Implement initial EKS support and first attack techniques (#542)

* Implement initial EKS support and first attack technique (closes #374, #540) * Add new EKS attack technique: backdoor EKS aws-auth configmap (closes #375) * Bump AWS Go SDK * Bump Go version from 1.18 to 1.19 * Update docs * Replace io/ioutil with io due to the bump to Go 1.19
DataDog · Jul 25, 2024 · c34afc0 · c34afc0
1 parent cea6917
commit c34afc0
Show file tree

Hide file tree

Showing 22 changed files with 751 additions and 25 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -41,7 +41,7 @@ jobs:
  - name: Set up Go
  uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
  with:
- go-version: 1.18
+ go-version: 1.19
  - name: Run GoReleaser
  timeout-minutes: 60
  uses: goreleaser/goreleaser-action@c21f56a7bc891b5f73bec61233c4102ef8273150 # v5.0.0

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -36,7 +36,7 @@ jobs:
  - name: Set up Go
  uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
  with:
- go-version: 1.18
+ go-version: 1.19
  - uses: dominikh/staticcheck-action@ba605356b4b29a60e87ab9404b712f3461e566dc
  with:
  version: "2022.1"

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -34,7 +34,7 @@ jobs:
  - name: Set up Go
  uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
  with:
- go-version: 1.18
+ go-version: 1.19
 
  - name: Run unit tests
  run: make test

diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ See the documentation at **[stratus-red-team.cloud](https://stratus-red-team.clo
 
 ### Direct install
 
-Requires Go 1.18+
+Requires Go 1.19+
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

diff --git a/docs/attack-techniques/EKS/eks.lateral-movement.create-access-entry.md b/docs/attack-techniques/EKS/eks.lateral-movement.create-access-entry.md
@@ -0,0 +1,85 @@
+---
+title: Create Admin EKS Access Entry
+---
+
+# Create Admin EKS Access Entry
+
+
+
+
+Platform: EKS
+
+## MITRE ATT&CK Tactics
+
+
+- Lateral Movement
+
+## Description
+
+
+Uses the EKS Cluster Access Management to assign cluster administrator privileges to an IAM role. This allows the role to perform any action inside the Kubernetes cluster.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an IAM role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create an access entry for the IAM role
+- Associate the access entry with the AmazonEKSClusterAdminPolicy access policy
+
+References: 
+
+- https://securitylabs.datadoghq.com/articles/eks-cluster-access-management-deep-dive/
+- https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate eks.lateral-movement.create-access-entry
+```
+## Detection
+
+
+You can use the following CloudTrail events to identify when someone grants access to your EKS cluster:
+
+- **CreateAccessEntry**, when someone creates an access entry for a principal (meaning it's the first this principal is granted privileges in the cluster)':
+
+```json
+{
+ "eventSource": "eks.amazonaws.com",
+ "eventName": "CreateAccessEntry",
+ "requestParameters": {
+ "name": "eks-cluster",
+ "principalArn": "arn:aws:iam::012345678901:role/stratus-red-team-eks-create-access-entry-role"
+ },
+ "responseElements": {
+ "accessEntry": {
+ "clusterName": "eks-cluster",
+ "type": "STANDARD",
+ "principalArn": "arn:aws:iam::012345678901:role/stratus-red-team-eks-create-access-entry-role",
+ }
+ }
+}
+```
+
+
+- **AssociateAccessPolicy**: when someone assigns an access policy to a principal
+
+```json
+{
+ "eventSource": "eks.amazonaws.com",
+ "eventName": "AssociateAccessPolicy",
+ "requestParameters": {
+ "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
+ "accessScope": {
+ "type": "cluster"
+ },
+ "name": "eks-cluster",
+ "principalArn": "arn%3Aaws%3Aiam%3A%3A012345678901%3Arole%2Fstratus-red-team-eks-create-access-entry-role"
+ }
+}
+```
+
+
diff --git a/docs/attack-techniques/EKS/eks.persistence.backdoor-aws-auth-configmap.md b/docs/attack-techniques/EKS/eks.persistence.backdoor-aws-auth-configmap.md
@@ -0,0 +1,71 @@
+---
+title: Backdoor aws-auth EKS ConfigMap
+---
+
+# Backdoor aws-auth EKS ConfigMap
+
+
+
+
+Platform: EKS
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors the aws-auth ConfigMap in an EKS cluster to grant access to the cluster to a specific role.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an IAM role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Add an entry to the aws-auth ConfigMap to grant administrator access to the cluster to the role
+
+References: 
+
+- https://securitylabs.datadoghq.com/articles/amazon-eks-attacking-securing-cloud-identities/#authorization-the-aws-auth-configmap-deprecated
+- https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate eks.persistence.backdoor-aws-auth-configmap
+```
+## Detection
+
+
+Through EKS API Server audit logs, by looking for changes to the aws-auth ConfigMap in the kube-system namespace. Here's what a relevant audit event looks like:
+
+```json
+{
+ "objectRef": {
+ "apiVersion": "v1",
+ "resource": "configmaps",
+ "name": "aws-auth"
+ },
+ "requestURI": "/api/v1/namespaces/kube-system/configmaps/aws-auth",
+ "requestObject": {
+ "metadata": {
+ "resourceVersion": "184358280",
+ "name": "aws-auth",
+ "namespace": "kube-system",
+ "creationTimestamp": "2022-07-20T13:13:30Z"
+ },
+ "apiVersion": "v1",
+ "data": {
+ "mapRoles": "- groups:\n - system:masters\n rolearn: arn:aws:iam::012345678901:role/account-admin\n username: cluster-admin-{{SessionName}}\n- groups:\n - system:bootstrappers\n - system:nodes\n rolearn: arn:aws:iam::012345678901:role/eksctl-cluser-NodeInstanceRole\n username: system:node:{{EC2PrivateDNSName}}\n- groups:\n - system:masters\n rolearn: arn:aws:iam::012345678901:role/stratus-red-team-eks-backdoor-aws-auth-role\n username: backdoor\n"
+ },
+ "kind": "ConfigMap"
+ }
+}
+```
+
+
diff --git a/docs/attack-techniques/EKS/index.md b/docs/attack-techniques/EKS/index.md
@@ -0,0 +1,20 @@
+# EKS
+
+This page contains the Stratus attack techniques for EKS, grouped by MITRE ATT&CK Tactic.
+Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic.
+
+
+## Lateral Movement
+
+- [Create Admin EKS Access Entry](./eks.lateral-movement.create-access-entry.md)
+
+
+## Persistence
+
+- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md)
+
+
+## Privilege Escalation
+
+- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md)
+
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -50,6 +50,8 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
+| [Create Admin EKS Access Entry](./EKS/eks.lateral-movement.create-access-entry.md) | [EKS](./EKS/index.md) | Lateral Movement |
+| [Backdoor aws-auth EKS ConfigMap](./EKS/eks.persistence.backdoor-aws-auth-configmap.md) | [EKS](./EKS/index.md) | Persistence, Privilege Escalation |
 | [Exfiltrate Compute Disk by sharing it](./GCP/gcp.exfiltration.share-compute-disk.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Image by sharing it](./GCP/gcp.exfiltration.share-compute-image.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Disk by sharing a snapshot](./GCP/gcp.exfiltration.share-compute-snapshot.md) | [GCP](./GCP/index.md) | Exfiltration |

diff --git a/docs/attack-techniques/supported-platforms.md b/docs/attack-techniques/supported-platforms.md
@@ -1,4 +1,4 @@
 # Supported Platforms
 
-Stratus Red Team currently supports AWS, Azure, GCP and Kubernetes. 
+Stratus Red Team currently supports AWS, Azure, GCP,  Kubernetes, and Amazon EKS.
 See [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account) for setup instructions.
diff --git a/docs/index.yaml b/docs/index.yaml
@@ -329,6 +329,33 @@ AWS:
  - Privilege Escalation
  platform: AWS
  isIdempotent: false
+EKS:
+ Lateral Movement:
+ - id: eks.lateral-movement.create-access-entry
+ name: Create Admin EKS Access Entry
+ isSlow: false
+ mitreAttackTactics:
+ - Lateral Movement
+ platform: EKS
+ isIdempotent: false
+ Persistence:
+ - id: eks.persistence.backdoor-aws-auth-configmap
+ name: Backdoor aws-auth EKS ConfigMap
+ isSlow: false
+ mitreAttackTactics:
+ - Persistence
+ - Privilege Escalation
+ platform: EKS
+ isIdempotent: false
+ Privilege Escalation:
+ - id: eks.persistence.backdoor-aws-auth-configmap
+ name: Backdoor aws-auth EKS ConfigMap
+ isSlow: false
+ mitreAttackTactics:
+ - Persistence
+ - Privilege Escalation
+ platform: EKS
+ isIdempotent: false
 GCP:
  Exfiltration:
  - id: gcp.exfiltration.share-compute-disk

diff --git a/docs/user-guide/getting-started.md b/docs/user-guide/getting-started.md
@@ -2,7 +2,7 @@
 
 ## Installation
 
-Direct install (required Go 1.18+):
+Direct install (required Go 1.19+):
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest
@@ -94,7 +94,7 @@ For more information, see [Usage](./usage.md), [Examples](./examples.md) and the
 
 ## Connecting to your cloud account
 
-Stratus Red Team currently supports AWS and Kubernetes.
+Stratus Red Team currently supports AWS, Azure, Kubernetes, and Amazon EKS.
 
 !!! warning
 
@@ -108,6 +108,15 @@ In order to use Stratus attack techniques against AWS, you need to be authentica
 
 - Using static credentials in `~/.aws/config`, and setting your desired AWS profile using `export AWS_PROFILE=my-profile`
 
+### EKS
+
+Stratus Red Team does **not** create an EKS cluster for you. It assumes you're already authenticated to an EKS cluster.
+
+To use Stratus attack techniques against Amazon EKS, you need to be authenticated against AWS, as described above. Stratus Red Team will use the current AWS credentials and Kubernetes context to interact with the EKS cluster. It will check that the Kubernetes cluster you're connected to is an EKS cluster, and refuse to run otherwise.
+
+- Authenticate to AWS (for instance, using [`aws-vault`](https://github.com/99designs/aws-vault))
+- Run `aws eks update-kubeconfig --name your-cluster-name --region your-region` to update your `~/.kube/config` file with the EKS cluster configuration
+
 ### Azure
 
 - Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) to authenticate against your Azure tenant:

diff --git a/v2/go.mod b/v2/go.mod
@@ -1,20 +1,21 @@
 module github.com/datadog/stratus-red-team/v2
 
-go 1.18
+go 1.19
 
 require (
  cloud.google.com/go/compute v1.10.0
  github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4
  github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
  github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
  github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
- github.com/aws/aws-sdk-go-v2 v1.26.1
+ github.com/aws/aws-sdk-go-v2 v1.30.3
  github.com/aws/aws-sdk-go-v2/config v1.25.11
  github.com/aws/aws-sdk-go-v2/credentials v1.16.9
  github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.4
  github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.2
  github.com/aws/aws-sdk-go-v2/service/ec2 v1.138.2
  github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.20.6
+ github.com/aws/aws-sdk-go-v2/service/eks v1.46.0
  github.com/aws/aws-sdk-go-v2/service/iam v1.28.2
  github.com/aws/aws-sdk-go-v2/service/lambda v1.49.2
  github.com/aws/aws-sdk-go-v2/service/organizations v1.23.2
@@ -24,10 +25,9 @@ require (
  github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2
  github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.25.2
  github.com/aws/aws-sdk-go-v2/service/ses v1.22.4
- github.com/aws/aws-sdk-go-v2/service/sesv2 v1.27.3
  github.com/aws/aws-sdk-go-v2/service/ssm v1.44.2
  github.com/aws/aws-sdk-go-v2/service/sts v1.26.2
- github.com/aws/smithy-go v1.20.2
+ github.com/aws/smithy-go v1.20.3
  github.com/cenkalti/backoff/v4 v4.2.1
  github.com/fatih/color v1.13.0
  github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -51,8 +51,8 @@ require (
  github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
  github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.3 // indirect
  github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
  github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
  github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.8 // indirect
  github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect