Ensure all attack techniques display enough information (closes #10)

DataDog · Jan 19, 2022 · 7918a35 · 7918a35
1 parent 68a1497
commit 7918a35
Show file tree

Hide file tree

Showing 15 changed files with 53 additions and 16 deletions.
diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
@@ -13,9 +13,11 @@ Platform: AWS
 Runs ec2:GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to
 retrieve RDP passwords of Windows EC2 instances.
 
+See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html
+
 Warm-up: Create an IAM role without permissions to run ec2:GetPasswordData
 
-Detonation: Assume the role and run a number of ec2:GetPasswordData calls (which will be denied
+Detonation: Assume the role and run a number of ec2:GetPasswordData calls (which will be denied)
 
 
 ## Instructions

diff --git a/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.go b/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.go
@@ -27,9 +27,11 @@ func init() {
 Runs ec2:GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to
 retrieve RDP passwords of Windows EC2 instances.
 
+See https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html
+
 Warm-up: Create an IAM role without permissions to run ec2:GetPasswordData
 
-Detonation: Assume the role and run a number of ec2:GetPasswordData calls (which will be denied
+Detonation: Assume the role and run a number of ec2:GetPasswordData calls (which will be denied)
 `,
 		Platform:                   stratus.AWS,
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.CredentialAccess},

diff --git a/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail/main.tf
@@ -70,4 +70,8 @@ POLICY
 
 output "cloudtrail_trail_name" {
   value = aws_cloudtrail.trail.name
+}
+
+output "display" {
+  value = format("CloudTrail trail %s ready", aws_cloudtrail.trail.arn)
 }
diff --git a/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf b/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs/main.tf
@@ -86,5 +86,5 @@ output "flow_logs_id" {
 }
 
 output "display" {
-  value = format("VPC Flow Logs %s in VPC %s", aws_flow_log.flow-logs.id, aws_vpc.vpc.id)
+  value = format("VPC Flow Logs %s in VPC %s ready", aws_flow_log.flow-logs.id, aws_vpc.vpc.id)
 }
diff --git a/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf b/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role/main.tf
@@ -95,5 +95,5 @@ output "instance_id" {
 }
 
 output "display" {
-  value = format("Instance id %s in %s", aws_instance.dev.id, data.aws_availability_zones.available.names[0])
+  value = format("Instance id %s in %s ready", aws_instance.dev.id, data.aws_availability_zones.available.names[0])
 }
diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go b/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.go
@@ -40,9 +40,9 @@ func detonate(params map[string]string) error {
 	ourSnapshotId := params["snapshot_id"]
 
 	// Exfiltrate it
-	log.Println("Sharing the volume snapshot with an external AWS account ID...")
+	log.Println("Sharing the volume snapshot " + ourSnapshotId + " with an external AWS account...")
 
-	_, err := ec2Client.ModifySnapshotAttribute(context.TODO(), &ec2.ModifySnapshotAttributeInput{
+	_, err := ec2Client.ModifySnapshotAttribute(context.Background(), &ec2.ModifySnapshotAttributeInput{
 		SnapshotId: aws.String(ourSnapshotId),
 		Attribute:  types.SnapshotAttributeNameCreateVolumePermission,
 		CreateVolumePermission: &types.CreateVolumePermissionModifications{

diff --git a/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf b/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share/main.tf
@@ -37,4 +37,8 @@ resource "aws_ebs_snapshot" "snapshot" {
 
 output "snapshot_id" {
   value = aws_ebs_snapshot.snapshot.id
+}
+
+output "display" {
+  value = format("Snapshot %s of %s ready", aws_ebs_snapshot.snapshot.id, aws_ebs_volume.volume.id)
 }
diff --git a/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf b/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy/main.tf
@@ -34,5 +34,5 @@ output "bucket_name" {
 }
 
 output "display" {
-  value = format("S3 bucket: %s", aws_s3_bucket.bucket.id)
+  value = format("S3 bucket %s ready", aws_s3_bucket.bucket.id)
 }
diff --git a/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf b/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet/main.tf
@@ -56,5 +56,5 @@ output "security_group_id" {
 }
 
 output "display" {
-  value = format("Security group %s", aws_security_group.allow_tls.id)
+  value = format("Security group %s in VPC %s ready", aws_security_group.allow_tls.id, aws_vpc.vpc.id)
 }
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
@@ -32,11 +32,12 @@ Detonation: Updates the assume role policy of the IAM role to backdoor it.
 		Platform:                   stratus.AWS,
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence},
 		PrerequisitesTerraformCode: tf,
-		Detonate: func(terraformOutputs map[string]string) error {
+		Detonate: func(params map[string]string) error {
 			iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
-			log.Println("Backdooring IAM role by allowing sts:AssumeRole from an extenral AWS account")
+			roleName := params["role_name"]
+			log.Println("Backdooring IAM role " + roleName + " by allowing sts:AssumeRole from an external AWS account")
 			_, err := iamClient.UpdateAssumeRolePolicy(context.Background(), &iam.UpdateAssumeRolePolicyInput{
-				RoleName:       aws.String("sample-legit-role"),
+				RoleName:       aws.String(roleName),
 				PolicyDocument: aws.String(maliciousIamPolicy),
 			})
 			if err != nil {

diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf
@@ -33,4 +33,12 @@ resource "aws_iam_role" "legit-role" {
 resource "aws_iam_role_policy_attachment" "role-policy" {
   role       = aws_iam_role.legit-role.name
   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+output "role_name" {
+  value = aws_iam_role.legit-role.name
+}
+
+output "display" {
+  value = format("IAM role %s ready", aws_iam_role.legit-role.name)
 }
diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.go
@@ -28,26 +28,30 @@ Detonation: Create the access key.
 		Platform:                   stratus.AWS,
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation},
 		PrerequisitesTerraformCode: tf,
-		Detonate: func(terraformOutputs map[string]string) error {
+		Detonate: func(params map[string]string) error {
 			iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
+			userName := params["user_name"]
 			log.Println("Creating access key on legit IAM user to simulate backdoor")
-			result, err := iamClient.CreateAccessKey(context.Background(), &iam.CreateAccessKeyInput{UserName: aws.String("sample-legit-user")})
+			result, err := iamClient.CreateAccessKey(context.Background(), &iam.CreateAccessKeyInput{
+				UserName: aws.String(userName),
+			})
 			if err != nil {
 				return err
 			}
 			log.Println("Successfully created access key " + *result.AccessKey.AccessKeyId)
 			return nil
 		},
 		Cleanup: func() error {
-			iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
+			// TODO: https://github.com/DataDog/stratus-red-team/issues/12
+			/*iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
 			log.Println("Removing access key from IAM user")
 			result, err := iamClient.ListAccessKeys(context.Background(), &iam.ListAccessKeysInput{UserName: aws.String("sample-legit-user")})
 			if err != nil {
 				return err
 			}
 			for i := range result.AccessKeyMetadata {
 				iamClient.DeleteAccessKey(context.Background(), &iam.DeleteAccessKeyInput{AccessKeyId: result.AccessKeyMetadata[i].AccessKeyId})
-			}
+			}*/
 
 			return nil
 		},

diff --git a/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-user-backdoor-existing/main.tf
@@ -21,4 +21,12 @@ provider "aws" {
 resource "aws_iam_user" "legit-user" {
   name          = "sample-legit-user" # TODO parametrize
   force_destroy = true
+}
+
+output "user_name" {
+  value = aws_iam_user.legit-user.name
+}
+
+output "display" {
+  value = format("IAM user %s ready", aws_iam_user.legit-user.name)
 }
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf b/internal/attacktechniques/aws/persistence/iam-user-create-login-profile/main.tf
@@ -25,4 +25,8 @@ resource "aws_iam_user" "legit-user" {
 
 output "user_name" {
   value = aws_iam_user.legit-user.name
+}
+
+output "display" {
+  value = format("IAM user %s ready", aws_iam_user.legit-user.name)
 }
diff --git a/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go b/internal/attacktechniques/aws/persistence/iam-user-create-new/main.go
@@ -29,7 +29,7 @@ Detonation: Creates the IAM user and attached 'AdministratorAccess' to it.
 `,
 		Platform:           stratus.AWS,
 		MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation},
-		Detonate: func(terraformOutputs map[string]string) error {
+		Detonate: func(params map[string]string) error {
 			iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
 			log.Println("Creating a malicious IAM user")
 			_, err := iamClient.CreateUser(context.TODO(), &iam.CreateUserInput{