Add 3 attack techniques to simulate S3 ransomware activity
* Add TTP to simulate an S3 ransomware
* terraform lint
* Polish up first S3 ransomware TTP
* Add second attack technique related to ransomware
* Add third attack technique to cover client-side encryption S3 ransomware
* Rename folders to match attack technique ID
* autogenerate docs
* Bump harden-runner to v2.5.1 due to step-security/harden-runner#331
* troubleshoot failing CI test irresponsive
Parent: c5521ab. Commit: 8f1359c. Showing 25 changed files with 2,103 additions and 58 deletions.
docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md: 91 additions & 0 deletions
@@ -0,0 +1,91 @@ | ||
--- | ||
title: S3 Ransomware through batch file deletion | ||
--- | ||
|
||
# S3 Ransomware through batch file deletion | ||
|
||
|
||
|
||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Impact | ||
|
||
## Description | ||
|
||
|
||
Simulates S3 ransomware activity that empties a bucket through batch deletion, then uploads a ransom note. | ||
|
||
<span style="font-variant: small-caps;">Warm-up</span>: | ||
|
||
- Create an S3 bucket, with versioning enabled | ||
- Create a number of files in the bucket, with random content and extensions | ||
|
||
<span style="font-variant: small-caps;">Detonation</span>: | ||
|
||
- List all available objects and their versions in the bucket | ||
- Delete all objects in the bucket in one request, using [DeleteObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html) | ||
- Upload a ransom note to the bucket | ||
|
||
Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket. | ||
|
||
References: | ||
|
||
- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf) | ||
- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/) | ||
- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82) | ||
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/ | ||
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | ||
|
||
|
||
## Instructions | ||
|
||
```bash title="Detonate with Stratus Red Team" | ||
stratus detonate aws.impact.s3-ransomware-batch-deletion | ||
``` | ||
## Detection | ||
|
||
|
||
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. | ||
In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>), | ||
[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>), | ||
or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>). | ||
|
||
Sample <code>DeleteObjects</code> event, shortened for readability: | ||
|
||
```json hl_lines="3 8" | ||
{ | ||
"eventSource": "s3.amazonaws.com", | ||
"eventName": "DeleteObjects", | ||
"eventCategory": "Data" | ||
"managementEvent": false, | ||
"readOnly": false | ||
"requestParameters": { | ||
"bucketName": "target-bucket", | ||
"Host": "target-bucket.s3.us-east-1.amazonaws.com", | ||
"delete": "", | ||
"x-id": "DeleteObjects" | ||
}, | ||
"responseElements": null, | ||
"resources": [ | ||
{ | ||
"type": "AWS::S3::Object", | ||
"ARNPrefix": "arn:aws:s3:::target-bucket/" | ||
}, | ||
{ | ||
"accountId": "012345678901", | ||
"type": "AWS::S3::Bucket", | ||
"ARN": "arn:aws:s3:::target-bucket" | ||
} | ||
], | ||
"eventType": "AwsApiCall", | ||
"recipientAccountId": "012345678901" | ||
} | ||
``` | ||
|
||
Note that <code>DeleteObjects</code> does not indicate the list of files deleted, or how many files were removed (which can be up to 1'000 files per call).' | ||
|
||
|
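Review bot: the sample `DeleteObjects` event in this file is not valid JSON: `"eventCategory": "Data"` and `"readOnly": false` are missing their trailing commas, so anyone pasting the record into a parser or a detection-rule test will get a syntax error (the sibling docs in this commit have the commas). Two smaller points in the same hunk: the closing sentence ends with a stray `'` after the parenthesis, and `1'000` should read `1,000`. Since the warm-up enables versioning and the detonation step lists objects "and their versions", it is worth saying explicitly that the destructive form of this call names a `versionId` for every key in the request body, which the `"delete": ""` parameter in the CloudTrail record does not expose; that strengthens the doc's own point that the event alone shows neither what nor how much was removed.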
docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md: 86 additions & 0 deletions
@@ -0,0 +1,86 @@ | ||
--- | ||
title: S3 Ransomware through client-side encryption | ||
--- | ||
|
||
# S3 Ransomware through client-side encryption | ||
|
||
|
||
|
||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Impact | ||
|
||
## Description | ||
|
||
|
||
Simulates S3 ransomware activity that encrypts files in a bucket with a static key, through S3 [client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html) feature. | ||
<span style="font-variant: small-caps;">Warm-up</span>: | ||
|
||
- Create an S3 bucket | ||
- Create a number of files in the bucket, with random content and extensions | ||
|
||
<span style="font-variant: small-caps;">Detonation</span>: | ||
|
||
- List all objects in the bucket | ||
- Overwrite every file in the bucket with an encrypted version, using [S3 client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html) | ||
- Upload a ransom note to the bucket | ||
|
||
References: | ||
|
||
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/ | ||
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | ||
|
||
|
||
## Instructions | ||
|
||
```bash title="Detonate with Stratus Red Team" | ||
stratus detonate aws.impact.s3-ransomware-client-side-encryption | ||
``` | ||
## Detection | ||
|
||
|
||
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. | ||
In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>, <code>CopyObject</code>), | ||
[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>), | ||
or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>). | ||
|
||
Sample CloudTrail event <code>CopyObject</code>, when a file is encrypted with a client-side key: | ||
|
||
```json hl_lines="3 9 11 12" | ||
{ | ||
"eventSource": "s3.amazonaws.com", | ||
"eventName": "CopyObject", | ||
"eventType": "AwsApiCall", | ||
"eventCategory": "Data", | ||
"managementEvent": false, | ||
"readOnly": false, | ||
"requestParameters": { | ||
"bucketName": "target bucket", | ||
"Host": "target bucket.s3.us-east-1.amazonaws.com", | ||
"x-amz-server-side-encryption-customer-algorithm": "AES256", | ||
"x-amz-copy-source": "target bucket/target file.txt", | ||
"key": "target file.txt", | ||
"x-id": "CopyObject" | ||
}, | ||
"responseElements": { | ||
"x-amz-server-side-encryption-customer-algorithm": "AES256" | ||
}, | ||
"resources": [ | ||
{ | ||
"type": "AWS::S3::Object", | ||
"ARN": "arn:aws:s3:::target bucket/target file.txt" | ||
}, | ||
{ | ||
"accountId": "012345678901", | ||
"type": "AWS::S3::Bucket", | ||
"ARN": "arn:aws:s3:::target bucket" | ||
} | ||
] | ||
} | ||
``` | ||
|
||
|
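Review bot: the sample event and the description disagree about which encryption feature is in play. `x-amz-server-side-encryption-customer-algorithm: AES256` in `requestParameters` and `responseElements` is the SSE-C header (server-side encryption with customer-provided keys), where S3 encrypts the object with a key supplied on the request and never stores it, whereas the title, description and both links refer to S3 client-side encryption, where the object is encrypted before upload and the request carries no such header. Either the wording should say SSE-C via `CopyObject`, which matches the "overwrite every file in the bucket with an encrypted version" step and is what a detection should key on (a `CopyObject` whose `x-amz-copy-source` equals the destination `key`, as in the sample, together with an SSE-C header), or the sample should be replaced with a record from a genuine client-side-encryption upload. Also in this hunk: there is no blank line between the description paragraph and the `Warm-up` span, so they render as one paragraph; "through S3 client-side encryption feature" wants "the"; `target bucket` and `target file.txt` contain spaces, unlike `target-bucket` in the sibling docs (bucket names cannot contain spaces); and the detection paragraph, copied from the deletion docs, talks about objects being "downloaded or deleted" while this technique overwrites objects in place, so it should mention in-place overwrites and carry a versioning note of its own (with versioning enabled, the overwrite creates a new version and the previous one stays recoverable, which is the opposite of the deletion variants).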
docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md: 88 additions & 0 deletions
@@ -0,0 +1,88 @@ | ||
--- | ||
title: S3 Ransomware through individual file deletion | ||
--- | ||
|
||
# S3 Ransomware through individual file deletion | ||
|
||
|
||
|
||
|
||
Platform: AWS | ||
|
||
## MITRE ATT&CK Tactics | ||
|
||
|
||
- Impact | ||
|
||
## Description | ||
|
||
|
||
Simulates S3 ransomware activity that empties a bucket through individual file deletion, then uploads a ransom note. | ||
|
||
<span style="font-variant: small-caps;">Warm-up</span>: | ||
|
||
- Create an S3 bucket, with versioning enabled | ||
- Create a number of files in the bucket, with random content and extensions | ||
|
||
<span style="font-variant: small-caps;">Detonation</span>: | ||
|
||
- List all available objects and their versions in the bucket | ||
- Delete all objects in the bucket one by one, using [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) | ||
- Upload a ransom note to the bucket | ||
|
||
Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket. | ||
|
||
References: | ||
|
||
- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf) | ||
- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/) | ||
- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82) | ||
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/ | ||
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | ||
|
||
|
||
## Instructions | ||
|
||
```bash title="Detonate with Stratus Red Team" | ||
stratus detonate aws.impact.s3-ransomware-individual-deletion | ||
``` | ||
## Detection | ||
|
||
|
||
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. | ||
In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>), | ||
[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>), | ||
or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>). | ||
|
||
Sample CloudTrail event <code>DeleteObject</code>, shortened for readability: | ||
|
||
```json hl_lines="3 8 10" | ||
{ | ||
"eventSource": "s3.amazonaws.com", | ||
"eventName": "DeleteObject", | ||
"eventCategory": "Data", | ||
"managementEvent": false, | ||
"readOnly": false, | ||
"requestParameters": { | ||
"bucketName": "target-bucket", | ||
"Host": "target-bucket.s3.us-east-1.amazonaws.com", | ||
"key": "target-object-key", | ||
"x-id": "DeleteObject" | ||
}, | ||
"resources": [ | ||
{ | ||
"type": "AWS::S3::Object", | ||
"ARN": "arn:aws:s3:::target-bucket/target-object-key" | ||
}, | ||
{ | ||
"accountId": "012345678901", | ||
"type": "AWS::S3::Bucket", | ||
"ARN": "arn:aws:s3:::target-bucket" | ||
} | ||
], | ||
"eventType": "AwsApiCall", | ||
"recipientAccountId": "012345678901" | ||
} | ||
``` | ||
|
||
|
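Review bot: the description says this detonation removes all versions of the objects, but the sample `DeleteObject` record has no `versionId` in `requestParameters`. On a versioning-enabled bucket (which the warm-up creates) a `DeleteObject` without `versionId` only adds a delete marker and the data stays recoverable; the destructive call that matches the "list all available objects and their versions" step passes `versionId` explicitly, and that parameter is the field a detection should look for, so the sample should include it and the `hl_lines` should point at it. It is also worth a sentence that this variant emits one CloudTrail data event per object, unlike `DeleteObjects` in the batch variant, which makes a per-principal count of `DeleteObject` events over a short window a workable detection for this technique specifically.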
docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md: empty file, mode changed 100644 → 100755 (no content changes)
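Review bot: this file has its mode flipped from 100644 to 100755 with no content change; a markdown doc does not need the executable bit and the change looks unintended, so it should be reverted to keep the diff to the three new techniques.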