Attack technique: Retrieve a High Number of Secrets Manager secrets

DataDog · Jan 20, 2022 · a54527a · a54527a
1 parent 3150b1c
commit a54527a
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 0 deletions.
diff --git a/.../attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md b/.../attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
@@ -0,0 +1,24 @@
+# Retrieve a High Number of Secrets Manager secrets
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
+
+Warm-up: Create multiple secrets in Secrets Manager.
+
+Detonation: Enumerate the secrets through secretsmanager:ListSecrets, then retrieve their value through secretsmanager:GetSecretValue.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.credential-access.secretsmanager-retrieve-secrets
+```
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -10,6 +10,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Steal EC2 Instance Credentials](./aws.credential-access.ec2-instance-credentials.md)
 
+- [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md)
+
 
 ## Defense Evasion
 

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -11,6 +11,7 @@ This page contains the list of all Stratus Attack Techniques.
 | :----: | :------: | :------------------: |
 | [Retrieve EC2 password data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Delete a CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion |

diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.17.0
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.14.0
 	github.com/hashicorp/terraform-exec v0.15.0

diff --git a/go.sum b/go.sum
@@ -125,6 +125,8 @@ github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0 h1:/jCncc3LAMF6d7jBuL
 github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0/go.mod h1:FtYMsBJ0gbt2dtgsjYvsHKNChM43hPMNexPhlchuQDM=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0 h1:4CUrngIysbIQpC56JchMWDNJpQCGVCElS5osSbr5qLc=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0/go.mod h1:l+Y3grd9VGhuO7IlmFwAFNSDPFIDi/5oNa9jlk89KIc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0 h1:VKvs4yx3nrcyBJcj4iSy5UI/Awdsa0fbDKesiNwPuZY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0/go.mod h1:5Oibvfj4kc6CE70qamrlOU+KSO/JWANgxIVbesvSMCE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0 h1:MXz5QUThErWQa8axFIHOciP+Pq+5GZ3mku0xZTPqnak=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0/go.mod h1:PMKPCbgvdSQ/IYzF8FSYor1NSfiLXLXfKFmShw2tDNM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 h1:1qLJeQGBmNQW3mBNzK2CFmrQNmoXWrscPqsrAaU1aTA=

diff --git a/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
@@ -0,0 +1,66 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+	"github.com/datadog/stratus-red-team/pkg/stratus"
+	"github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
+	"log"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:           "aws.credential-access.secretsmanager-retrieve-secrets",
+		FriendlyName: "Retrieve a High Number of Secrets Manager secrets",
+		Description: `
+Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.
+
+Warm-up: Create multiple secrets in Secrets Manager.
+
+Detonation: Enumerate the secrets through secretsmanager:ListSecrets, then retrieve their value through secretsmanager:GetSecretValue.
+`,
+		Platform:                   stratus.AWS,
+		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.CredentialAccess},
+		PrerequisitesTerraformCode: tf,
+		Detonate:                   detonate,
+	})
+}
+
+const numCalls = 30
+
+func detonate(params map[string]string) error {
+	cfg, _ := config.LoadDefaultConfig(context.Background())
+	secretsManagerClient := secretsmanager.NewFromConfig(cfg)
+
+	secretsResponse, err := secretsManagerClient.ListSecrets(context.Background(), &secretsmanager.ListSecretsInput{
+		Filters: []types.Filter{
+			{Key: types.FilterNameStringTypeTagKey, Values: []string{"StratusRedTeam"}},
+		},
+		MaxResults: 100,
+	})
+
+	if err != nil {
+		return errors.New("unable to list SecretsManager secrets: " + err.Error())
+	}
+
+	for i := range secretsResponse.SecretList {
+		secret := secretsResponse.SecretList[i]
+		log.Println("Retrieving value of secret " + *secret.ARN)
+		_, err := secretsManagerClient.GetSecretValue(context.Background(), &secretsmanager.GetSecretValueInput{
+			SecretId: secret.ARN,
+		})
+
+		if err != nil {
+			return errors.New("unable to retrieve secret value: " + err.Error())
+		}
+	}
+
+	return nil
+}
diff --git a/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf b/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
@@ -0,0 +1,44 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.71.0"
+    }
+  }
+}
+provider "aws" {
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  default_tags {
+    tags = {
+      StratusRedTeam = true
+    }
+  }
+}
+
+locals {
+  num_secrets = 20
+}
+
+resource "random_string" "secrets" {
+  count = local.num_secrets
+  length = 16
+  min_lower = 16
+}
+
+resource "aws_secretsmanager_secret" "secrets" {
+  count = local.num_secrets
+  name = "stratus-red-team-secret-${count.index}"
+}
+
+resource "aws_secretsmanager_secret_version" "secret-values" {
+  count = local.num_secrets
+  secret_id     = aws_secretsmanager_secret.secrets[count.index].id
+  secret_string = random_string.secrets[count.index].result
+}
+
+output "display" {
+  value = format("%s Secrets Manager secrets ready", local.num_secrets)
+}
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
@@ -3,6 +3,7 @@ package attacktechniques
 import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-get-password-data"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-instance-credentials"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/leave-organization"