Stratus-red-team - Granular, Actionable Adversary Emulation for the Cloud

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner.

Read the announcement blog posts:

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:

Installation

  • Mac OS:

    brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
    brew install datadog/stratus-red-team/stratus-red-team

  • Docker:

    IMAGE="ghcr.io/datadog/stratus-red-team"
    alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building locally

make
./bin/stratus --help

Running locally

go run cmd/stratus/*.go list

Running the tests

make test

Building the documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Maintainer: @christophetd

Similar projects (see how Stratus Red Team compares):

Inspiration and relevant resources:

Comments
  • Unable to assume role

    What is not working? On techniques that create an IAM role during warmup, I can't assume that new role. I'm running stratus with an already assumed role on my AWS account, not root. For example, while looking at the IAM role that is created by https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf#L23, I get a trust relationship on the new role of:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<MY_ACCOUNT_ID>:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

    When it should be something like:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<MY_ACCOUNT_ID>:role/MY_CURRENT_ROLE"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    Looking at the Terraform in https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf#L33, I couldn't find a way to reference the role name instead of the root account.

    What OS are you using? Mac OS X

    What is your Stratus Red Team version? 2.4.1

    Full output? Example error message from Cloudtrail:

    "errorMessage": "User: arn:aws:sts::<MY_ACCOUNT_ID>:assumed-role/<MY_CURRENT_ROLE/stratus-session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<MY_ACCOUNT_ID>:role/sample-role-used-by-stratus-for-ec2-password-data"
    
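Why the AssumeRole call in this issue fails, as an added Go example (not Stratus Red Team's own code): a trust policy that names the account root only delegates the decision to the caller's own identity policy, whereas one that names the role directly is sufficient by itself. The two policies, the account id and the caller ARN are constructed from the redacted values quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TrustResult is what a role's trust policy says about one particular caller.
type TrustResult int

const (
	// NotTrusted: no Allow statement names the caller; sts:AssumeRole always fails.
	NotTrusted TrustResult = iota
	// TrustedViaAccountRoot: the policy names arn:aws:iam::ACCOUNT:root (or the bare account id), which
	// only delegates: the caller ALSO needs sts:AssumeRole on this role in its own identity policy.
	// That is exactly the situation the CloudTrail errorMessage quoted above reports.
	TrustedViaAccountRoot
	// TrustedDirectly: the policy names the caller's role (or session) ARN; nothing else is needed.
	TrustedDirectly
)

// trustPolicy models only the fields of an IAM policy document that this check needs.
type trustPolicy struct {
	Statement []struct {
		Effect    string
		Principal json.RawMessage
		Action    json.RawMessage
	}
}

// stringOrList decodes a value IAM allows to be one string or a list; missing/malformed yields nil.
func stringOrList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// callerRoleARN maps the ARN sts:GetCallerIdentity returns for an assumed-role session
// (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) to the IAM role ARN a trust policy would name.
func callerRoleARN(stsArn string) (account, roleArn string, err error) {
	parts := strings.SplitN(stsArn, ":", 6)
	if len(parts) != 6 || parts[2] != "sts" {
		return "", "", fmt.Errorf("not an STS ARN: %q", stsArn)
	}
	res := strings.Split(parts[5], "/") // assumed-role/ROLE/SESSION
	if len(res) != 3 || res[0] != "assumed-role" {
		return "", "", fmt.Errorf("not an assumed-role session ARN: %q", stsArn)
	}
	return parts[4], "arn:aws:iam::" + parts[4] + ":role/" + res[1], nil
}

// EvaluateTrust reports what the trust policy policyJSON says about callerStsArn.
// Deny statements, Condition blocks and the "*" principal are deliberately not modelled.
func EvaluateTrust(policyJSON, callerStsArn string) (TrustResult, error) {
	var pol trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return NotTrusted, err
	}
	account, roleArn, err := callerRoleARN(callerStsArn)
	if err != nil {
		return NotTrusted, err
	}
	result := NotTrusted
	for _, st := range pol.Statement {
		actions := stringOrList(st.Action)
		if st.Effect != "Allow" || !(contains(actions, "sts:AssumeRole") || contains(actions, "sts:*")) {
			continue
		}
		var principal struct{ AWS json.RawMessage }
		if json.Unmarshal(st.Principal, &principal) != nil {
			continue // Principal given as a bare string ("*"): not modelled here
		}
		aws := stringOrList(principal.AWS) // nil for a Service-only principal
		if contains(aws, roleArn) || contains(aws, callerStsArn) {
			return TrustedDirectly, nil
		}
		if contains(aws, "arn:aws:iam::"+account+":root") || contains(aws, account) {
			result = TrustedViaAccountRoot
		}
	}
	return result, nil
}

// Constructed from the two redacted trust policies quoted above; the account id is made up.
const (
	rootTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"sts:AssumeRole"}]}`
	roleTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/MY_CURRENT_ROLE"},"Action":"sts:AssumeRole"}]}`
	caller    = "arn:aws:sts::111122223333:assumed-role/MY_CURRENT_ROLE/stratus-session"
)
```
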
  • Align Resource Names Created By SRT

    This PR changes the format of all resources created via terraform to be in the form "stratus-red-team-{attack shortname}-{resourceshortname}*". Some resources use random values at the end of the name to guarantee uniqueness, so these are left, but shortened in order to reduce risk of resource name length restrictions.

    I have not been able to test this fully as I do not have personal GCP/AWS/Azure Accounts.

  • Commands fail to connect to AWS

    What is not working? stratus fails to use AWS credentials

    What OS are you using? Ubuntu 18.04.5 x86_64

    What is your Stratus Red Team version? 1.4.0

    Full output?

    ./stratus warmup aws.exfiltration.ec2-security-group-open-port-22-ingress
    2022/02/14 14:47:36 Checking your authentication against the AWS API
    2022/02/14 14:47:36 You are not authenticated against AWS, or you have not set your region. Make sure you are authenticated against AWS, and you have a default region set in your AWS config or environment (export AWS_DEFAULT_REGION=us-east-1)
    

    Files in $HOME/.stratus-red-team?

    ls -altr /home/application/.stratus-red-team/
    total 60620
    drwxr--r--  2 application application     4096 Feb 11 16:11 aws.persistence.iam-backdoor-user
    -rwx------  1 application application 61956096 Feb 11 16:11 terraform
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.privilege-escalation.privileged-pod
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.privilege-escalation.hostpath-volume
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.persistence.create-admin-clusterrole
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.credential-access.steal-serviceaccount-token
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.lambda-backdoor-function
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-create-user-login-profile
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-create-admin-user
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-backdoor-role
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.s3-backdoor-bucket-policy
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.rds-share-snapshot
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-share-ebs-snapshot
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-share-ami
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-security-group-open-port-22-ingress
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.execution.ec2-user-data
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.discovery.ec2-enumerate-from-instance
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.discovery.ec2-download-user-data
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.vpc-remove-flow-logs
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.organizations-leave
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-stop
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-lifecycle-rule
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-event-selectors
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-delete
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ssm-retrieve-securestring-parameters
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.secretsmanager-retrieve-secrets
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ec2-steal-instance-credentials
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ec2-get-password-data
    drwxr--r-- 29 application application     4096 Feb 11 16:28 .
    drwxr-xr-x 14 application application     4096 Feb 14 14:45 ..
    

    It is also worth mentioning that running aws sts get-caller-identity returns the User ID, Account, and role being used. AWS_REGION and AWS_DEFAULT_REGION are both correctly set.

  • Programmatic usage can't use internal package internal/providers

    I'm trying to use stratus-red-team as a library from a custom orchestrator. Basic usage works fine but when trying to replicate the custom technique example, it doesn't seem to be usable outside of the stratus-red-team repo:

    detonate_custom_technique.go:9:2: use of internal package github.com/datadog/stratus-red-team/internal/providers not allowed

    It seems like the AWS provider is critical here and there isn't another way to access it, so to allow for use as a library it shouldn't be marked internal?

    Full example of what I was trying in an empty directory:

    $ go mod init test
    go: creating new go.mod: module test
    go: to add module requirements and sums:
    	go mod tidy
    $ curl -sO https://raw.githubusercontent.com/DataDog/stratus-red-team/main/examples/custom/detonate_custom_technique.go
    $ curl -sO https://raw.githubusercontent.com/DataDog/stratus-red-team/main/examples/custom/prerequisites.tf            
    $ go get github.com/datadog/stratus-red-team
    go get: added github.com/datadog/stratus-red-team v1.7.0
    $ go get -d                                 
    $ go run detonate_custom_technique.go       
    package command-line-arguments
    	detonate_custom_technique.go:9:2: use of internal package github.com/datadog/stratus-red-team/internal/providers not allowed
    
  • Detonations of EBS related exfil techniques fails when EBS encryption by default is enabled for a region

    What is not working? Detonation fails for aws.exfiltration.ec2-share-ami and aws.exfiltration.ec2-share-ebs-snapshot when EBS encryption by default is enabled for a region

    What OS are you using? N/A

    What is your Stratus Red Team version? stratus version

    Full output?

    $ stratus detonate aws.exfiltration.ec2-share-ami
    2022/03/29 20:14:20 Checking your authentication against the AWS API
    2022/03/29 20:14:21 Not warming up - aws.exfiltration.ec2-share-ami is already warm. Use --force to force
    2022/03/29 20:14:21 Exfiltrating AMI ami-083ab591a70549402 by sharing it with an external AWS account
    2022/03/29 20:14:21 Error while detonating attack technique aws.exfiltration.ec2-share-ami: Unable to share AMI with external AWS account: operation error EC2: ModifyImageAttribute, https response error StatusCode: 400, RequestID: 97354885-357c-497f-b784-3365a5294736, api error InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
    
    $ stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
    2022/03/29 20:20:23 Checking your authentication against the AWS API
    2022/03/29 20:20:23 Not warming up - aws.exfiltration.ec2-share-ebs-snapshot is already warm. Use --force to force
    2022/03/29 20:20:23 Sharing the volume snapshot snap-00d459dab53c44042 with an external AWS account...
    2022/03/29 20:20:23 Error while detonating attack technique aws.exfiltration.ec2-share-ebs-snapshot: operation error EC2: ModifySnapshotAttribute, https response error StatusCode: 400, RequestID: 12f44aeb-7b3b-4488-ac46-a432d20cc7a9, api error OperationNotPermitted: Encrypted snapshots with EBS default key cannot be shared
    

    Files in $HOME/.stratus-red-team? N/A

  • invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

    What is not working? When trying to run stratus warmup k8s.privilege-escalation.hostpath-volume I'm getting the following error:

    2022/08/23 17:24:04 Checking your authentication against kubernetes
    W0823 17:24:04.261007       1 client_config.go:617] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
    W0823 17:24:04.261272       1 client_config.go:622] error creating inClusterConfig, falling back to default config: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined
    2022/08/23 17:24:04 unable to build kube config: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
    

    I have set the env var KUBECONFIG=~/.kube/config and when running kubectl cluster-info I'm getting the connected cluster information.

    My kubeconfig looks like this:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: ""
        server: https://<server_name>.eks.amazonaws.com
      name: <arn>
    contexts:
    - context:
        cluster: <arn>
        user: <arn>
      name: <arn>
    current-context: <arn>
    kind: Config
    preferences: {}
    users:
    - name: <arn>
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - --region
          - <region>
          - eks
          - get-token
          - --cluster-name
          - <cluster_name>
          command: aws
    

    What OS are you using? Linux

    What is your Stratus Red Team version? stratus V2.1.0

  • Initial Azure support

    What does this PR do?

    • Add support for Azure techniques with a new provider

    Motivation

    • See #52

    Checklist

    • [x] Builds
    • [x] Manual testing
    • [x] Docs
    • [x] Tests
  • New attack technique: Create ClusterAdmin role

    What does this PR do?

    Introduce a new TTP

    Checklist

    • [x] The attack technique emulates a single attack step, not a full attack chain
    • [x] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers - common privesc / persistence TTP
    • [x] The attack technique makes no assumption about the state of the environment prior to warming it up

    Discussion points

    • Should this be privesc or persistence?

    Sample output

    2022/02/07 23:28:36 Checking your authentication against Kubernetes
    2022/02/07 23:28:36 Creating Cluster Role stratus-red-team-clusterrole
    2022/02/07 23:28:36 Creating Service Account stratus-red-team-serviceaccount
    2022/02/07 23:28:36 Creating Cluster Role Binding to map the service account to the cluster role
    2022/02/07 23:28:36 Successfully generate service account token:
    
    eyJhbGciO...
    

    Decoding to: [image of the decoded token]

  • Techniques stuck in "DETONATED" when resource does not exist

    What is not working?

    The Code42 SecOps team has identified two techniques which can get stuck in the DETONATED state and fail to CLEANUP or REVERT (even using force flags).

    • aws.exfiltration.s3-backdoor-bucket-policy
    • aws.defense-evasion.cloudtrail-lifecycle-rule

    Techniques enter this state when the AWS infrastructure used to run the test has been deleted from the environment, but the local Stratus still has the state as DETONATED.

    Neither the REVERT nor CLEANUP with force flags were successful in restoring to a WARM or COLD state.

    It appears that the CLEANUP and REVERT attempt to clean up the AWS infrastructure by making API calls to delete the resources that had been created when the technique was detonated. This makes sense. However, upon receipt of a 404 error, it simply prints the error and leaves the technique in the detonated state.

    What SHOULD happen?

    Upon receipt of a 404 error during CLEANUP (and/or REVERT), particularly with --force:

    • Execution should continue to refresh the state file to indicate the resource no longer exists
    • REVERT (--force)
      • Revert to WARM state, ready to run again (probably need checks to confirm warmup infrastructure exists)
    • CLEANUP (--force)
      • Revert to COLD state

    System Details

    | OS Version | Stratus Version |
    | - | - |
    | Mac OS X | 2.0.0 |

    Full output?

    $ stratus cleanup aws.defense-evasion.cloudtrail-lifecycle-rule --force
    2022/09/06 11:51:53 Cleaning up aws.defense-evasion.cloudtrail-lifecycle-rule
    2022/09/06 11:51:53 Reverting detonation of technique aws.defense-evasion.cloudtrail-lifecycle-rule
    2022/09/06 11:51:53 Reverting S3 Lifecycle Rules on CloudTrail S3 bucket my-cloudtrail-bucket-gmctuebrbigvfczn
    2022/09/06 11:51:54 unable to revert detonation of aws.defense-evasion.cloudtrail-lifecycle-rule: unable to revert detonation of aws.defense-evasion.cloudtrail-lifecycle-rule: unable to revert S3 Lifecycle Policy Rule: operation error S3: DeleteBucketLifecycle, https response error StatusCode: 404, RequestID: request_id, HostID: host_id, api error NoSuchBucket: The specified bucket does not exist
    +-----------------------------------------------+------------------------------------------------------+-----------+
    | ID                                            | NAME                                                 | STATUS    |
    +-----------------------------------------------+------------------------------------------------------+-----------+
    | aws.defense-evasion.cloudtrail-lifecycle-rule | CloudTrail Logs Impairment Through S3 Lifecycle Rule | DETONATED |
    +-----------------------------------------------+------------------------------------------------------+-----------+
    

    Files in $HOME/.stratus-red-team?

    If these are needed, I can get my local in the correct state to recreate them.

    Workaround - Return to COLD state

    Manually deleting the files at $HOME/.stratus-red-team/technique restored to a COLD state.
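
One way to implement the behaviour requested in this issue, as an added Go example that is not Stratus Red Team's own code: a cleanup that, with --force, treats a 404 on the revert or destroy step as "already gone" and still advances the state, while any other error (and a 404 without --force) keeps the technique where it is. The Technique type, NotFoundError and the stuck scenario are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// State mirrors the three states a Stratus Red Team technique moves through.
type State string

const (
	Cold      State = "COLD"      // nothing deployed
	Warm      State = "WARM"      // prerequisites deployed, technique not yet detonated
	Detonated State = "DETONATED" // technique detonated, revert pending
)

// NotFoundError stands in for an AWS API error such as NoSuchBucket (HTTP 404): the resource
// that the revert or destroy step wants to remove is already gone. Constructed for this example.
type NotFoundError struct{ Resource string }

func (e *NotFoundError) Error() string { return e.Resource + ": resource does not exist (404)" }

func isNotFound(err error) bool {
	var nf *NotFoundError
	return errors.As(err, &nf)
}

// Technique is the minimal model needed here: its current state plus the two undo actions.
type Technique struct {
	ID      string
	State   State
	Revert  func() error // undo the detonation, e.g. delete the S3 lifecycle rule
	Destroy func() error // tear down the prerequisites (terraform destroy)
}

// step runs one undo action and decides whether the state may advance. A 404 means the resource
// is already gone: with --force it is logged and treated as success; without it the error is
// returned and the technique stays in its current state, which is the behaviour reported above.
func step(t *Technique, name string, action func() error, force bool) error {
	err := action()
	switch {
	case err == nil:
		return nil
	case force && isNotFound(err):
		log.Printf("%s: %s failed with %v; --force set, treating the resource as already removed", t.ID, name, err)
		return nil
	default:
		return fmt.Errorf("unable to %s %s: %w", name, t.ID, err)
	}
}

// Revert moves DETONATED -> WARM (no-op in any other state).
func Revert(t *Technique, force bool) error {
	if t.State != Detonated {
		return nil
	}
	if err := step(t, "revert detonation of", t.Revert, force); err != nil {
		return err
	}
	t.State = Warm
	return nil
}

// Cleanup moves DETONATED -> WARM -> COLD, refreshing the state after each successful step.
func Cleanup(t *Technique, force bool) error {
	if err := Revert(t, force); err != nil {
		return err
	}
	if t.State == Warm {
		if err := step(t, "destroy prerequisites of", t.Destroy, force); err != nil {
			return err
		}
		t.State = Cold
	}
	return nil
}

// newStuckTechnique builds the scenario from the issue: the CloudTrail bucket was deleted outside
// Stratus, so the revert step's API call comes back 404. Constructed sample, not real state.
func newStuckTechnique() *Technique {
	return &Technique{
		ID:      "aws.defense-evasion.cloudtrail-lifecycle-rule",
		State:   Detonated,
		Revert:  func() error { return &NotFoundError{Resource: "my-cloudtrail-bucket"} },
		Destroy: func() error { return nil },
	}
}

func main() {
	t := newStuckTechnique()
	fmt.Println(Cleanup(t, false), t.State) // without --force: error, state stays DETONATED
	fmt.Println(Cleanup(t, true), t.State)  // with --force: <nil>, state COLD
}
```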

  • SSM command fails for EC2 steal instance creds attack

    What is not working?

    Using a clean install/configuration of both aws-vault and stratus, the "aws.credential-access.ec2-steal-instance-credentials" technique fails to run the SSM command because stratus doesn't wait long enough for the EC2 instance to initialize and transition to a truly "ready" state. When running the warmup, detonate and cleanup commands manually, the attack works as expected.

    What OS are you using?

    macOS

    What is your Stratus Red Team version?

    ❯ stratus version
    1.6.1
    

    Full output?

    ❯ stratus detonate aws.credential-access.ec2-steal-instance-credentials --cleanup
    2022/03/29 10:56:21 Checking your authentication against AWS
    2022/03/29 10:56:22 Warming up aws.credential-access.ec2-steal-instance-credentials
    2022/03/29 10:56:22 Initializing Terraform to spin up technique prerequisites
    2022/03/29 10:56:26 Applying Terraform to spin up technique prerequisites
    2022/03/29 10:58:24 Instance id i-1234 in us-east-1a ready
    2022/03/29 10:58:24 Running command through SSM on i-1234: curl 169.254.169.254/latest/meta-data/iam/security-credentials/stratus-ec2-credentials-instance-role/
    2022/03/29 10:58:24 Cleaning up aws.credential-access.ec2-steal-instance-credentials
    2022/03/29 10:58:24 Cleaning up technique prerequisites with terraform destroy
    2022/03/29 10:59:25 Error while detonating attack technique aws.credential-access.ec2-steal-instance-credentials: unable to send SSM command to instance: operation error SSM: SendCommand, https response error StatusCode: 400, RequestID: 8d7d3000-ddd0-4116-9b38-83750ccd785c, InvalidInstanceId: Instances [[i-1234]] not in a valid state for account 5678
    

    Files in $HOME/.stratus-red-team? ls -lahR

    total 140240
    drwxr--r--  31 user  staff   992B Mar 29 10:59 .
    drwxr-x---+ 74 user  staff   2.3K Mar 29 11:01 ..
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ec2-get-password-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.secretsmanager-retrieve-secrets
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ssm-retrieve-securestring-parameters
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-delete
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-event-selectors
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-lifecycle-rule
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-stop
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.organizations-leave
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.vpc-remove-flow-logs
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-download-user-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-enumerate-from-instance
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.execution.ec2-user-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-security-group-open-port-22-ingress
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ami
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ebs-snapshot
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.rds-share-snapshot
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.s3-backdoor-bucket-policy
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-role
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-user
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-admin-user
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-user-login-profile
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.lambda-backdoor-function
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.dump-secrets
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.steal-serviceaccount-token
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.persistence.create-admin-clusterrole
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.hostpath-volume
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.nodes-proxy
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.privileged-pod
    -rwx------   1 user  staff    68M Mar 28 15:17 terraform
    
    
  • New attack technique: Persistence AWS Roles Anywhere

    What does this PR do?

    • New attack technique

    Motivation

    • AWS has launched a new service called Roles Anywhere that provides a secure way for workloads such as servers, containers, and applications that run outside of AWS to obtain temporary AWS credentials. To be able to obtain AWS credentials, it is necessary to establish trust between the AWS environment and the public key infrastructure (PKI) by creating a trust anchor.

      As this is a new service, there is no factual evidence that the attack technique was used by real malware, pentesters, or attackers, but because of its nature, it clearly allows gaining persistence in AWS (and probably, in some cases, escalating privileges).

      As this service is new and not well known, it is the perfect candidate for adversaries to use to gain persistence and not be detected. For this reason, I think it's important to start looking at it and not wait till we see adversaries start abusing it.

    Checklist

    • [x] The attack technique emulates a single attack step, not a full attack chain
    • [ ] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
    • [x] The attack technique makes no assumption about the state of the environment prior to warming it up
  • AWS Resource Tagging as an Optional Parameter to Detonate

    Discussed in https://github.com/DataDog/stratus-red-team/discussions/193

    Originally posted by nix-xin, September 30, 2022

    Problem Summary

    Resource tagging in AWS is metadata applied to resources at the time of creation. Tags allow for easier management, searching, and filtering of AWS resources. It is possible for organizations to enforce tagging on specific resources, and if the appropriate tags are not provided, the creation of a resource can be denied. When running a Stratus AWS technique, the warmup phase may be denied because of improper tags, or none provided, with no useful information as to why the warmup failed.

    Possible Solution

    Allow Stratus to accept an optional flag for custom tags passed in the warmup phase as Terraform is spinning up the required infrastructure for a technique. The tags can be colon-separated key:value pairs separated by commas.

    Here's an example: stratus detonate aws.persistence.lambda-backdoor-function --tags "owner:[email protected], reason:stratus testing"
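
An added Go example (not part of the request above, nor Stratus Red Team's code) of parsing the proposed --tags format and checking the pairs against the limits AWS places on tags before Terraform runs, so a rejected warmup can be explained locally; the tag values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParseTags parses the format proposed above, comma-separated key:value pairs such as
// `owner:alice, reason:stratus testing`, into a map. Only the first colon of a pair separates
// key from value, so values may themselves contain colons (timestamps, ARNs).
func ParseTags(spec string) (map[string]string, error) {
	tags := map[string]string{}
	if strings.TrimSpace(spec) == "" {
		return tags, nil
	}
	for _, pair := range strings.Split(spec, ",") {
		kv := strings.SplitN(pair, ":", 2)
		key := strings.TrimSpace(kv[0])
		if len(kv) != 2 || key == "" {
			return nil, fmt.Errorf("tag %q is not of the form key:value", strings.TrimSpace(pair))
		}
		if _, dup := tags[key]; dup {
			return nil, fmt.Errorf("tag key %q given more than once", key)
		}
		tags[key] = strings.TrimSpace(kv[1])
	}
	return tags, nil
}

// ValidateAWSTags applies the limits AWS enforces on resource tags: keys up to 128 characters,
// values up to 256, and the "aws:" key prefix reserved for AWS itself. Failing these locally
// gives a clear message instead of the uninformative warmup failure the request describes.
func ValidateAWSTags(tags map[string]string) error {
	var problems []string
	for k, v := range tags {
		switch {
		case len([]rune(k)) > 128:
			problems = append(problems, fmt.Sprintf("key %q exceeds 128 characters", k))
		case len([]rune(v)) > 256:
			problems = append(problems, fmt.Sprintf("value of %q exceeds 256 characters", k))
		case strings.HasPrefix(strings.ToLower(k), "aws:"):
			problems = append(problems, fmt.Sprintf("key %q uses the reserved aws: prefix", k))
		}
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	// Constructed sample in the proposed format (the e-mail address is made up).
	tags, err := ParseTags("owner:alice@example.com, reason:stratus testing")
	fmt.Println(tags, err, ValidateAWSTags(tags))
}
```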

  • k8s.persistence.create-token false positive on GKE/EKS

    What is not working? The k8s.persistence.create-token attack will work on GKE and EKS but although it requests a token with a one year lifespan those providers are silently limiting the token to 48 and 24 hours respectively.

    As an example, after running the attack on a GKE 1.22 cluster, the following issued and expiry times are present on the token returned:

      "exp": 1660757418,
      "iat": 1660584618,
    

    which is a 48-hour expiry. Probably the best way to fix this is to decode the token returned and confirm that the token duration requested matched the issued token.

    What OS are you using? Mac OS X

    What is your Stratus Red Team version? 2.3.0
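
The check suggested in this issue, decoding the returned token and comparing its issued lifetime with the one requested, as an added Go example that is not Stratus Red Team's code; the iat/exp values are the ones quoted above, while the token wrapped around them is constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// tokenLifetime reads the iat and exp claims of a Kubernetes service account token (a JWT) and
// returns how long the issuer actually made it valid. The signature is not verified: the caller
// has just received the token from the API server and only wants to know what it was granted.
func tokenLifetime(token string) (time.Duration, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a JWT: expected 3 dot-separated segments, got %d", len(parts))
	}
	// JWT segments are base64url without padding; tolerate padded input anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return 0, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims struct {
		Iat int64 `json:"iat"`
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return 0, fmt.Errorf("parsing JWT claims: %w", err)
	}
	if claims.Iat == 0 || claims.Exp == 0 || claims.Exp <= claims.Iat {
		return 0, fmt.Errorf("token has no usable iat/exp claims (iat=%d exp=%d)", claims.Iat, claims.Exp)
	}
	return time.Duration(claims.Exp-claims.Iat) * time.Second, nil
}

// CheckRequestedLifetime compares what the TokenRequest asked for with what was issued. It returns
// the issued lifetime and false when the platform silently capped it, which is the GKE/EKS
// behaviour this issue describes (48h / 24h instead of the requested year).
func CheckRequestedLifetime(token string, requested time.Duration) (time.Duration, bool, error) {
	issued, err := tokenLifetime(token)
	if err != nil {
		return 0, false, err
	}
	// Small slack: issuers may round iat/exp to whole seconds.
	return issued, issued >= requested-time.Minute, nil
}

// makeUnsignedToken builds a JWT-shaped string from claims for offline use. Constructed sample:
// the signature segment is a placeholder, which is fine because tokenLifetime never verifies it.
func makeUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
}

// gkeCappedToken reproduces the iat/exp values quoted in the issue (exp-iat = 172800s = 48h);
// the issuer and subject are made up.
func gkeCappedToken() string {
	return makeUnsignedToken(map[string]interface{}{
		"iss": "https://example.invalid/cluster",
		"sub": "system:serviceaccount:kube-system:clusterrole-aggregation-controller",
		"iat": 1660584618,
		"exp": 1660757418,
	})
}

func main() {
	issued, honoured, err := CheckRequestedLifetime(gkeCappedToken(), 365*24*time.Hour)
	fmt.Printf("issued for %v, requested lifetime honoured: %v, err: %v\n", issued, honoured, err)
}
```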

  • K8s provider: support KUBECONFIG environment variable containing multiple paths

    What is not working? Running Kubernetes Attacks when the user is using a KUBECONFIG environment variable

    What OS are you using? Mac OS X

    What is your Stratus Red Team version? 2.3.0

    Full output? First run with KUBECONFIG set, output looks like this

    stratus detonate k8s.persistence.create-token
    2022/08/15 18:30:03 Checking your authentication against kubernetes
    2022/08/15 18:30:03 unable to build kube config: stat /Users/rory.mccune/.kube/config:/Users/rory.mccune/.kube/kubeconfigs/kubeadm2nodeconfig.yaml:/Users/rory.mccune/.kube/kubeconfigs/traceeclusterconfig.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm122config.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadmcontainerd.yaml:/Users/rory.mccune/.kube/kubeconfigs/calicotracee.yaml:/Users/rory.mccune/.kube/kubeconfigs/kube123.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm118.yaml:/Users/rory.mccune/.kube/kubeconfigs/ubuntu2110.yaml:/Users/rory.mccune/.kube/kubeconfigs/kube124.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm123win.yaml: no such file or directory
    

    If I then unset the KUBECONFIG variable the attack works ok.

    stratus detonate k8s.persistence.create-token
    2022/08/15 18:30:17 Checking your authentication against kubernetes
    2022/08/15 18:30:18 Creating a long-lived token for the service account clusterrole-aggregation-controller in kube-system
    2022/08/15 18:30:18 Successfully created a long-lived token valid for 1 year:
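
    The error above comes from treating the whole KUBECONFIG value as one file name. kubectl, and client-go's `clientcmd.NewDefaultClientConfigLoadingRules()`, treat it as an OS path list and merge every file that exists. The block below is an added example, not Stratus Red Team's code: it reimplements just that path handling with the standard library so the failure mode is visible, and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// kubeconfigCandidates mirrors what kubectl does with KUBECONFIG: split it as
// an OS path list (':' on Unix, ';' on Windows), drop empty entries, and fall
// back to $HOME/.kube/config when the variable is unset or empty.
func kubeconfigCandidates(kubeconfigEnv, home string) []string {
	if kubeconfigEnv == "" {
		return []string{filepath.Join(home, ".kube", "config")}
	}
	var paths []string
	for _, p := range filepath.SplitList(kubeconfigEnv) {
		if p != "" {
			paths = append(paths, p)
		}
	}
	return paths
}

// existingKubeconfigs returns the candidates present on disk, stat-ing each
// entry on its own. Stat-ing the whole colon-joined string is exactly the
// mistake in the error above: no file named "a:b:c" exists.
func existingKubeconfigs(candidates []string) ([]string, error) {
	var found []string
	for _, p := range candidates {
		if info, err := os.Stat(p); err == nil && !info.IsDir() {
			found = append(found, p)
		}
	}
	if len(found) == 0 {
		return nil, errors.New("no kubeconfig file found in KUBECONFIG or ~/.kube/config")
	}
	return found, nil
}

func main() {
	home, _ := os.UserHomeDir()
	candidates := kubeconfigCandidates(os.Getenv("KUBECONFIG"), home)
	files, err := existingKubeconfigs(candidates)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("kubeconfig files that would be merged, in precedence order:")
	for _, f := range files {
		fmt.Println(" ", f)
	}
}
```

    In a real client the surviving list is what you hand to client-go's loading rules (its `Precedence` field) so that contexts from every file are merged, with earlier files winning on conflicts, instead of building the config from a single path.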
    
  • GCP: Granting a project role to a @gmail.com e-mail address

    Background: To backdoor a project, an attacker could grant an external e-mail address permissions on the project, i.e.

    gcloud projects add-iam-policy-binding [PROJECT] \
        --member user:[email protected] --role roles/editor
    

    In an enterprise context, this is likely to be considered suspicious
