Creates a new technique to test detections around disabling DNS quer…
…y logging in AWS (#479) * Create technique for Route53 resolver query logging configuration deleted * Remove old attack technique doc page * Update go.mod and go.sum in examples folder * re-autogenerate docs and minor code changes --------- Co-authored-by: William Giraldo <william.giraldo@datadoghq.com>
1 parent
ec3b561
commit 5a46473
Showing
9 changed files
with
160 additions
and
0 deletions.
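--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md
@@ -0,0 +1,40 @@
+---
+title: Delete DNS query logs
+---
+
+# Delete DNS query logs
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Defense Evasion
+
+## Description
+
+
+Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create a DNS logging configuration.
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Delete the DNS logging configuration using <code>route53:DeleteQueryLoggingConfig</code>.
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.defense-evasion.dns-delete-logs
+```
+## Detection
+
+
+Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteQueryLoggingConfig</code> event.
+
+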
57 changes: 57 additions & 0 deletions
57
v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go
@@ -0,0 +1,57 @@ | ||
package aws | ||
|
||
import ( | ||
"context" | ||
_ "embed" | ||
"errors" | ||
"log" | ||
|
||
"github.com/aws/aws-sdk-go-v2/service/route53resolver" | ||
"github.com/datadog/stratus-red-team/v2/pkg/stratus" | ||
"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" | ||
) | ||
|
||
//go:embed main.tf | ||
var tf []byte | ||
|
||
func init() { | ||
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ | ||
ID: "aws.defense-evasion.dns-delete-logs", | ||
FriendlyName: "Delete DNS query logs", | ||
Platform: stratus.AWS, | ||
MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion}, | ||
Description: ` | ||
Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging. | ||
Warm-up: | ||
- Create a DNS logging configuration. | ||
Detonation: | ||
- Delete the DNS logging configuration using <code>route53:DeleteQueryLoggingConfig</code>.`, | ||
Detection: ` | ||
Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteQueryLoggingConfig</code> event. | ||
`, | ||
IsIdempotent: false, // can't delete a DNS logging configuration twice | ||
PrerequisitesTerraformCode: tf, | ||
Detonate: detonate, | ||
}) | ||
} | ||
|
||
func detonate(params map[string]string, providers stratus.CloudProviders) error { | ||
resolverClient := route53resolver.NewFromConfig(providers.AWS().GetConnection()) | ||
queryLoggingConfigId := params["route53_logger_id"] | ||
|
||
log.Println("Deleting DNS logging configuration " + queryLoggingConfigId) | ||
|
||
_, err := resolverClient.DeleteResolverQueryLogConfig(context.Background(), &route53resolver.DeleteResolverQueryLogConfigInput{ | ||
ResolverQueryLogConfigId: &queryLoggingConfigId, | ||
}) | ||
|
||
if err != nil { | ||
return errors.New("unable to delete DNS logging configuration: " + err.Error()) | ||
} | ||
|
||
return nil | ||
} |
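Review bot: The `Description` and `Detection` strings in `init` name `route53:DeleteQueryLoggingConfig`, but `detonate` calls `resolverClient.DeleteResolverQueryLogConfig` on a Route 53 Resolver client; `DeleteQueryLoggingConfig` is the separate Route 53 hosted-zone query-logging API, so a rule keyed on that CloudTrail event name would not fire for this technique. Change the detonation bullet to `- Delete the DNS logging configuration using <code>route53resolver:DeleteResolverQueryLogConfig</code>.` and the detection text to `Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteResolverQueryLogConfig</code> event (eventSource <code>route53resolver.amazonaws.com</code>).`; the generated doc page repeats the same wording and should be regenerated afterwards. Separately, `errors.New("unable to delete DNS logging configuration: " + err.Error())` flattens the SDK error; `return fmt.Errorf("unable to delete DNS logging configuration: %w", err)` (with `"fmt"` imported) keeps it inspectable with `errors.As`.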
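--- /dev/null
+++ b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf
@@ -0,0 +1,49 @@
+terraform {
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 5.0.0"
+}
+}
+}
+provider "aws" {
+skip_region_validation = true
+skip_credentials_validation = true
+default_tags {
+tags = {
+StratusRedTeam = true
+}
+}
+}
+
+resource "random_string" "suffix" {
+length = 10
+min_lower = 10
+special = false
+}
+
+locals {
+resource_prefix = "stratus-red-team-dns-delete"
+}
+
+locals {
+bucket-name = "${local.resource_prefix}-bucket-${random_string.suffix.result}"
+}
+
+resource "aws_route53_resolver_query_log_config" "config" {
+name = "${local.resource_prefix}-config-${random_string.suffix.result}"
+destination_arn = aws_s3_bucket.query_log.arn
+}
+
+resource "aws_s3_bucket" "query_log" {
+bucket = local.bucket-name
+force_destroy = true
+}
+
+output "route53_logger_id" {
+value = aws_route53_resolver_query_log_config.config.id
+}
+
+output "display" {
+value = format("Route53 query log config %s is ready", aws_route53_resolver_query_log_config.config.name)
+}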
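Review bot: `required_providers` pins only `aws`, yet `resource "random_string" "suffix"` needs the `random` provider, which appears to be left to implicit provider inference and therefore runs unpinned; adding `random = { source = "hashicorp/random" }` to that block keeps the warm-up reproducible across Terraform runs. The local `bucket-name` uses a hyphen while the sibling local uses `resource_prefix`; renaming it to `bucket_name` (and updating `bucket = local.bucket_name`) follows the usual HCL identifier convention.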