Creates a new technique to test detections around disabling DNS quer…

…y logging in AWS (#479) * Create technique for Route53 resolver query logging configuration deleted * Remove old attack technique doc page * Update go.mod and go.sum in examples folder * re-autogenerate docs and minor code changes --------- Co-authored-by: William Giraldo <william.giraldo@datadoghq.com>
DataDog · Feb 6, 2024 · 5a46473 · 5a46473
1 parent ec3b561
commit 5a46473
Show file tree

Hide file tree

Showing 9 changed files with 160 additions and 0 deletions.
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md
@@ -0,0 +1,40 @@
+---
+title: Delete DNS query logs
+---
+
+# Delete DNS query logs
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Defense Evasion
+
+## Description
+
+
+Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create a DNS logging configuration.
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Delete the DNS logging configuration using <code>route53:DeleteQueryLoggingConfig</code>.
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.defense-evasion.dns-delete-logs
+```
+## Detection
+
+
+Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteQueryLoggingConfig</code> event.
+
+
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -27,6 +27,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md)
 
+- [Delete DNS query logs](./aws.defense-evasion.dns-delete-logs.md)
+
 - [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md)
 
 - [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md)

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -18,6 +18,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Delete DNS query logs](./AWS/aws.defense-evasion.dns-delete-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |

diff --git a/docs/index.yaml b/docs/index.yaml
@@ -64,6 +64,13 @@ AWS:
             - Defense Evasion
           platform: AWS
           isIdempotent: true
+        - id: aws.defense-evasion.dns-delete-logs
+          name: Delete DNS query logs
+          isSlow: false
+          mitreAttackTactics:
+            - Defense Evasion
+          platform: AWS
+          isIdempotent: false
         - id: aws.defense-evasion.organizations-leave
           name: Attempt to Leave the AWS Organization
           isSlow: false

diff --git a/v2/go.mod b/v2/go.mod
@@ -56,6 +56,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

diff --git a/v2/go.sum b/v2/go.sum
@@ -84,6 +84,8 @@ github.com/aws/aws-sdk-go-v2/service/rds v1.64.2 h1:PTOyeFw0q+Kikm+9PlUaZdYFrPOA
 github.com/aws/aws-sdk-go-v2/service/rds v1.64.2/go.mod h1:Ty2c2SC4jhY6hvGeeOe8T50m1PkioZD9lk6iiOsADkU=
 github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.6.2 h1:c7gZpO0xBXSbbm8nH2t/5W13rCcuemF7FXe47pItP2o=
 github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.6.2/go.mod h1:TbYAZgmTmONcilZvOzb6J6cJ33kp0wGrFum3Mkgeimo=
+github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0 h1:wftl1cNbDzGzpZ9Bv54ZWkTOniXQEbyEvQfMkyAigwA=
+github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0/go.mod h1:6cJ6NO+7rGkv3+QNG9woezF+jDf8eYcz71wKaEIbKtE=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2 h1:DLSAG8zpJV2pYsU+UPkj1IEZghyBnnUsvIRs6UuXSDU=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2/go.mod h1:thjZng67jGsvMyVZnSxlcqKyLwB0XTG8bHIRZPTJ+Bs=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.25.2 h1:JKbfiLwEqJp8zaOAOn6AVSMS96gdwP3TjBMvZYsbxqE=

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go
@@ -0,0 +1,57 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"log"
+
+	"github.com/aws/aws-sdk-go-v2/service/route53resolver"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:                 "aws.defense-evasion.dns-delete-logs",
+		FriendlyName:       "Delete DNS query logs",
+		Platform:           stratus.AWS,
+		MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
+		Description: `
+Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.
+
+Warm-up:
+
+- Create a DNS logging configuration.
+
+Detonation:
+
+- Delete the DNS logging configuration using <code>route53:DeleteQueryLoggingConfig</code>.`,
+		Detection: `
+Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteQueryLoggingConfig</code> event.
+`,
+		IsIdempotent:               false, // can't delete a DNS logging configuration twice
+		PrerequisitesTerraformCode: tf,
+		Detonate:                   detonate,
+	})
+}
+
+func detonate(params map[string]string, providers stratus.CloudProviders) error {
+	resolverClient := route53resolver.NewFromConfig(providers.AWS().GetConnection())
+	queryLoggingConfigId := params["route53_logger_id"]
+
+	log.Println("Deleting DNS logging configuration " + queryLoggingConfigId)
+
+	_, err := resolverClient.DeleteResolverQueryLogConfig(context.Background(), &route53resolver.DeleteResolverQueryLogConfigInput{
+		ResolverQueryLogConfigId: &queryLoggingConfigId,
+	})
+
+	if err != nil {
+		return errors.New("unable to delete DNS logging configuration: " + err.Error())
+	}
+
+	return nil
+}
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf
@@ -0,0 +1,49 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0.0"
+    }
+  }
+}
+provider "aws" {
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  default_tags {
+    tags = {
+      StratusRedTeam = true
+    }
+  }
+}
+
+resource "random_string" "suffix" {
+  length    = 10
+  min_lower = 10
+  special   = false
+}
+
+locals {
+  resource_prefix = "stratus-red-team-dns-delete"
+}
+
+locals {
+  bucket-name = "${local.resource_prefix}-bucket-${random_string.suffix.result}"
+}
+
+resource "aws_route53_resolver_query_log_config" "config" {
+  name            = "${local.resource_prefix}-config-${random_string.suffix.result}"
+  destination_arn = aws_s3_bucket.query_log.arn
+}
+
+resource "aws_s3_bucket" "query_log" {
+  bucket        = local.bucket-name
+  force_destroy = true
+}
+
+output "route53_logger_id" {
+  value = aws_route53_resolver_query_log_config.config.id
+}
+
+output "display" {
+  value = format("Route53 query log config %s is ready", aws_route53_resolver_query_log_config.config.name)
+}
diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go
@@ -10,6 +10,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop"
+	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance"