Creates a new technique to test detections around disabling DNS query logging in AWS #479

Merged
merged 4 commits into from
Feb 6, 2024
40 changes: 40 additions & 0 deletions docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md
@@ -0,0 +1,40 @@
---
title: Delete DNS query logs
---

# Delete DNS query logs




Platform: AWS

## MITRE ATT&CK Tactics


- Defense Evasion

## Description


Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.

<span style="font-variant: small-caps;">Warm-up</span>:

- Create a DNS logging configuration.

<span style="font-variant: small-caps;">Detonation</span>:

- Delete the DNS logging configuration using <code>route53:DeleteQueryLoggingConfig</code>.

## Instructions

```bash title="Detonate with Stratus Red Team"
stratus detonate aws.defense-evasion.dns-delete-logs
```
## Detection


Identify when a DNS logging configuration is deleted, through CloudTrail's <code>DeleteQueryLoggingConfig</code> event.


2 changes: 2 additions & 0 deletions docs/attack-techniques/AWS/index.md
@@ -27,6 +27,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT

- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md)

- [Delete DNS query logs](./aws.defense-evasion.dns-delete-logs.md)

- [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md)

- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md)
1 change: 1 addition & 0 deletions docs/attack-techniques/list.md
@@ -18,6 +18,7 @@ This page contains the list of all Stratus Attack Techniques.
| [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Delete DNS query logs](./AWS/aws.defense-evasion.dns-delete-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |
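Review bot: the new row's name is in sentence case ("Delete DNS query logs") while every neighbouring row uses title case ("Stop CloudTrail Trail", "Attempt to Leave the AWS Organization", "Remove VPC Flow Logs"). Since list.md, AWS/index.md and index.yaml are all generated from the technique's display name, fix the casing once in the technique definition so it propagates consistently, e.g. "Delete DNS Query Logs" (or "Delete DNS Query Logging Configuration", which matches what the detonation does).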
7 changes: 7 additions & 0 deletions docs/index.yaml
@@ -64,6 +64,13 @@ AWS:
- Defense Evasion
platform: AWS
isIdempotent: true
- id: aws.defense-evasion.dns-delete-logs
name: Delete DNS query logs
isSlow: false
mitreAttackTactics:
- Defense Evasion
platform: AWS
isIdempotent: false
- id: aws.defense-evasion.organizations-leave
name: Attempt to Leave the AWS Organization
isSlow: false
100 changes: 50 additions & 50 deletions examples/basic/go.mod
@@ -7,38 +7,38 @@ replace github.com/datadog/stratus-red-team/v2 => ../../v2
require github.com/datadog/stratus-red-team/v2 v2.0.0-00010101000000-000000000000

require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
github.com/aws/aws-sdk-go-v2 v1.16.7 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.1.0 // indirect
github.com/aws/aws-sdk-go-v2/config v1.13.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.10.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.4 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.13.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ec2 v1.26.0 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.6.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.10.0 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.17.0 // indirect
github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/rds v1.16.0 // indirect
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.0.0 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.14.0 // indirect
github.com/aws/smithy-go v1.12.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect
github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.3 // indirect
github.com/aws/aws-sdk-go-v2/config v1.25.11 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.16.9 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ec2 v1.138.2 // indirect
github.com/aws/aws-sdk-go-v2/service/iam v1.28.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.8 // indirect
github.com/aws/aws-sdk-go-v2/service/lambda v1.49.2 // indirect
github.com/aws/aws-sdk-go-v2/service/organizations v1.23.2 // indirect
github.com/aws/aws-sdk-go-v2/service/rds v1.64.2 // indirect
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.6.2 // indirect
github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2 // indirect
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.25.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ssm v1.44.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 // indirect
github.com/aws/smithy-go v1.19.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-logr/logr v1.2.0 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang/protobuf v1.5.2 // indirect
@@ -48,10 +48,10 @@ require (
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/gnostic v0.5.5 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-version v1.4.0 // indirect
github.com/hashicorp/hc-install v0.3.2 // indirect
github.com/hashicorp/terraform-exec v0.15.0 // indirect
github.com/hashicorp/terraform-json v0.13.0 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
github.com/hashicorp/hc-install v0.4.0 // indirect
github.com/hashicorp/terraform-exec v0.17.3 // indirect
github.com/hashicorp/terraform-json v0.14.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
@@ -61,26 +61,26 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/zclconf/go-cty v1.9.1 // indirect
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
github.com/zclconf/go-cty v1.11.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.27.1 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/api v0.23.3 // indirect
k8s.io/apimachinery v0.23.3 // indirect
k8s.io/client-go v0.23.3 // indirect
k8s.io/klog/v2 v2.30.0 // indirect
k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.25.3 // indirect
k8s.io/apimachinery v0.25.3 // indirect
k8s.io/client-go v0.25.3 // indirect
k8s.io/klog/v2 v2.70.1 // indirect
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.2.0 // indirect
)
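Review bot: the rewrite of examples/basic/go.mod is unrelated to the new DNS technique and belongs in its own commit or PR; 100 changed lines of version bumps in a PR titled "Creates a new technique ..." make review harder and bury the security-relevant upgrades among them (golang.org/x/crypto, golang.org/x/net, golang.org/x/text, gopkg.in/yaml.v3, the aws-sdk-go-v2 modules, k8s.io/client-go). Every changed requirement is `// indirect` and pulled in through the `replace ... => ../../v2` directive, so these lines are normally refreshed by `go mod tidy` rather than edited by hand; the commit message should say which command produced them. The visible diff also contains no change to examples/basic/go.sum, so confirm that file was regenerated and that `cd examples/basic && go build ./...` still succeeds, otherwise the module graph will fail verification for anyone building the example.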