New attack technique: Delete CloudTrail trail

DataDog · Jan 19, 2022 · 3d0024f · 3d0024f
1 parent 08ac16c
commit 3d0024f
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 0 deletions.
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md b/docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md
@@ -0,0 +1,24 @@
+# Delete a CloudTrail Trail
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Defense Evasion
+
+## Description
+
+
+Delete a CloudTrail trail.
+
+Warm-up: Creates a CloudTrail trail.
+
+Detonation: Deletes the CloudTrail trail.
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.defense-evasion.delete-cloudtrail
+```
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -13,6 +13,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 ## Defense Evasion
 
+- [Delete a CloudTrail Trail](./aws.defense-evasion.delete-cloudtrail.md)
+
 - [Stop a CloudTrail Trail](./aws.defense-evasion.stop-cloudtrail.md)
 
 - [Attempt to Leave the AWS Organization](./aws.defense-evasion.leave-organization.md)

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -11,6 +11,7 @@ This page contains the list of all Stratus Attack Techniques.
 | :----: | :------: | :------------------: |
 | [Retrieve EC2 password data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Delete a CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Stop a CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC flow logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |

diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go b/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.go
@@ -0,0 +1,63 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
+	"github.com/datadog/stratus-red-team/internal/providers"
+	"github.com/datadog/stratus-red-team/pkg/stratus"
+	"github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
+	"log"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:                 "aws.defense-evasion.delete-cloudtrail",
+		FriendlyName:       "Delete a CloudTrail Trail",
+		Platform:           stratus.AWS,
+		MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
+		Description: `
+Delete a CloudTrail trail.
+
+Warm-up: Creates a CloudTrail trail.
+
+Detonation: Deletes the CloudTrail trail.
+`,
+		PrerequisitesTerraformCode: tf,
+		Detonate:                   detonate,
+	})
+}
+
+func detonate(params map[string]string) error {
+	cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
+	trailName := params["cloudtrail_trail_name"]
+
+	log.Println("Deleting CloudTrail trail " + trailName)
+
+	_, err := cloudtrailClient.DeleteTrail(context.Background(), &cloudtrail.DeleteTrailInput{
+		Name: aws.String(trailName),
+	})
+
+	if err != nil {
+		return errors.New("unable to delete CloudTrail logging: " + err.Error())
+	}
+
+	return nil
+}
+
+func revert(params map[string]string) error {
+	cloudtrailClient := cloudtrail.NewFromConfig(providers.AWS().GetConnection())
+	trailName := params["cloudtrail_trail_name"]
+
+	log.Println("Restarting CloudTrail trail " + trailName)
+	_, err := cloudtrailClient.StartLogging(context.Background(), &cloudtrail.StartLoggingInput{
+		Name: aws.String(trailName),
+	})
+
+	return err
+}
diff --git a/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf b/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail/main.tf
@@ -0,0 +1,77 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.71.0"
+    }
+  }
+}
+provider "aws" {
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  default_tags {
+    tags = {
+      StratusRedTeam = true
+    }
+  }
+}
+
+resource "aws_cloudtrail" "trail" {
+  name = "my-cloudtrail-trail-2"
+  s3_bucket_name = aws_s3_bucket.cloudtrail.id
+}
+
+resource "random_string" "suffix" {
+  length    = 16
+  min_lower = 16
+  special   = false
+}
+
+locals {
+  bucket-name = "my-cloudtrail-bucket-${random_string.suffix.result}"
+}
+resource "aws_s3_bucket" "cloudtrail" {
+  bucket        = local.bucket-name
+  force_destroy = true
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailAclCheck",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "arn:aws:s3:::${local.bucket-name}"
+        },
+        {
+            "Sid": "AWSCloudTrailWrite",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::${local.bucket-name}/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}
+POLICY
+}
+
+output "cloudtrail_trail_name" {
+  value = aws_cloudtrail.trail.name
+}
+
+output "display" {
+  value = format("CloudTrail trail %s ready", aws_cloudtrail.trail.arn)
+}
diff --git a/internal/attacktechniques/main.go b/internal/attacktechniques/main.go
@@ -3,6 +3,7 @@ package attacktechniques
 import (
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-get-password-data"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/credential-access/ec2-instance-credentials"
+	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/delete-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/disable-cloudtrail"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/leave-organization"
 	_ "github.com/datadog/stratus-red-team/internal/attacktechniques/aws/defense-evasion/remove-vpc-flow-logs"