A guide to simplify the process of evaluating Datadog's Cloud SIEM security capabilities to detect AWS threats.

Primary language: Shell. License: Apache-2.0.

Datadog AWS Threat Emulation Guide

This guide simplifies the process of evaluating Datadog's Cloud SIEM security capabilities to detect AWS threats and alert in real-time. This is done by simulating attacks using Stratus Red Team.

Prerequisites

  • A functional Datadog trial or production environment with:
  • An AWS sandbox account - Stratus Red Team is meant to be used against a cloud account that does not handle production workloads or infrastructure.
  • Stratus Red Team installed, to execute simulated attack techniques against the AWS environment (supports macOS, Linux, Windows and Docker).
  • Prior AWS authentication through the CLI using either aws-vault or the AWS CLI, with AdministratorAccess permissions.

Stratus Red Team supports attacks for other platforms including Azure, Google Cloud and Kubernetes. This guide focuses on AWS.

Installation

To install Stratus Red Team, follow the Stratus Red Team installation guide.

Emulating Attacks

Detonate individual attacks

You can detonate Stratus Red Team attack techniques individually as shown below.

  • Detonate an attack technique:
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
  • Detonate multiple attack techniques:
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.cloudtrail-stop
  • Detonate an attack technique, then automatically clean up any resources deployed on AWS:
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup

Detonate all attacks

Using the stratus.sh script, you can detonate all available Stratus Red Team attack techniques at once. This takes around 30 minutes to complete and might hit service limits in your AWS account (e.g. number of VPCs), so we suggest detonating each technique individually.

Cleanup

  • Clean up a specific attack technique:
stratus cleanup aws.defense-evasion.cloudtrail-stop
  • Clean up all detonated attack techniques:
stratus cleanup --all

For more details on usage, refer to the Stratus Red Team Usage Guide and the Stratus Red Team Command Reference.

Validating Detections

Note that Datadog's out-of-the-box Cloud SIEM Rules are not limited to the attack techniques available in Stratus Red Team.

In Datadog, navigate to Security > Cloud SIEM > Signals and filter by source:cloudtrail @http.useragent:*stratus-red-team* to validate the signals generated by the emulation.

Expect the following detections:

| Stratus Red Team attack technique | Cloud SIEM out-of-the-box detection |
|---|---|
| Retrieve EC2 Password Data | Encrypted administrator password retrieved for Windows EC2 instance |
| Steal EC2 Instance Credentials | AWS GuardDuty finding - Credentials for instance role stratus-red-team-ec2-steal-credentials-role used from external IP address |
| Delete CloudTrail Trail | AWS CloudTrail configuration modified |
| Disable CloudTrail Logging Through Event Selectors | AWS Disable Cloudtrail with event selectors |
| CloudTrail Logs Impairment Through S3 Lifecycle Rule | An AWS S3 bucket lifecycle policy expiration is set to < 90 days |
| Stop CloudTrail Trail | AWS CloudTrail configuration modified |
| Attempt to Leave the AWS Organization | An AWS account attempted to leave the AWS Organization |
| Remove VPC Flow Logs | AWS VPC Flow Log deleted |
| Execute Discovery Commands on an EC2 Instance | An EC2 instance attempted to enumerate S3 bucket |
| Execute Commands on EC2 Instance via User Data | Possible AWS EC2 privilege escalation via the modification of user data |
| Open Ingress Port 22 on a Security Group | AWS security group created, modified or deleted; Potential administrative port open to the world via AWS security group |
| Exfiltrate an AMI by Sharing It | Amazon EC2 AMI exfiltration attempt |
| Exfiltrate EBS Snapshot by Sharing It | AWS EBS Snapshot possible exfiltration |
| Exfiltrate RDS Snapshot by Sharing | Possible RDS Snapshot Exfiltration |
| Backdoor an S3 Bucket via its Bucket Policy | Amazon S3 Bucket policy modified |
| Console Login without MFA | AWS Console login without MFA |
| Backdoor an IAM Role | AWS IAM AdministratorAccess policy was applied to a role |
| Create an administrative IAM User | AWS IAM AdministratorAccess policy was applied to a user |
| Create a Login Profile on an IAM User | Possible privilege escalation via AWS login profile manipulation |
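When a signal you expected from the table above does not show up, it helps to know whether the API call ever reached CloudTrail at all. The script below is an added example (not part of this guide or of Stratus Red Team): it applies the same user-agent predicate as the guide's Datadog filter to raw CloudTrail records, counts the Stratus-tagged API calls, and lists the techniques whose expected call is absent. The records are constructed, and the eventName-to-technique mapping is an assumption to check against `stratus show <technique>`.

```python
"""Triage CloudTrail records from a Stratus Red Team run (added example)."""
import json
from collections import Counter

STRATUS_UA_MARKER = "stratus-red-team"  # Stratus tags its API calls this way

# Assumed mapping from CloudTrail eventName to the guide's technique name.
EXPECTED_EVENTS = {
    "StopLogging": "Stop CloudTrail Trail",
    "DeleteTrail": "Delete CloudTrail Trail",
    "PutBucketPolicy": "Backdoor an S3 Bucket via its Bucket Policy",
    "DeleteFlowLogs": "Remove VPC Flow Logs",
    "LeaveOrganization": "Attempt to Leave the AWS Organization",
}

# Constructed CloudTrail records (subset of fields) in the S3 delivery format.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userAgent": "stratus-red-team_0a1b2c3d", "requestParameters": {"name": "trail-a"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
  "userAgent": "stratus-red-team_0a1b2c3d", "requestParameters": {"bucketName": "b"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
  "userAgent": "aws-cli/2.13.0", "requestParameters": {"bucketName": "prod"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userAgent": "stratus-red-team_0a1b2c3d", "requestParameters": {}}
]}
""")["Records"]


def is_stratus_event(record: dict) -> bool:
    """Same predicate as the guide's @http.useragent:*stratus-red-team* filter."""
    return STRATUS_UA_MARKER in record.get("userAgent", "")


def summarize(records) -> Counter:
    """Count Stratus-generated API calls by (eventSource, eventName)."""
    return Counter((r["eventSource"], r["eventName"])
                   for r in records if is_stratus_event(r))


def missing_expected(records) -> list:
    """Techniques whose expected API call has no Stratus-tagged record."""
    seen = {name for _, name in summarize(records)}
    return sorted(t for ev, t in EXPECTED_EVENTS.items() if ev not in seen)


if __name__ == "__main__":
    for (src, name), n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{src:28} {name:20} x{n}")
    print("no Stratus-tagged event for:", missing_expected(SAMPLE_RECORDS))
```

The third record (a PutBucketPolicy from the plain AWS CLI) is deliberately excluded by the user-agent predicate, which is why the Datadog filter keeps emulation signals separate from real administrative activity.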