:09 Initializing Terraform 2022/01/19 10:28:18 Applying Terraform 2022/01/19 10:28:32 Backdooring IAM role by allowing sts:AssumeRole from an extenral AWS account @@ -81,7 +81,7 @@ $ stratus status +------------------------------------+-------------------------------+-----------+ | ID | NAME | STATUS | +------------------------------------+-------------------------------------------+ -| aws.persistence.backdoor-iam-role | Backdoor an existing IAM Role | DETONATED | +| aws.persistence.iam-backdoor-role | Backdoor an existing IAM Role | DETONATED | ... ``` 
@@ -118,7 +118,7 @@ When using `stratus detonate`, the resources spun up are not cleaned up by defau We can clean up any resources creates by Stratus Red Team using: ``` -stratus cleanup aws.persistence.backdoor-iam-role +stratus cleanup aws.persistence.iam-backdoor-role ``` ## Example 2: Advanced usage @@ -128,7 +128,7 @@ In this example, we want to prepare our live environment with the prerequisites We start by warming up the techniques we're interested in: ```bash -stratus warmup aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user +stratus warmup aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user ``` We now have the prerequisites ready: @@ -142,7 +142,7 @@ IAM user sample-legit-user ready At this point, we can choose to detonate these attack techniques at any point we want. We can do it right away, or in a few hours / days: ```bash -stratus detonate aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user +stratus detonate aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user ``` ```text @@ -154,13 +154,13 @@ Creating access key on legit IAM user to simulate backdoor Now, say we want to replay (i.e., detonate again) an attack technique a few times, for testing and to iterate building our threat detection rules on the side: ``` -stratus detonate aws.persistence.backdoor-iam-user +stratus detonate aws.persistence.iam-backdoor-user ``` You will notice that the second call raises an error: ``` -aws.persistence.backdoor-iam-user has already been detonated and is not idempotent. +aws.persistence.iam-backdoor-user has already been detonated and is not idempotent. Revert it with 'stratus revert' before detonating it again, or use --force ``` 
@@ -169,32 +169,32 @@ That's because the detonation of this attack technique is not idempotent, meanin Before re-detonating this technique, we need to revert it: ``` -stratus revert aws.persistence.backdoor-iam-user +stratus revert aws.persistence.iam-backdoor-user ``` ``` -2022/01/19 15:43:35 Reverting detonation of technique aws.persistence.backdoor-iam-user +2022/01/19 15:43:35 Reverting detonation of technique aws.persistence.iam-backdoor-user 2022/01/19 15:43:35 Removing access key from IAM user sample-legit-user 2022/01/19 15:43:36 Removing access key AKIA254BBSGPJNHEDHNR +-----------------------------------+-----------------------------------------+--------+ | ID | NAME | STATUS | +-----------------------------------+-----------------------------------------+--------+ -| aws.persistence.backdoor-iam-user | Create an IAM Access Key on an IAM User | WARM | +| aws.persistence.iam-backdoor-user | Create an IAM Access Key on an IAM User | WARM | +-----------------------------------+-----------------------------------------+--------+ ``` Our attack technique is now `WARM`, we can detonate it again: ```bash -stratus detonate aws.persistence.backdoor-iam-user +stratus detonate aws.persistence.iam-backdoor-user ``` Generally, we can detonate then revert an attack technique indefinitely: ```bash while true; do - stratus detonate aws.persistence.backdoor-iam-user - stratus revert aws.persistence.backdoor-iam-user + stratus detonate aws.persistence.iam-backdoor-user + stratus revert aws.persistence.iam-backdoor-user sleep 1 done ``` 
@@ -202,5 +202,5 @@ done Once we are done with our testing, we can clean up our techniques. Cleaning up a technique will revert its detonation logic (if applicable), then nuke all its prerequisite resources and infrastructure: ```bash -stratus cleanup aws.defense-evasion.stop-cloudtrail aws.defense-evasion.remove-vpc-flow-logs aws.persistence.backdoor-iam-user +stratus cleanup aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user ``` \ No newline at end of file diff --git a/docs/user-guide/getting-started.md b/docs/user-guide/getting-started.md index 01068745..f2067a0e 100644 --- a/docs/user-guide/getting-started.md +++ b/docs/user-guide/getting-started.md @@ -35,7 +35,7 @@ An attack technique is idempotent if it can be deto ## Example -Let's take an example with the attack technique [Exfiltrate EBS Snapshot through Snapshot Sharing](../../attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account/). +Let's take an example with the attack technique [Exfiltrate EBS Snapshot through Snapshot Sharing](../../attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/). - Warm-up: Create an EBS volume and a snapshot of it - Detonation: Share the EBS snapshot with an external AWS account @@ -64,14 +64,14 @@ stratus list Detonating a specific attack technique is as simple as running: ```bash -stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus detonate aws.exfiltration.ec2-share-ebs-snapshot ``` You will get an output similar to: ``` 2022/01/18 22:32:11 Checking your authentication against the AWS API -2022/01/18 22:32:12 Warming up aws.exfiltration.ebs-snapshot-shared-with-external-account +2022/01/18 22:32:12 Warming up aws.exfiltration.ec2-share-ebs-snapshot 2022/01/18 22:32:12 Initializing Terraform 2022/01/18 22:32:19 Applying Terraform 2022/01/18 22:32:43 Sharing the volume snapshot with an external AWS account ID... 
@@ -80,7 +80,7 @@ You will get an output similar to: You can then clean up any leftovers from the technique, which in this case will remove the EBS volume and EBS snapshot: ```bash -stratus cleanup aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus cleanup aws.exfiltration.ec2-share-ebs-snapshot ``` For more information, see [Usage](./usage.md), [Examples](./examples.md) and the [Command Reference](./commands). diff --git a/docs/user-guide/usage.md b/docs/user-guide/usage.md index 9727803a..6d180ecf 100644 --- a/docs/user-guide/usage.md +++ b/docs/user-guide/usage.md @@ -17,7 +17,7 @@ stratus list --platform aws View the detail of a specific technique: ```bash -$ stratus show aws.exfiltration.ebs-snapshot-shared-with-external-account +$ stratus show aws.exfiltration.ec2-share-ebs-snapshot Exfiltrates an EBS snapshot by sharing it with an external AWS account. Warm-up: Creates an EBS volume and a snapshot. @@ -27,7 +27,7 @@ Detonation: Calls ModifySnapshotAttribute to share the snapshot. Detonate an attack technique using: ```bash -stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus detonate aws.exfiltration.ec2-share-ebs-snapshot ``` This will handle warm-up and detonation (but not clean-up - explicitly use `--clean-up` for this). @@ -35,14 +35,14 @@ This will handle warm-up and detonation (but not clean-up - explicitly use `--cl Alternatively, you can handle warm-up and detonation independently: ```bash -stratus warmup aws.exfiltration.ebs-snapshot-shared-with-external-account -stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus warmup aws.exfiltration.ec2-share-ebs-snapshot +stratus detonate aws.exfiltration.ec2-share-ebs-snapshot ``` Cleanup can be done through: ```bash -stratus cleanup aws.exfiltration.ebs-snapshot-shared-with-external-account +stratus cleanup aws.exfiltration.ec2-share-ebs-snapshot ``` At any time, you can view the state of the TTPs: 
@@ -53,9 +53,9 @@ stratus status +------------------------------------------------------------+-----------+ | TECHNIQUE | STATUS | +------------------------------------------------------------+-----------+ -| aws.exfiltration.ebs-snapshot-shared-with-external-account | WARM | -| aws.persistence.backdoor-iam-user | DETONATED | -| aws.persistence.backdoor-iam-role | WARM | -| aws.persistence.malicious-iam-user | COLD | +| aws.exfiltration.ec2-share-ebs-snapshot | WARM | +| aws.persistence.iam-backdoor-user | DETONATED | +| aws.persistence.iam-backdoor-role | WARM | +| aws.persistence.iam-create-admin-user | COLD | +------------------------------------------------------------+-----------+ ``` \ No newline at end of file diff --git a/examples/basic/README.md b/examples/basic/README.md index 08b1e686..ad58147c 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md 
@@ -8,18 +8,18 @@ go run detonate_stratus_red_team_technique.go Sample output: ``` -aws.defense-evasion.stop-cloudtrail +aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:11 Checking your authentication against the AWS API -2022/01/21 15:55:12 Warming up aws.defense-evasion.stop-cloudtrail +2022/01/21 15:55:12 Warming up aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:12 Initializing Terraform to spin up technique prerequisites 2022/01/21 15:55:20 Applying Terraform to spin up technique prerequisites 2022/01/21 15:55:45 CloudTrail trail arn:aws:cloudtrail:us-east-1:751353041310:trail/my-cloudtrail-trail ready TTP is warm! Press enter to detonate it -2022/01/21 15:55:49 Not warming up - aws.defense-evasion.stop-cloudtrail is already warm. Use --force to force +2022/01/21 15:55:49 Not warming up - aws.defense-evasion.cloudtrail-stop is already warm. Use --force to force 2022/01/21 15:55:49 Stopping CloudTrail trail my-cloudtrail-trail -2022/01/21 15:55:49 Cleaning up aws.defense-evasion.stop-cloudtrail -2022/01/21 15:55:49 Reverting detonation of technique aws.defense-evasion.stop-cloudtrail +2022/01/21 15:55:49 Cleaning up aws.defense-evasion.cloudtrail-stop +2022/01/21 15:55:49 Reverting detonation of technique aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:49 Restarting CloudTrail trail my-cloudtrail-trail 2022/01/21 15:55:50 Cleaning up technique prerequisites with terraform destroy ``` \ No newline at end of file diff --git a/examples/basic/detonate_stratus_red_team_technique.go b/examples/basic/detonate_stratus_red_team_technique.go index d1f1587e..0a503ae4 100644 --- a/examples/basic/detonate_stratus_red_team_technique.go +++ b/examples/basic/detonate_stratus_red_team_technique.go 
@@ -11,7 +11,7 @@ import (
 This example warms up, then detonates a specific Stratus Red Team attack technique once you press enter.
 */
 func main() {
-ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.stop-cloudtrail")
+ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.cloudtrail-stop")
 fmt.Println(ttp)
 stratusRunner := stratusrunner.NewRunner(ttp, stratusrunner.StratusRunnerNoForce)
diff --git a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
similarity index 98%
rename from internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go
rename to internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
index 64f2af51..79307c41 100644
--- a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.go
+++ b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go
@@ -22,7 +22,7 @@ var tf []byte
 func init() {
 stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-ID: "aws.credential-access.ec2-instance-credentials",
+ID: "aws.credential-access.ec2-steal-instance-credentials",
 FriendlyName: "Steal EC2 Instance Credentials",
 IsSlow: true,
 Description: `
diff --git a/internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.tf b/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/credential-access/ec2-instance-credentials/main.tf
rename to internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
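Review bot: `ttp` is passed straight to `fmt.Println` and `stratusrunner.NewRunner` without checking that `GetAttackTechniqueByName` resolved the renamed ID, and since this commit renames every technique ID, a stale or mistyped name is exactly the failure this example is most exposed to. If the lookup returns nil for an unknown ID (its signature is not visible here), the example would print `<nil>` and hand a nil technique to the runner instead of failing with a readable message. A guard right after the lookup, e.g. `if ttp == nil { panic("attack technique not found in registry") }`, would make the example fail early and explain why. The body of main continues outside the hunk.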
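Review bot: The `ID` string is changed in place with no alias for the previous value, so anything that still references `aws.credential-access.ec2-instance-credentials` — user scripts, detection-rule test harnesses, or state persisted under the old ID — stops resolving; the same applies to the ssm-retrieve-securestring-parameters, cloudtrail-delete, cloudtrail-stop, organizations-leave, vpc-remove-flow-logs, ec2-enumerate-from-instance and ec2-security-group-open-port-22-ingress hunks that follow. The `stratus status` sample output changed elsewhere in this commit suggests state is keyed by technique ID, so a WARM or DETONATED entry recorded under an old name would presumably no longer be reachable by `revert` or `cleanup`; the registry and state code is outside this diff, so that is worth confirming. At minimum the rename deserves a trace next to the field, e.g. `ID: "aws.credential-access.ec2-steal-instance-credentials", // renamed from aws.credential-access.ec2-instance-credentials; the old ID is not accepted`, and a release note listing the old-to-new mapping.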
diff --git a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
similarity index 96%
rename from internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go
rename to internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
index bb1c69ff..a1826d3e 100644
--- a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.go
+++ b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.go
@@ -18,7 +18,7 @@ var tf []byte
 func init() {
 stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-ID: "aws.credential-access.retrieve-all-ssm-parameters",
+ID: "aws.credential-access.ssm-retrieve-securestring-parameters",
 FriendlyName: "Retrieve And Decrypt SSM Parameters",
 Description: `
 Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS region.
diff --git a/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.tf b/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/credential-access/ssm-get-all-parameters/main.tf
rename to internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
similarity index 95%
rename from internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
index 05d2b29e..deac463f 100644
--- a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.go
@@ -16,7 +16,7 @@ var tf []byte
 func init() {
 stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-ID: "aws.defense-evasion.delete-cloudtrail",
+ID: "aws.defense-evasion.cloudtrail-delete",
 FriendlyName: "Delete CloudTrail Trail",
 Platform: stratus.AWS,
 MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
similarity index 96%
rename from internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
index 72d7e892..cd07b500 100644
--- a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.go
@@ -16,7 +16,7 @@ var tf []byte
 func init() {
 stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-ID: "aws.defense-evasion.stop-cloudtrail",
+ID: "aws.defense-evasion.cloudtrail-stop",
 FriendlyName: "Stop CloudTrail Trail",
 Platform: stratus.AWS,
 MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
diff --git a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf
rename to internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.go b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
similarity index 97%
rename from internal/attacktechniques/aws/defense-evasion/leave-organization/main.go
rename to internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
index 81aa748c..9468a47d 100644
--- a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.go
@@ -20,7 +20,7 @@ var tf []byte
 func init() {
 stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-ID: "aws.defense-evasion.leave-organization",
+ID: "aws.defense-evasion.organizations-leave",
 FriendlyName: "Attempt to Leave the AWS Organization",
 Platform: stratus.AWS,
 IsIdempotent: true,
diff --git a/internal/attacktechniques/aws/defense-evasion/leave-organization/main.tf b/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/leave-organization/main.tf
rename to internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
diff --git a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
similarity index 96%
rename from internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go
rename to internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
index 0a306619..963103d4 100644
--- a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.go
+++ b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.go
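Review bot: The rename to `aws.defense-evasion.organizations-leave` is not carried through to the sample output in docs/user-guide/commands/status.md: that file's hunk in this same commit updates the neighbouring rows but leaves `| aws.defense-evasion.leave-organization | Attempt to Leave the AWS Organization | COLD |` untouched, so the documentation now shows an ID the registry no longer knows. Since the commit's purpose is a consistent ID scheme, a grep for each old ID across docs/ and examples/ before merging would catch this and any similar leftovers. The row should read `| aws.defense-evasion.organizations-leave | Attempt to Leave the AWS Organization | COLD |`.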
@@ -16,7 +16,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.defense-evasion.remove-vpc-flow-logs",
+		ID: "aws.defense-evasion.vpc-remove-flow-logs",
 		FriendlyName: "Remove VPC Flow Logs",
 		Platform: stratus.AWS,
 		IsIdempotent: false, // can't remove VPC flow logs once they have already been removed
diff --git a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf b/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf
rename to internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
diff --git a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
similarity index 97%
rename from internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go
rename to internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
index e4d3d68b..bad681b6 100644
--- a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.go
+++ b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
@@ -19,7 +19,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.discovery.basic-enumeration-from-ec2-instance",
+		ID: "aws.discovery.ec2-enumerate-from-instance",
 		FriendlyName: "Execute Discovery Commands on an EC2 Instance",
 		IsSlow: true,
 		Description: `
diff --git a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf b/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf
rename to internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
index 86dfb0ed..46cbdd58 100644
--- a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.go
@@ -17,7 +17,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.open-port-22-ingress-on-security-group",
+		ID: "aws.exfiltration.ec2-security-group-open-port-22-ingress",
 		FriendlyName: "Open Ingress Port 22 on a Security Group",
 		Platform: stratus.AWS,
 		IsIdempotent: false, // cannot call ec2:AuthorizeSecurityGroupIngress multiple times with the same parameters
diff --git a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
similarity index 97%
rename from internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
index 414e7c18..0cc87408 100644
--- a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.go
@@ -18,7 +18,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.ami-sharing",
+		ID: "aws.exfiltration.ec2-share-ami",
 		FriendlyName: "Exfiltrate an AMI by Sharing It",
 		Description: `
 Exfiltrates an AMI by sharing it with an external AWS account.
diff --git a/internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
index ee563829..3dcaa522 100644
--- a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.go
@@ -16,7 +16,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.ebs-snapshot-shared-with-external-account",
+		ID: "aws.exfiltration.ec2-share-ebs-snapshot",
 		FriendlyName: "Exfiltrate EBS Snapshot by Sharing It",
 		Platform: stratus.AWS,
 		IsIdempotent: true,
diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf b/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf
rename to internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
similarity index 97%
rename from internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go
rename to internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
index 31528e02..efeee03f 100644
--- a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.go
+++ b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.go
@@ -17,7 +17,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.rds-snapshot-sharing",
+		ID: "aws.exfiltration.rds-share-snapshot",
 		FriendlyName: "Exfiltrate RDS Snapshot by Sharing",
 		Platform: stratus.AWS,
 		IsSlow: true,
diff --git a/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.tf b/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing/main.tf
rename to internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
similarity index 96%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
index fefd00aa..c098baca 100644
--- a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.go
+++ b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.go
@@ -19,7 +19,7 @@ var backdooredPolicy string
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.backdoor-s3-bucket-policy",
+		ID: "aws.exfiltration.s3-backdoor-bucket-policy",
 		FriendlyName: "Backdoor an S3 Bucket via its Bucket Policy",
 		Platform: stratus.AWS,
 		IsIdempotent: true,
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/malicious_policy.json b/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/malicious_policy.json
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/malicious_policy.json
rename to internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/malicious_policy.json
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
index 6097e5da..0f4ebfb1 100644
--- a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.go
@@ -20,7 +20,7 @@ var maliciousIamPolicy string
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.persistence.backdoor-iam-role",
+		ID: "aws.persistence.iam-backdoor-role",
 		FriendlyName: "Backdoor an IAM Role",
 		Description: `
 Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account.
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/main.tf
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/malicious_policy.json b/internal/attacktechniques/aws/persistence/iam-backdoor-role/malicious_policy.json
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/malicious_policy.json
rename to internal/attacktechniques/aws/persistence/iam-backdoor-role/malicious_policy.json
diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go
rename to internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
index bad2a900..b05a91e8 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -15,7 +15,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.persistence.backdoor-iam-user",
+		ID: "aws.persistence.iam-backdoor-user",
 		FriendlyName: "Create an Access Key on an IAM User",
 		Description: `
 Establishes persistence by creating an access key on an existing IAM user.
diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf
rename to internal/attacktechniques/aws/persistence/iam-backdoor-user/main.tf
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go b/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
similarity index 98%
rename from internal/attacktechniques/aws/persistence/iam-user-create-new/main.go
rename to internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
index 9a750100..3f9302a5 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
@@ -18,7 +18,7 @@ var adminPolicyArn = aws.String("arn:aws:iam::aws:policy/AdministratorAccess")
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.persistence.malicious-iam-user",
+		ID: "aws.persistence.iam-create-admin-user",
 		FriendlyName: "Create an administrative IAM User",
 		Description: `
 Establishes persistence by creating a new IAM user with administrative permissions.
@@ -82,7 +82,7 @@ func revert(map[string]string) error {
 	if err != nil {
 		return errors.New("unable to clean up IAM user access keys: " + err.Error())
 	}
-
+
 	for i := range result.AccessKeyMetadata {
 		accessKeyId := result.AccessKeyMetadata[i].AccessKeyId
 		_, err := iamClient.DeleteAccessKey(context.Background(), &iam.DeleteAccessKeyInput{
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go
rename to internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
index 982e8087..a686783f 100644
--- a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.go
+++ b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
@@ -17,7 +17,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.persistence.iam-user-create-login-profile",
+		ID: "aws.persistence.iam-create-user-login-profile",
 		FriendlyName: "Create a Login Profile on an IAM User",
 		Description: `
 Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf b/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf
rename to internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.tf
diff --git a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
similarity index 97%
rename from internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go
rename to internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
index 41d72e07..8702de40 100644
--- a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.go
+++ b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
@@ -17,7 +17,7 @@ var tf []byte
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.persistence.backdoor-lambda-function",
+		ID: "aws.persistence.lambda-backdoor-function",
 		FriendlyName: "Backdoor Lambda Function Through Resource-Based Policy",
 		Description: `
 Establishes persistence by backdooring a lambda function to allow its invocation from an external AWS account.
diff --git a/internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.tf b/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/persistence/backdoor-lambda-function/main.tf
rename to internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.tf
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
index 81c80fa7..7d3e4a4b 100644
--- a/internal/attacktechniques/main.go
+++ b/internal/attacktechniques/main.go
@@ -2,25 +2,24 @@ package attacktechniques
 import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-get-password-data"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-instance-credentials"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ssm-get-all-parameters"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/leave-organization"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-sharing"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/rds-snapshot-sharing"
-
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/backdoor-lambda-function"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-create-login-profile"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-user-create-new"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/organizations-leave"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-share-ami"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/rds-share-snapshot"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-backdoor-role"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-backdoor-user"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-create-admin-user"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/iam-create-user-login-profile"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/persistence/lambda-backdoor-function"
 )