

Properly encapsulate providers to allow for different detonation UUIDs
christophetd committed Jan 26, 2023
1 parent e1efb14 commit 4f90842
Showing 56 changed files with 247 additions and 260 deletions.
4 changes: 2 additions & 2 deletions examples/custom/detonate_custom_technique.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ func buildCustomAttackTechnique() *stratus.AttackTechnique {
}
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
iamUserName := params["iam_user_name"]
iamClient := iam.NewFromConfig(stratus.AWSProvider().GetConnection())
iamClient := iam.NewFromConfig(providers.AWS().GetConnection())

userResponse, err := iamClient.GetUser(context.Background(), &iam.GetUserInput{
UserName: &iamUserName,
Expand Down
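Review bot: `iamUserName` is read from `params` without checking that `iam_user_name` was supplied, so a missing parameter sends an empty but non-nil `UserName` to GetUser instead of failing early with a clear message; add a guard before the call, e.g. `if iamUserName == "" { return errors.New("missing required parameter iam_user_name") }` (or `fmt.Errorf`, whichever the file already imports). Since this is the custom-technique example that users copy, showing the parameter check is worth the extra lines. The body of detonate continues outside the hunk.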
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ import (
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/internal/utils"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
Expand Down Expand Up @@ -49,8 +48,9 @@ Detonation:

const numCalls = 30

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
roleArn := params["role_arn"]
providers.AWS().GetConnection()

awsConnection := providers.AWS().GetConnection()
stsClient := sts.NewFromConfig(awsConnection)
Expand Down
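Review bot: The new line `providers.AWS().GetConnection()` directly after `roleArn := params["role_arn"]` is a bare expression statement whose result is discarded, and the next statement builds the same connection again into `awsConnection`; delete that line. Whether `GetConnection()` is a cheap accessor or resolves credentials on every call is not visible here, but either way the extra call adds nothing and reads like a leftover from the refactor. detonate's body continues past the hunk.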
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import (
"github.com/aws/aws-sdk-go-v2/service/ssm"
"github.com/aws/aws-sdk-go-v2/service/ssm/types"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/internal/utils"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
Expand Down Expand Up @@ -57,7 +56,7 @@ See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detec
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ssmClient := ssm.NewFromConfig(providers.AWS().GetConnection())
instanceId := params["instance_id"]
instanceRoleName := params["instance_role_name"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -47,7 +46,7 @@ The following may be use to tune the detection, or validate findings:
})
}

func detonate(map[string]string) error {
func detonate(_ map[string]string, providers stratus.CloudProviders) error {
secretsManagerClient := secretsmanager.NewFromConfig(providers.AWS().GetConnection())

secretsResponse, err := secretsManagerClient.ListSecrets(context.Background(), &secretsmanager.ListSecretsInput{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import (
"errors"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ssm"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -52,7 +51,7 @@ The following may be use to tune the detection, or validate findings:
})
}

func detonate(map[string]string) error {
func detonate(_ map[string]string, providers stratus.CloudProviders) error {
ssmClient := ssm.NewFromConfig(providers.AWS().GetConnection())

log.Println("Running ssm:DescribeParameters and ssm:GetParameters by batch of 10 to find all SSM Parameters in the current region")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
_ "embed"
"errors"
"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -42,7 +41,7 @@ GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLog
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
trailName := params["cloudtrail_trail_name"]

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
"github.com/aws/aws-sdk-go-v2/service/cloudtrail/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -45,7 +44,7 @@ Identify when event selectors of a CloudTrail trail are updated, through CloudTr
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
trailName := params["cloudtrail_trail_name"]

Expand All @@ -72,7 +71,7 @@ func detonate(params map[string]string) error {
return nil
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
trailName := params["cloudtrail_trail_name"]

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -48,7 +47,7 @@ The CloudTrail event <code>PutBucketLifecycle</code> and its attribute
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
s3Client := s3.NewFromConfig(providers.AWS().GetConnection())
bucketName := params["s3_bucket_name"]

Expand All @@ -75,7 +74,7 @@ func detonate(params map[string]string) error {
return nil
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
s3Client := s3.NewFromConfig(providers.AWS().GetConnection())
bucketName := params["s3_bucket_name"]

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
_ "embed"
"errors"
"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -43,7 +42,7 @@ GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLog
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
trailName := params["cloudtrail_trail_name"]

Expand All @@ -60,7 +59,7 @@ func detonate(params map[string]string) error {
return nil
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
trailName := params["cloudtrail_trail_name"]

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ import (
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/organizations"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -48,7 +47,7 @@ Use the CloudTrail event <code>LeaveOrganization</code>.`,
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
roleArn := params["role_arn"]

awsConnection := providers.AWS().GetConnection()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
_ "embed"
"errors"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -43,7 +42,7 @@ only when <code>DeleteFlowLogs</code> is not closely followed by <code>DeleteVpc
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())

vpcId := params["vpc_id"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import (
"errors"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ssm"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -63,7 +62,7 @@ arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ssmClient := ssm.NewFromConfig(providers.AWS().GetConnection())
instanceId := params["instance_id"]
commands := []string{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package aws
import (
"context"
_ "embed"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/internal/utils"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
Expand Down Expand Up @@ -58,7 +57,7 @@ See:

const numCalls = 15

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {

awsConnection := providers.AWS().GetConnection()
stsClient := sts.NewFromConfig(awsConnection)
Expand Down
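Review bot: The blank line immediately after the new `detonate` signature is a leftover from the old body and gofmt does not remove it; drop it so the function opens directly with `awsConnection := providers.AWS().GetConnection()`. While touching the signature, a one-line doc comment such as `// detonate assumes the target role numCalls times to generate detectable STS activity` would help, although the exact behaviour depends on the body below, which is outside the hunk.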
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -50,7 +49,7 @@ Depending on your account limits you might also see <code>VcpuLimitExceeded</cod
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ctx := context.Background()
awsConnection := providers.AWS().GetConnection()

Expand Down
13 changes: 5 additions & 8 deletions v2/internal/attacktechniques/aws/execution/ec2-user-data/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -62,11 +61,11 @@ provisioned before instantiation.
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
instanceId := params["instance_id"]

err := stopInstance(instanceId)
err := stopInstance(instanceId, ec2Client)
if err != nil {
return err
}
Expand All @@ -80,7 +79,7 @@ func detonate(params map[string]string) error {
return errors.New("unable to update user data: " + err.Error())
}

err = startInstance(instanceId)
err = startInstance(instanceId, ec2Client)
if err != nil {
return err
}
Expand All @@ -93,8 +92,7 @@ func detonate(params map[string]string) error {
const maxWaitDuration = 2 * time.Minute

// Stops an EC2 instance, and synchronously returns only when it is stopped
func stopInstance(instanceId string) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
func stopInstance(instanceId string, ec2Client *ec2.Client) error {
log.Println("Stopping instance " + instanceId)
_, err := ec2Client.StopInstances(context.Background(), &ec2.StopInstancesInput{
InstanceIds: []string{instanceId},
Expand All @@ -121,8 +119,7 @@ func stopInstance(instanceId string) error {
}

// Starts an EC2 instance, and synchronously returns only when it is running
func startInstance(instanceId string) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
func startInstance(instanceId string, ec2Client *ec2.Client) error {
log.Println("Starting instance")
_, err := ec2Client.StartInstances(context.Background(), &ec2.StartInstancesInput{
InstanceIds: []string{instanceId},
Expand Down
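Review bot: If the user-data update fails after `stopInstance` has succeeded, the `return errors.New("unable to update user data: " + err.Error())` path leaves the target instance stopped, because `startInstance` is only reached on the success path; now that both helpers share the caller's `ec2Client`, a best-effort restart before returning is cheap and keeps the detonation from changing the instance's state on failure. The `if err != nil` around the ModifyInstanceAttribute call sits in the collapsed part of the hunk, so the exact line to edit may differ slightly. A smaller nit: the helpers put `instanceId` before `ec2Client`, whereas Go code usually passes the client first, but the two signatures are at least consistent with each other. detonate's body is cut by the collapsed regions above and below.
```go
	// … unchanged: stopInstance call and ModifyInstanceAttribute request …
	if err != nil {
		// Best effort: do not leave the target stopped if the user-data update failed.
		if startErr := startInstance(instanceId, ec2Client); startErr != nil {
			log.Println("unable to restart instance after failed user data update: " + startErr.Error())
		}
		return errors.New("unable to update user data: " + err.Error())
	}
	// … unchanged: startInstance call and return …
```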
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import (
"errors"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
"log"
Expand Down Expand Up @@ -45,7 +44,7 @@ You can use the CloudTrail event <code>AuthorizeSecurityGroupIngress</code> when
})
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())

// Find the snapshot to exfiltrate
Expand All @@ -69,7 +68,7 @@ func detonate(params map[string]string) error {
return nil
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())

// Find the snapshot to exfiltrate
Expand Down
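Review bot: The comment `// Find the snapshot to exfiltrate` above both the `detonate` and `revert` bodies looks copied from the EBS snapshot technique, while the detection text in this file refers to `AuthorizeSecurityGroupIngress`; if this technique operates on a security group rather than a snapshot, replace the comment in both functions with one describing what is actually looked up. The lookup itself is collapsed below the hunk, so this is an inference from the surrounding text rather than from the code. Both function bodies continue outside the hunk.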
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/internal/utils"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
Expand Down Expand Up @@ -62,7 +61,7 @@ var amiPermissions = []types.LaunchPermission{
{UserId: aws.String("012345678901")},
}

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
amiId := params["ami_id"]

Expand All @@ -88,7 +87,7 @@ func detonate(params map[string]string) error {
return nil
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
amiId := params["ami_id"]

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
_ "embed"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/datadog/stratus-red-team/v2/internal/providers"
"github.com/datadog/stratus-red-team/v2/internal/utils"
"github.com/datadog/stratus-red-team/v2/pkg/stratus"
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
Expand Down Expand Up @@ -86,7 +85,7 @@ In that case, <code>userIdentity.accountId</code> contains the attacker's accoun

var ShareWithAccountId = "012345678912"

func detonate(params map[string]string) error {
func detonate(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())

// Find the snapshot to exfiltrate
Expand All @@ -113,7 +112,7 @@ func detonate(params map[string]string) error {
return err
}

func revert(params map[string]string) error {
func revert(params map[string]string, providers stratus.CloudProviders) error {
ec2Client := ec2.NewFromConfig(providers.AWS().GetConnection())
ourSnapshotId := params["snapshot_id"]

Expand Down
