diff --git a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
new file mode 100755
index 00000000..293f73f8
--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
@@ -0,0 +1,24 @@
+# Retrieve a High Number of Secrets Manager secrets
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
+
+Warm-up: Create multiple secrets in Secrets Manager.
+
+Detonation: Enumerate the secrets through secretsmanager:ListSecrets, then retrieve their value through secretsmanager:GetSecretValue.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.credential-access.secretsmanager-retrieve-secrets
+```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index 8fea194b..4fae44a4 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -10,6 +10,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 - [Steal EC2 Instance Credentials](./aws.credential-access.ec2-instance-credentials.md)
+- [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md)
+
 ## Defense Evasion
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
index 6ac4fc14..bd052632 100755
--- a/docs/attack-techniques/list.md
+++ b/docs/attack-techniques/list.md
@@ -11,6 +11,7 @@ This page contains the list of all Stratus Attack Techniques.
 | :----: | :------: | :------------------: |
 | [Retrieve EC2 password data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Delete a CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion |
diff --git a/go.mod b/go.mod
index f566354e..dde8c8de 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
  github.com/aws/aws-sdk-go-v2/service/lambda v1.17.0
  github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0
  github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0
+ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0
  github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0
  github.com/aws/aws-sdk-go-v2/service/sts v1.14.0
  github.com/hashicorp/terraform-exec v0.15.0
diff --git a/go.sum b/go.sum
index 8793b767..34b7da96 100644
--- a/go.sum
+++ b/go.sum
@@ -125,6 +125,8 @@ github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0 h1:/jCncc3LAMF6d7jBuL
 github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0/go.mod h1:FtYMsBJ0gbt2dtgsjYvsHKNChM43hPMNexPhlchuQDM=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0 h1:4CUrngIysbIQpC56JchMWDNJpQCGVCElS5osSbr5qLc=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0/go.mod h1:l+Y3grd9VGhuO7IlmFwAFNSDPFIDi/5oNa9jlk89KIc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0 h1:VKvs4yx3nrcyBJcj4iSy5UI/Awdsa0fbDKesiNwPuZY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0/go.mod h1:5Oibvfj4kc6CE70qamrlOU+KSO/JWANgxIVbesvSMCE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0 h1:MXz5QUThErWQa8axFIHOciP+Pq+5GZ3mku0xZTPqnak=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0/go.mod h1:PMKPCbgvdSQ/IYzF8FSYor1NSfiLXLXfKFmShw2tDNM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 h1:1qLJeQGBmNQW3mBNzK2CFmrQNmoXWrscPqsrAaU1aTA=
diff --git a/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
new file mode 100644
index 00000000..dddd45d3
--- /dev/null
+++ b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
@@ -0,0 +1,66 @@
+package aws
+
+import (
+ "context"
+ _ "embed"
+ "errors"
+ "github.com/aws/aws-sdk-go-v2/config"
+ "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+ "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+ "github.com/datadog/stratus-red-team/pkg/stratus"
+ "github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
+ "log"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+ stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+ ID: "aws.credential-access.secretsmanager-retrieve-secrets",
+ FriendlyName: "Retrieve a High Number of Secrets Manager secrets",
+ Description: `
+Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
+
+Warm-up: Create multiple secrets in Secrets Manager.
+
+Detonation: Enumerate the secrets through secretsmanager:ListSecrets, then retrieve their value through secretsmanager:GetSecretValue.
+`,
+ Platform: stratus.AWS,
+ MitreAttackTactics: []mitreattack.Tactic{mitreattack.CredentialAccess},
+ PrerequisitesTerraformCode: tf,
+ Detonate: detonate,
+ })
+}
+
+const numCalls = 30
+
+func detonate(params map[string]string) error {
+ cfg, _ := config.LoadDefaultConfig(context.Background())
+ secretsManagerClient := secretsmanager.NewFromConfig(cfg)
+
+ secretsResponse, err := secretsManagerClient.ListSecrets(context.Background(), &secretsmanager.ListSecretsInput{
+ Filters: []types.Filter{
+ {Key: types.FilterNameStringTypeTagKey, Values: []string{"StratusRedTeam"}},
+ },
+ MaxResults: 100,
+ })
+
+ if err != nil {
+ return errors.New("unable to list SecretsManager secrets: " + err.Error())
+ }
+
+ for i := range secretsResponse.SecretList {
+ secret := secretsResponse.SecretList[i]
+ log.Println("Retrieving value of secret " + *secret.ARN)
+ _, err := secretsManagerClient.GetSecretValue(context.Background(), &secretsmanager.GetSecretValueInput{
+ SecretId: secret.ARN,
+ })
+
+ if err != nil {
+ return errors.New("unable to retrieve secret value: " + err.Error())
+ }
+ }
+
+ return nil
+}
diff --git a/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
new file mode 100644
index 00000000..6eaf4784
--- /dev/null
+++ b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
@@ -0,0 +1,44 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.71.0"
+ }
+ }
+}
+provider "aws" {
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_get_ec2_platforms = true
+ skip_metadata_api_check = true
+ default_tags {
+ tags = {
+ StratusRedTeam = true
+ }
+ }
+}
+
+locals {
+ num_secrets = 20
+}
+
+resource "random_string" "secrets" {
+ count = local.num_secrets
+ length = 16
+ min_lower = 16
+}
+
+resource "aws_secretsmanager_secret" "secrets" {
+ count = local.num_secrets
+ name = "stratus-red-team-secret-${count.index}"
+}
+
+resource "aws_secretsmanager_secret_version" "secret-values" {
+ count = local.num_secrets
+ secret_id = aws_secretsmanager_secret.secrets[count.index].id
+ secret_string = random_string.secrets[count.index].result
+}
+
+output "display" {
+ value = format("%s Secrets Manager secrets ready", local.num_secrets)
+}
\ No newline at end of file
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
index aec30c5b..03607661 100644
--- a/internal/attacktechniques/main.go
+++ b/internal/attacktechniques/main.go
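Review bot: The error from `config.LoadDefaultConfig` is discarded in `cfg, _ := config.LoadDefaultConfig(context.Background())`, so a missing or invalid credential chain yields a zero-value config and the failure only surfaces later as a misleading ListSecrets error; make it `cfg, err := config.LoadDefaultConfig(context.Background())` followed by `if err != nil { return errors.New("unable to load AWS configuration: " + err.Error()) }`. The constant `numCalls = 30` is declared but never used, while the loop walks every secret of the single `ListSecrets` page (`MaxResults: 100`, no `NextToken` handling), so either drop the constant or use it to bound the loop. A comment above the `Filters` block should say that the `StratusRedTeam` tag filter is what confines `GetSecretValue` to the warm-up secrets and that detonation must not run without it, since that is the invariant a future edit could silently break. Retrieved secret values are correctly discarded rather than logged.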
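Review bot: `aws_secretsmanager_secret.secrets` uses fixed names (`stratus-red-team-secret-${count.index}`) but sets no `recovery_window_in_days`, so the provider's default destroy only schedules the secrets for delayed deletion and a second warm-up after cleanup will fail because a secret with the same name is still pending deletion; add `recovery_window_in_days = 0` to that resource so cleanup removes them immediately. The `StratusRedTeam = true` default tag is what the Go detonation filters on when listing secrets, so it should stay in `default_tags` rather than be moved onto individual resources, and a comment on that block saying so would help.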
@@ -3,6 +3,7 @@ package attacktechniques
 import (
  _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-get-password-data"
  _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-instance-credentials"
+ _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets"
  _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail"
  _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
  _ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/leave-organization"