diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index de1861a99..f1d00358c 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -4,128 +4,128 @@ This page contains the Stratus attack techniques for AWS, grouped by MITRE ATT&C Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. -## Credential Access - -- [Retrieve EC2 Password Data](./aws.credential-access.ec2-get-password-data.md) - -- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md) - -- [Retrieve a High Number of Secrets Manager secrets (Batch)](./aws.credential-access.secretsmanager-batch-retrieve-secrets.md) +## Initial Access + + - [Console Login without MFA](./aws.initial-access.console-login-without-mfa.md) + -- [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md) +## Execution + + - [Launch Unusual EC2 instances](./aws.execution.ec2-launch-unusual-instances.md) + + - [Execute Commands on EC2 Instance via User Data](./aws.execution.ec2-user-data.md) + + - [Usage of ssm:SendCommand on multiple instances](./aws.execution.ssm-send-command.md) + + - [Usage of ssm:StartSession on multiple instances](./aws.execution.ssm-start-session.md) + -- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md) +## Persistence + + - [Backdoor an IAM Role](./aws.persistence.iam-backdoor-role.md) + + - [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) + + - [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) + + - [Create a backdoored IAM Role](./aws.persistence.iam-create-backdoor-role.md) + + - [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) + + - [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md) + + - [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md) + + - [Overwrite Lambda Function Code](./aws.persistence.lambda-overwrite-code.md) + + - [Create an IAM Roles Anywhere trust 
anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md) + + - [Generate temporary AWS credentials using GetFederationToken](./aws.persistence.sts-federation-token.md) + +## Privilege Escalation + + - [Execute Commands on EC2 Instance via User Data](./aws.execution.ec2-user-data.md) + + - [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) + + - [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) + + - [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) + + - [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md) + + - [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md) + + - [Change IAM user password](./aws.privilege-escalation.iam-update-user-login-profile.md) + ## Defense Evasion + + - [Delete CloudTrail Trail](./aws.defense-evasion.cloudtrail-delete.md) + + - [Disable CloudTrail Logging Through Event Selectors](./aws.defense-evasion.cloudtrail-event-selectors.md) + + - [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws.defense-evasion.cloudtrail-lifecycle-rule.md) + + - [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md) + + - [Delete DNS query logs](./aws.defense-evasion.dns-delete-logs.md) + + - [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md) + + - [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md) + -- [Delete CloudTrail Trail](./aws.defense-evasion.cloudtrail-delete.md) - -- [Disable CloudTrail Logging Through Event Selectors](./aws.defense-evasion.cloudtrail-event-selectors.md) - -- [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws.defense-evasion.cloudtrail-lifecycle-rule.md) - -- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md) - -- [Delete DNS query logs](./aws.defense-evasion.dns-delete-logs.md) - -- [Attempt to Leave the AWS 
Organization](./aws.defense-evasion.organizations-leave.md) - -- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md) - +## Credential Access + + - [Retrieve EC2 Password Data](./aws.credential-access.ec2-get-password-data.md) + + - [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md) + + - [Retrieve a High Number of Secrets Manager secrets (Batch)](./aws.credential-access.secretsmanager-batch-retrieve-secrets.md) + + - [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md) + + - [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md) + ## Discovery + + - [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md) + + - [Download EC2 Instance User Data](./aws.discovery.ec2-download-user-data.md) + + - [Enumerate SES](./aws.discovery.ses-enumerate.md) + -- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md) - -- [Download EC2 Instance User Data](./aws.discovery.ec2-download-user-data.md) - -- [Enumerate SES](./aws.discovery.ses-enumerate.md) - - -## Execution - -- [Launch Unusual EC2 instances](./aws.execution.ec2-launch-unusual-instances.md) - -- [Execute Commands on EC2 Instance via User Data](./aws.execution.ec2-user-data.md) - -- [Usage of ssm:SendCommand on multiple instances](./aws.execution.ssm-send-command.md) - -- [Usage of ssm:StartSession on multiple instances](./aws.execution.ssm-start-session.md) - +## Lateral Movement + + - [Usage of EC2 Serial Console to push SSH public key](./aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) + + - [Usage of EC2 Instance Connect on multiple instances](./aws.lateral-movement.ec2-instance-connect.md) + ## Exfiltration - -- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.ec2-security-group-open-port-22-ingress.md) - -- [Exfiltrate an AMI by Sharing 
It](./aws.exfiltration.ec2-share-ami.md) - -- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ec2-share-ebs-snapshot.md) - -- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-share-snapshot.md) - -- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md) - + + - [Open Ingress Port 22 on a Security Group](./aws.exfiltration.ec2-security-group-open-port-22-ingress.md) + + - [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ec2-share-ami.md) + + - [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ec2-share-ebs-snapshot.md) + + - [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-share-snapshot.md) + + - [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md) + ## Impact - -- [Invoke Bedrock Model](./aws.impact.bedrock-invoke-model.md) - -- [S3 Ransomware through batch file deletion](./aws.impact.s3-ransomware-batch-deletion.md) - -- [S3 Ransomware through client-side encryption](./aws.impact.s3-ransomware-client-side-encryption.md) - -- [S3 Ransomware through individual file deletion](./aws.impact.s3-ransomware-individual-deletion.md) - - -## Initial Access - -- [Console Login without MFA](./aws.initial-access.console-login-without-mfa.md) - - -## Lateral Movement - -- [Usage of EC2 Serial Console to push SSH public key](./aws.lateral-movement.ec2-serial-console-send-ssh-public-key.md) - -- [Usage of EC2 Instance Connect on multiple instances](./aws.lateral-movement.ec2-instance-connect.md) - - -## Persistence - -- [Backdoor an IAM Role](./aws.persistence.iam-backdoor-role.md) - -- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) - -- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) - -- [Create a backdoored IAM Role](./aws.persistence.iam-create-backdoor-role.md) - -- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) - -- [Backdoor Lambda Function 
Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md) - -- [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md) - -- [Overwrite Lambda Function Code](./aws.persistence.lambda-overwrite-code.md) - -- [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md) - -- [Generate temporary AWS credentials using GetFederationToken](./aws.persistence.sts-federation-token.md) - - -## Privilege Escalation - -- [Execute Commands on EC2 Instance via User Data](./aws.execution.ec2-user-data.md) - -- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md) - -- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md) - -- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md) - -- [Add a Malicious Lambda Extension](./aws.persistence.lambda-layer-extension.md) - -- [Create an IAM Roles Anywhere trust anchor](./aws.persistence.rolesanywhere-create-trust-anchor.md) - -- [Change IAM user password](./aws.privilege-escalation.iam-update-user-login-profile.md) - + + - [Invoke Bedrock Model](./aws.impact.bedrock-invoke-model.md) + + - [S3 Ransomware through batch file deletion](./aws.impact.s3-ransomware-batch-deletion.md) + + - [S3 Ransomware through client-side encryption](./aws.impact.s3-ransomware-client-side-encryption.md) + + - [S3 Ransomware through individual file deletion](./aws.impact.s3-ransomware-individual-deletion.md) + diff --git a/docs/attack-techniques/EKS/index.md b/docs/attack-techniques/EKS/index.md index 17114bcfd..24cbdb166 100755 --- a/docs/attack-techniques/EKS/index.md +++ b/docs/attack-techniques/EKS/index.md 
@@ -4,17 +4,17 @@ This page contains the Stratus attack techniques for EKS, grouped by MITRE ATT&C Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. -## Lateral Movement - -- [Create Admin EKS Access Entry](./eks.lateral-movement.create-access-entry.md) - - ## Persistence - -- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md) - + + - [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md) + ## Privilege Escalation + + - [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md) + -- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md) - +## Lateral Movement + + - [Create Admin EKS Access Entry](./eks.lateral-movement.create-access-entry.md) + diff --git a/docs/attack-techniques/GCP/index.md b/docs/attack-techniques/GCP/index.md index ed24cbaa2..25c2fbc55 100755 --- a/docs/attack-techniques/GCP/index.md +++ b/docs/attack-techniques/GCP/index.md 
@@ -4,36 +4,36 @@ This page contains the Stratus attack techniques for GCP, grouped by MITRE ATT&C Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. -## Credential Access - -- [Retrieve a High Number of Secret Manager secrets](./gcp.credential-access.secretmanager-retrieve-secrets.md) - - -## Exfiltration - -- [Exfiltrate Compute Disk by sharing it](./gcp.exfiltration.share-compute-disk.md) - -- [Exfiltrate Compute Image by sharing it](./gcp.exfiltration.share-compute-image.md) - -- [Exfiltrate Compute Disk by sharing a snapshot](./gcp.exfiltration.share-compute-snapshot.md) - - ## Persistence - -- [Backdoor a GCP Service Account through its IAM Policy](./gcp.persistence.backdoor-service-account-policy.md) - -- [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md) - -- [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md) - -- [Invite an External User to a GCP Project](./gcp.persistence.invite-external-user.md) - + + - [Backdoor a GCP Service Account through its IAM Policy](./gcp.persistence.backdoor-service-account-policy.md) + + - [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md) + + - [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md) + + - [Invite an External User to a GCP Project](./gcp.persistence.invite-external-user.md) + ## Privilege Escalation + + - [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md) + + - [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md) + + - [Impersonate GCP Service Accounts](./gcp.privilege-escalation.impersonate-service-accounts.md) + -- [Create an Admin GCP Service Account](./gcp.persistence.create-admin-service-account.md) - -- [Create a GCP Service Account Key](./gcp.persistence.create-service-account-key.md) - -- [Impersonate GCP Service 
Accounts](./gcp.privilege-escalation.impersonate-service-accounts.md) +## Credential Access + + - [Retrieve a High Number of Secret Manager secrets](./gcp.credential-access.secretmanager-retrieve-secrets.md) + +## Exfiltration + + - [Exfiltrate Compute Disk by sharing it](./gcp.exfiltration.share-compute-disk.md) + + - [Exfiltrate Compute Image by sharing it](./gcp.exfiltration.share-compute-image.md) + + - [Exfiltrate Compute Disk by sharing a snapshot](./gcp.exfiltration.share-compute-snapshot.md) + diff --git a/docs/attack-techniques/azure/index.md b/docs/attack-techniques/azure/index.md index bcf637e4e..fb73b6518 100755 --- a/docs/attack-techniques/azure/index.md +++ b/docs/attack-techniques/azure/index.md @@ -5,18 +5,18 @@ Note that some Stratus attack techniques may correspond to more than a single AT ## Execution - -- [Execute Command on Virtual Machine using Custom Script Extension](./azure.execution.vm-custom-script-extension.md) - -- [Execute Commands on Virtual Machine using Run Command](./azure.execution.vm-run-command.md) - - -## Exfiltration - -- [Export Disk Through SAS URL](./azure.exfiltration.disk-export.md) - + + - [Execute Command on Virtual Machine using Custom Script Extension](./azure.execution.vm-custom-script-extension.md) + + - [Execute Commands on Virtual Machine using Run Command](./azure.execution.vm-run-command.md) + ## Persistence + + - [Create Azure VM Bastion shareable link](./azure.persistence.create-bastion-shareable-link.md) + -- [Create Azure VM Bastion shareable link](./azure.persistence.create-bastion-shareable-link.md) - +## Exfiltration + + - [Export Disk Through SAS URL](./azure.exfiltration.disk-export.md) + diff --git a/docs/attack-techniques/entra-id/index.md b/docs/attack-techniques/entra-id/index.md index ff770c192..3cef2bef7 100755 --- a/docs/attack-techniques/entra-id/index.md +++ b/docs/attack-techniques/entra-id/index.md 
@@ -5,25 +5,25 @@ Note that some Stratus attack techniques may correspond to more than a single AT ## Persistence - -- [Backdoor Entra ID application through service principal](./entra-id.persistence.backdoor-application-sp.md) - -- [Backdoor Entra ID application](./entra-id.persistence.backdoor-application.md) - -- [Create Guest User](./entra-id.persistence.guest-user.md) - -- [Create Hidden Scoped Role Assignment Through HiddenMembership AU](./entra-id.persistence.hidden-au.md) - -- [Create Application](./entra-id.persistence.new-application.md) - -- [Create Sticky Backdoor User Through Restricted Management AU](./entra-id.persistence.restricted-au.md) - + + - [Backdoor Entra ID application through service principal](./entra-id.persistence.backdoor-application-sp.md) + + - [Backdoor Entra ID application](./entra-id.persistence.backdoor-application.md) + + - [Create Guest User](./entra-id.persistence.guest-user.md) + + - [Create Hidden Scoped Role Assignment Through HiddenMembership AU](./entra-id.persistence.hidden-au.md) + + - [Create Application](./entra-id.persistence.new-application.md) + + - [Create Sticky Backdoor User Through Restricted Management AU](./entra-id.persistence.restricted-au.md) + ## Privilege Escalation - -- [Backdoor Entra ID application through service principal](./entra-id.persistence.backdoor-application-sp.md) - -- [Backdoor Entra ID application](./entra-id.persistence.backdoor-application.md) - -- [Create Application](./entra-id.persistence.new-application.md) - + + - [Backdoor Entra ID application through service principal](./entra-id.persistence.backdoor-application-sp.md) + + - [Backdoor Entra ID application](./entra-id.persistence.backdoor-application.md) + + - [Create Application](./entra-id.persistence.new-application.md) + diff --git a/docs/attack-techniques/kubernetes/index.md b/docs/attack-techniques/kubernetes/index.md index 8011aaa68..bbb992f98 100755 --- a/docs/attack-techniques/kubernetes/index.md 
+++ b/docs/attack-techniques/kubernetes/index.md @@ -4,29 +4,29 @@ This page contains the Stratus attack techniques for Kubernetes, grouped by MITR Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. -## Credential Access - -- [Dump All Secrets](./k8s.credential-access.dump-secrets.md) - -- [Steal Pod Service Account Token](./k8s.credential-access.steal-serviceaccount-token.md) - - ## Persistence - -- [Create Admin ClusterRole](./k8s.persistence.create-admin-clusterrole.md) - -- [Create Client Certificate Credential](./k8s.persistence.create-client-certificate.md) - -- [Create Long-Lived Token](./k8s.persistence.create-token.md) - + + - [Create Admin ClusterRole](./k8s.persistence.create-admin-clusterrole.md) + + - [Create Client Certificate Credential](./k8s.persistence.create-client-certificate.md) + + - [Create Long-Lived Token](./k8s.persistence.create-token.md) + ## Privilege Escalation + + - [Create Admin ClusterRole](./k8s.persistence.create-admin-clusterrole.md) + + - [Container breakout via hostPath volume mount](./k8s.privilege-escalation.hostpath-volume.md) + + - [Privilege escalation through node/proxy permissions](./k8s.privilege-escalation.nodes-proxy.md) + + - [Run a Privileged Pod](./k8s.privilege-escalation.privileged-pod.md) + -- [Create Admin ClusterRole](./k8s.persistence.create-admin-clusterrole.md) - -- [Container breakout via hostPath volume mount](./k8s.privilege-escalation.hostpath-volume.md) - -- [Privilege escalation through node/proxy permissions](./k8s.privilege-escalation.nodes-proxy.md) - -- [Run a Privileged Pod](./k8s.privilege-escalation.privileged-pod.md) - +## Credential Access + + - [Dump All Secrets](./k8s.credential-access.dump-secrets.md) + + - [Steal Pod Service Account Token](./k8s.credential-access.steal-serviceaccount-token.md) + diff --git a/v2/pkg/stratus/mitreattack/tactics.go b/v2/pkg/stratus/mitreattack/tactics.go index 51d3e8db1..8d60e2822 100644 
--- a/v2/pkg/stratus/mitreattack/tactics.go
+++ b/v2/pkg/stratus/mitreattack/tactics.go
@@ -67,3 +67,12 @@ func (t Tactic) UnmarshalYAML(node *yaml.Node) error {
 t, err := AttackTacticFromString(value)
 return err
 }
+
+func GetAllMitreAttackTactics() []Tactic {
+ allTactics := make([]Tactic, len(tactics))
+ // Start with '1' to skip the 'Unspecified' tactic
+ for i := 1; i < len(tactics); i++ {
+ allTactics[i] = Tactic(i)
+ }
+ return allTactics
+}
diff --git a/v2/tools/generate-techniques-documentation.go b/v2/tools/generate-techniques-documentation.go
index fc6c5bd72..453122654 100644
--- a/v2/tools/generate-techniques-documentation.go
+++ b/v2/tools/generate-techniques-documentation.go
@@ -76,6 +76,12 @@ func GenerateTechDocs(docsDirectory string, techniques []*stratus.AttackTechniqu
 }
 }
 
+ allTactics := mitreattack.GetAllMitreAttackTactics()
+ allTacticsString := make([]string, len(allTactics))
+ for i := range allTactics {
+ allTacticsString[i] = mitreattack.AttackTacticToString(allTactics[i])
+ }
+
 // Pass 2: write index per platform
 for platform, tacticsMap := range index {
 platformIndexFile := filepath.Join(docsDirectory, "attack-techniques", string(platform), "index.md")
@@ -83,10 +89,11 @@ func GenerateTechDocs(docsDirectory string, techniques []*stratus.AttackTechniqu
 result := ""
 buf := bytes.NewBufferString(result)
 vars := struct {
+ AllTactics []string
 TacticsMap map[string][]*stratus.AttackTechnique
 Platform stratus.Platform
 }{
- tacticsMap, platform,
+ allTacticsString, tacticsMap, platform,
 }
 err := tpl.Execute(buf, vars)
 if err != nil {
diff --git a/v2/tools/index-by-platform.tpl b/v2/tools/index-by-platform.tpl
index d1092d797..6d34b9a3a 100644
--- a/v2/tools/index-by-platform.tpl
+++ b/v2/tools/index-by-platform.tpl
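Review bot: GetAllMitreAttackTactics still returns the Unspecified tactic it claims to skip: `make([]Tactic, len(tactics))` allocates len(tactics) elements and the loop starting at 1 leaves index 0 as the zero value, which the comment itself identifies as 'Unspecified'. That zero element then flows through `AttackTacticToString` in the first generate-techniques-documentation.go hunk and is only dropped by the template because no technique is indexed under it, which is an accident of the data rather than a guarantee. Allocate with capacity and append instead: `allTactics := make([]Tactic, 0, len(tactics)-1)` and `allTactics = append(allTactics, Tactic(i))`, so the result contains exactly the tactics from 1 to len(tactics)-1. The exported function also has no doc comment; `// GetAllMitreAttackTactics returns every tactic except Unspecified, in declaration order.` would do, noting that `Tactic(i)` lining up with `tactics[i]` is inferred from the loop rather than visible here.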
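Review bot: The struct literal `allTacticsString, tacticsMap, platform,` in the second generate-techniques-documentation.go hunk is positional, so inserting AllTactics as a new first field relies on the value order matching the field order by eye, and any later reordering of the anonymous struct compiles but hands the template the wrong values. Use keyed fields: `AllTactics: allTacticsString,` / `TacticsMap: tacticsMap,` / `Platform: platform,`. go vet's composites check does not cover local anonymous struct types, so the literal itself has to carry the field names. GenerateTechDocs starts and ends outside the hunk.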
@@ -3,9 +3,9 @@ This page contains the Stratus attack techniques for {{FormatPlatformName .Platform}}, grouped by MITRE ATT&CK Tactic. Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic. -{{ range $tactic, $techniques := .TacticsMap }} +{{ range $tactic := .AllTactics }}{{ with $techniques := index $.TacticsMap $tactic }} ## {{ $tactic }} -{{ range $technique := $techniques }} -- [{{$technique.FriendlyName}}](./{{$technique.ID}}.md) -{{ end }} -{{ end }} \ No newline at end of file + {{ range $technique := $techniques }} + - [{{$technique.FriendlyName}}](./{{$technique.ID}}.md) + {{ end }} +{{ end }}{{ end }} \ No newline at end of file
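Review bot: The single leading space on ` {{ range $technique := $techniques }}`, ` - […]` and ` {{ end }}` is emitted literally into every generated index.md: text/template does not strip indentation, so the list items come out indented by one space and the separator lines between them contain a lone space, as the regenerated docs hunks above show (`+ - [Console Login …]`). If the indentation is wanted for readability of the template, use trim markers so it does not reach the output: `{{- range $technique := $techniques }}` and `{{- end }}`, keeping the `- […]` line at column 0. The `{{ with $techniques := index $.TacticsMap $tactic }}` guard is what silently omits tactics with no techniques, including any zero-valued tactic GetAllMitreAttackTactics returns; a short comment on that line saying so would save the next reader from wondering why AllTactics and the rendered sections differ.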