Add Grimoire detonation datasets (#547)

* Add first iteration of Grimoire detonation datasets to the docs * Fix dataset for SSM attack technique and move log location * Fix dataset * Refactor some attack techniques to properly propagate detonation IDs * Add detonation logs for additional attack techniques * gen docs
DataDog · Aug 9, 2024 · 0381e8b · 0381e8b
1 parent 2a1246d
commit 0381e8b
Show file tree

Hide file tree

Showing 81 changed files with 25,622 additions and 65 deletions.
diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
diff --git a/...k-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md b/...k-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
@@ -96,3 +96,221 @@ The following may be use to tune the detection, or validate findings:
 - Attempts to call GetBatchSecretValue resulting in access denied errors
 - Principals calling GetBatchSecretValue in several regions in a short period of time
 
+
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `secretsmanager:BatchGetSecretValue`
+
+
+??? "View raw detonation logs"
+
+ ```json hl_lines="6 46 86 126 166"
+
+ [
+  {
+  "awsRegion": "eu-westwest-1r",
+  "eventCategory": "Management",
+  "eventID": "61619dbf-c10b-471e-9d78-8199a2f8233a",
+  "eventName": "BatchGetSecretValue",
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventTime": "2024-07-31T12:29:17Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.09",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "165109126369",
+  "requestID": "d493c657-4004-4105-81f0-8f468ba0c9b3",
+  "requestParameters": {
+  "filters": [
+  {
+  "key": "tag-key",
+  "values": [
+  "StratusRedTeam"
+  ]
+  }
+  ]
+  },
+  "responseElements": null,
+  "sourceIPAddress": "88.223.251.255",
+  "tlsDetails": {
+  "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+  "tlsVersion": "TLSv1.3"
+  },
+  "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+  "userIdentity": {
+  "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+  "accountId": "165109126369",
+  "arn": "arn:aws:iam::165109126369:user/christophe",
+  "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+  "type": "IAMUser",
+  "userName": "christophe"
+  }
+  },
+  {
+  "awsRegion": "eu-westwest-1r",
+  "eventCategory": "Management",
+  "eventID": "7c7a69f9-867d-4b5b-beee-7fe62ba34d5c",
+  "eventName": "BatchGetSecretValue",
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventTime": "2024-07-31T12:29:17Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.09",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "165109126369",
+  "requestID": "6b6e2935-39ad-44d9-9a62-eeb63e95bd69",
+  "requestParameters": {
+  "filters": [
+  {
+  "key": "tag-key",
+  "values": [
+  "StratusRedTeam"
+  ]
+  }
+  ]
+  },
+  "responseElements": null,
+  "sourceIPAddress": "88.223.251.255",
+  "tlsDetails": {
+  "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+  "tlsVersion": "TLSv1.3"
+  },
+  "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+  "userIdentity": {
+  "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+  "accountId": "165109126369",
+  "arn": "arn:aws:iam::165109126369:user/christophe",
+  "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+  "type": "IAMUser",
+  "userName": "christophe"
+  }
+  },
+  {
+  "awsRegion": "eu-westwest-1r",
+  "eventCategory": "Management",
+  "eventID": "cf4e352a-b575-4003-bd81-0c531f42e626",
+  "eventName": "BatchGetSecretValue",
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventTime": "2024-07-31T12:29:17Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.09",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "165109126369",
+  "requestID": "cd93c41b-cb19-4a2c-9f35-6a1becee24ce",
+  "requestParameters": {
+  "filters": [
+  {
+  "key": "tag-key",
+  "values": [
+  "StratusRedTeam"
+  ]
+  }
+  ]
+  },
+  "responseElements": null,
+  "sourceIPAddress": "88.223.251.255",
+  "tlsDetails": {
+  "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+  "tlsVersion": "TLSv1.3"
+  },
+  "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+  "userIdentity": {
+  "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+  "accountId": "165109126369",
+  "arn": "arn:aws:iam::165109126369:user/christophe",
+  "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+  "type": "IAMUser",
+  "userName": "christophe"
+  }
+  },
+  {
+  "awsRegion": "eu-westwest-1r",
+  "eventCategory": "Management",
+  "eventID": "bddee0fb-2541-430d-aad5-b1fdd5d419f1",
+  "eventName": "BatchGetSecretValue",
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventTime": "2024-07-31T12:29:16Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.09",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "165109126369",
+  "requestID": "6bd1a472-24d2-46b5-abb6-83a9caf3e3ea",
+  "requestParameters": {
+  "filters": [
+  {
+  "key": "tag-key",
+  "values": [
+  "StratusRedTeam"
+  ]
+  }
+  ]
+  },
+  "responseElements": null,
+  "sourceIPAddress": "88.223.251.255",
+  "tlsDetails": {
+  "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+  "tlsVersion": "TLSv1.3"
+  },
+  "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+  "userIdentity": {
+  "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+  "accountId": "165109126369",
+  "arn": "arn:aws:iam::165109126369:user/christophe",
+  "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+  "type": "IAMUser",
+  "userName": "christophe"
+  }
+  },
+  {
+  "awsRegion": "eu-westwest-1r",
+  "eventCategory": "Management",
+  "eventID": "cdc49957-9518-4ab3-a49e-b5a7c17903e6",
+  "eventName": "BatchGetSecretValue",
+  "eventSource": "secretsmanager.amazonaws.com",
+  "eventTime": "2024-07-31T12:29:16Z",
+  "eventType": "AwsApiCall",
+  "eventVersion": "1.09",
+  "managementEvent": true,
+  "readOnly": true,
+  "recipientAccountId": "165109126369",
+  "requestID": "be2e79d0-ef1a-47f1-90b4-bafbbaa7404c",
+  "requestParameters": {
+  "filters": [
+  {
+  "key": "tag-key",
+  "values": [
+  "StratusRedTeam"
+  ]
+  }
+  ]
+  },
+  "responseElements": null,
+  "sourceIPAddress": "88.223.251.255",
+  "tlsDetails": {
+  "cipherSuite": "TLS_AES_128_GCM_SHA256",
+  "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+  "tlsVersion": "TLSv1.3"
+  },
+  "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+  "userIdentity": {
+  "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+  "accountId": "165109126369",
+  "arn": "arn:aws:iam::165109126369:user/christophe",
+  "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+  "type": "IAMUser",
+  "userName": "christophe"
+  }
+  }
+ ]
+ ```
+
+[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).