From 68a14973a6b5f810f38f1747ad9ced9bd5758af1 Mon Sep 17 00:00:00 2001
From: Christophe Tafani-Dereeper
Date: Wed, 19 Jan 2022 14:21:47 +0100
Subject: [PATCH] Rename force flag for cleanup command
---
 cmd/stratus/cleanup_cmd.go | 2 +-
 .../aws/exfiltration/ebs_direct_api/main.go | 54 -------------------
 .../aws/exfiltration/ebs_direct_api/main.tf | 40 --------------
 3 files changed, 1 insertion(+), 95 deletions(-)
 delete mode 100644 internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.go
 delete mode 100644 internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.tf
diff --git a/cmd/stratus/cleanup_cmd.go b/cmd/stratus/cleanup_cmd.go
index 71bea4ee..659425b6 100644
--- a/cmd/stratus/cleanup_cmd.go
+++ b/cmd/stratus/cleanup_cmd.go
@@ -30,7 +30,7 @@ func buildCleanupCmd() *cobra.Command {
 }
 },
 }
- cleanupCmd.Flags().BoolVarP(&forceCleanup, "forceCleanup", "f", false, "Force cleanup even if the technique is already COLD")
+ cleanupCmd.Flags().BoolVarP(&forceCleanup, "force", "f", false, "Force cleanup even if the technique is already COLD")
 return cleanupCmd
 }
diff --git a/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.go b/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.go
deleted file mode 100644
index ca57d6ad..00000000
--- a/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package aws
-
-import (
- _ "embed"
- "github.com/datadog/stratus-red-team/pkg/stratus"
- "github.com/datadog/stratus-red-team/pkg/stratus/mitreattack"
-)
-
-//go:embed main.tf
-var tf []byte
-
-func init() {
- stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
- ID: "aws.exfiltration.ebs-snapshot-downloaded-with-direct-access-api",
- FriendlyName: "EBS Snapshot Exfiltration Through Direct API",
- Platform: stratus.AWS,
- MitreAttackTactics: []mitreattack.Tactic{mitreattack.Exfiltration},
- Description: `
-Exfiltrates an EBS snapshot by using the EBS Direct API.
-
-Warm-up: Creates an EBS volume and a snapshot.
-
-Detonation: Uses the EBS Direct API to access the raw data of the volume.
-`,
- PrerequisitesTerraformCode: tf,
- Detonate: detonate,
- })
-}
-
-func detonate(params map[string]string) error {
- // := ebs.NewFromConfig(providers.AWS().GetConnection())
-
- // Find the snapshot to exfiltrate
- //ourSnapshotId := params["snapshot_id"]
-
- // Step 1: Put data in our EBS volume
- /*data := "my data!"
- checksum := base64.StdEncoding.EncodeToString(utils.SHA256([]byte(data)))
- _, err := ebsClient.PutSnapshotBlock(context.Background(), &ebs.PutSnapshotBlockInput{
- SnapshotId: aws.String(ourSnapshotId),
- BlockIndex: aws.Int32(0),
- DataLength: aws.Int32(int32(len(data))),
- BlockData: strings.NewReader(data),
- Checksum: aws.String(checksum),
- ChecksumAlgorithm: types.ChecksumAlgorithmChecksumAlgorithmSha256,
- })
-
- if err != nil {
- return err
- }*/
- panic("not implemented")
-
- return nil
-}
diff --git a/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.tf b/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.tf
deleted file mode 100644
index 0426faee..00000000
--- a/internal/attacktechniques/aws/exfiltration/ebs_direct_api/main.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.71.0"
- }
- }
-}
-provider "aws" {
- skip_region_validation = true
- skip_credentials_validation = true
- skip_get_ec2_platforms = true
- skip_metadata_api_check = true
-}
-
-data "aws_availability_zones" "available" {
- state = "available"
-}
-
-resource "aws_ebs_volume" "volume" {
- availability_zone = data.aws_availability_zones.available.names[0]
- size = 1
-
- tags = {
- Name = "StratusRedTeamVolumeToExfiltrateThroughDirectAPI"
- StratusRedTeam = true
- }
-}
-
-resource "aws_ebs_snapshot" "snapshot" {
- volume_id = aws_ebs_volume.volume.id
-
- tags = {
- StratusRedTeam = true
- }
-}
-
-output "snapshot_id" {
- value = aws_ebs_snapshot.snapshot.id
-}
\ No newline at end of file