Run All Stratus Techniques
Description
The following script executes all available AWS techniques from Stratus Red Team in the order of the MITRE ATT&CK tactics (attack-chain order). The purpose of the attack simulation is to showcase the breadth of detections that Detect for AWS raises against the Stratus AWS techniques; it does not replicate a real-world attack scenario.
Two techniques trigger detections under the identity of an EC2 instance rather than the IAM user. Because the instance IDs are assigned at launch, identify the instances during the investigation phase of the lab by scanning the script's console output, where each of these techniques prints the ID of the instance it creates:
aws.credential-access.ec2-steal-instance-credentials
aws.discovery.ec2-enumerate-from-instance
This is a long-running script; expect roughly 30 minutes.
Vectra CDR Detections
AWS Suspect Admin Privilege Granting
AWS Suspect Credential Access from SSM
AWS Logging Disabled (to be Retired)
AWS Suspect Public EC2 Change
AWS EC2 Enumeration
AWS Suspect Public EBS Change
AWS Suspect Login Profile Manipulation
AWS Suspect External Access Granting
AWS Suspect Admin Privilege Granting
AWS User Permissions Enumeration
AWS Suspicious Credential Usage
Prerequisite
Create an IAM user and assign Administrator permissions to it. It is best to create a separate IAM user for each attack simulation instead of using your AWS federated identity: every action of the simulation is then attributed to that one user, which makes its activity easy to track and identify. See the IAM User Creation Guide.
Recommended name for IAM user: YOUR_INITIALS-run-all-stratus-techniques
Configure AWS profile using the IAM user credentials.
Run the following command to start the AWS CLI configuration process:
aws configure --profile REPLACE_WITH_YOUR_INITIALS-run-all-stratus-techniques
Enter your AWS Access Key ID and Secret Access Key when prompted. These are the credentials of the IAM user created above; make sure that user has Administrator permissions.
AWS Access Key ID [None]: REPLACE_WITH_IAM_USER_ACCESS_KEY_ID
AWS Secret Access Key [None]: REPLACE_WITH_IAM_USER_SECRET_ACCESS_KEY
Specify the AWS region and output format with the following values when prompted.
Default region name [None]: us-west-2
Default output format [None]: json
You can verify the configuration by running the following command:
aws s3 ls --profile REPLACE_WITH_YOUR_INITIALS-run-all-stratus-techniques
Executing the Attack Simulation
Execute the run-all-Stratus-techniques attack simulation:
export AWS_PROFILE=REPLACE_WITH_YOUR_INITIALS-run-all-stratus-techniques
export AWS_DEFAULT_REGION=us-west-2
cd attack_simulations/
bash ./run_all_stratus_techniques.sh
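As an added example (not the lab's own script and not part of Stratus Red Team), the following wrapper performs the run step above with two checks a practitioner would want: it confirms through STS that the profile resolves to an IAM user before anything is launched, and it mirrors the script's console output to a log file so the EC2 instance IDs printed by the two instance-attributed techniques can be pulled out afterwards instead of being scrolled for by hand. The profile default `XX-run-all-stratus-techniques`, the log file name, and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab page or of Stratus Red Team: wraps the
# run step, checks the configured identity first, mirrors the script's console
# output to a log file, and extracts the EC2 instance IDs from that log.
set -u

# Hypothetical defaults; the profile name follows the lab's recommended
# convention and is normally supplied through AWS_PROFILE as instructed above.
PROFILE="${AWS_PROFILE:-XX-run-all-stratus-techniques}"
REGION="${AWS_DEFAULT_REGION:-us-west-2}"

# Returns 0 when a profile name follows YOUR_INITIALS-run-all-stratus-techniques.
profile_name_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]+-run-all-stratus-techniques$'
}

# Returns 0 when a caller ARN is an IAM user (arn:aws:iam::<account>:user/<name>).
# A federated or assumed-role ARN (arn:aws:sts::...:assumed-role/...) would attach
# the simulation's detections to a different entity than the lab expects.
is_iam_user_arn() {
    printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:user/'
}

# Reads console output on stdin and prints each distinct EC2 instance ID once.
# Instance IDs are "i-" followed by 8 (legacy) or 17 lowercase hex characters.
extract_instance_ids() {
    grep -Eo 'i-[0-9a-f]{8}([0-9a-f]{9})?' | sort -u
}

# Verifies the profile with STS, runs the lab script with its output mirrored
# to a timestamped log, then lists the instance IDs that appeared in the output.
run_simulation() {
    if ! profile_name_ok "$PROFILE"; then
        echo "profile '$PROFILE' does not follow the lab naming convention" >&2
        return 1
    fi
    caller_arn="$(aws sts get-caller-identity --profile "$PROFILE" --query Arn --output text)" || return 1
    if ! is_iam_user_arn "$caller_arn"; then
        echo "expected an IAM user, but the credentials resolve to $caller_arn" >&2
        return 1
    fi
    log="stratus-$(date +%Y%m%dT%H%M%S).log"
    export AWS_PROFILE="$PROFILE" AWS_DEFAULT_REGION="$REGION"
    ( cd attack_simulations && bash ./run_all_stratus_techniques.sh ) 2>&1 | tee "$log"
    echo "EC2 instance IDs seen in $log (look these up in Vectra as EC2 entities):"
    extract_instance_ids < "$log"
}

# Only an explicit "run" argument touches AWS; without it the script just
# defines the helpers, so it can be sourced or checked safely.
if [ "${1:-}" = "run" ]; then
    run_simulation
fi
```

Run it as `bash run_stratus_lab.sh run` from the directory that contains `attack_simulations/`. The STS check matters because the lab attributes every detection to the IAM user; if the profile silently resolved to an assumed role, the Account Detections screen for the user would stay empty. Keep the log: the IDs it yields are the EC2 entities you search for in the investigation steps below.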
Note
Be prepared to provide the screenshot as proof of completing this exercise if requested.
Access Vectra’s platform.
Navigate to the Respond page on the platform to locate your IAM user.
If you followed the recommended naming convention, use "YOUR_INITIALS-run-all-stratus-techniques" as a contains search filter; this locates the user quickly.
Click on the compromised user’s name to access the Account Detections screen.
Take a screenshot of the Account Detections screen. The following detections should be attributed to the IAM user:
AWS Suspect Admin Privilege Granting
AWS Suspect Credential Access from SSM
AWS Logging Disabled
AWS Suspect Public EC2 Change
AWS EC2 Enumeration
AWS Suspect Public EBS Change
AWS Suspect Login Profile Manipulation
AWS Suspect External Access Granting
AWS Suspect Admin Privilege Granting
Two techniques trigger detections under the identity of an EC2 instance rather than the IAM user, so two different flagged EC2 instances will appear, one per detection. Because the instance IDs are assigned at launch, locate them either from the script's console output, where each technique prints the ID of the instance it created, or by searching the Vectra prioritized EC2 entities for instances flagged around the time the simulation ran. The following detections should appear on those instances:
AWS User Permissions Enumeration
AWS Suspicious Credential Usage