T1580 - Cloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
Atomic Tests
Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance
This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
Supported Platforms: Linux, macOS, Iaas:aws
auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1580/src|
| aws_region | AWS region to detonate | string | us-west-2|
Attack Commands: Run with
!
1
2
3
4
5
6
| export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "Stratus: Start Warmup."
./stratus warmup aws.discovery.ec2-enumerate-from-instance
echo "Stratus: Start Detonate."
./stratus detonate aws.discovery.ec2-enumerate-from-instance
|
Cleanup Commands:
1
2
3
4
5
| cd #{stratus_path}
echo "Stratus: Start Cleanup."
./stratus cleanup aws.discovery.ec2-enumerate-from-instance
echo "Removing Stratus artifacts from local machine."
rm -rf stratus*
|
Dependencies: Run with
!
Description: Stratus binary must be present at the (#{stratus_path}/stratus)
Check Prereq Commands:
1
| if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
|
Get Prereq Commands:
1
2
3
4
5
6
7
| if [ "$(uname)" = "Darwin" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi
|
Check Prereq Commands:
1
| cat ~/.aws/credentials | grep "default"
|
Get Prereq Commands:
1
| echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
|
Atomic Test #2 - AWS - EC2 Security Group Enumeration
Simulate an attacker’s action to enumerate EC2 Security Groups in a compromised AWS environment.
Supported Platforms: Iaas:aws
auto_generated_guid: 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| aws_profile | AWS CLI profile name | string | default|
| output_format | Desired output format (text, table, json) | string | json|
Attack Commands: Run with
!
aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
Dependencies: Run with
!
Check Prereq Commands:
type aws || aws --version
Get Prereq Commands:
if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
fi
Check Prereq Commands:
aws sts get-caller-identity --profile #{aws_profile}
Get Prereq Commands:
if ! aws sts get-caller-identity --profile #{aws_profile}; then
echo "AWS CLI not properly configured. Please configure AWS CLI."
fi