Merge branch 'main' into katie.knowles/stratus-administrative-units

.github/workflows/docker.yml

@@ -20,7 +20,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -42,14 +42,14 @@ jobs:
           fetch-depth: 0
 
       - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85
         with:
           context: .
           push: true

.github/workflows/docs.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -29,7 +29,7 @@ jobs:
             *.actions.githubusercontent.com:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: 3.x
       - run: pip install mkdocs-material mkdocs-awesome-pages-plugin

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints: >

.github/workflows/scorecards.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v2.0.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.0.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -49,14 +49,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v3.0.0
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # tag=v3.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c
         with:
           sarif_file: results.sarif

.github/workflows/static-analysis.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -37,7 +37,7 @@ jobs:
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
           go-version: 1.19
-      - uses: dominikh/staticcheck-action@ba605356b4b29a60e87ab9404b712f3461e566dc
+      - uses: dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6
         with:
           version: "2022.1"
           install-go: false

.github/workflows/terraform-lint.yml

@@ -17,15 +17,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142  # tag:v2.7.0
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6  # tag:v2.8.1
         with:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag:v2.5.0
         with:
           fetch-depth: 1
 
-      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 
+      - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 
 
       - name: Lint Terraform
         run: terraform fmt -recursive -check

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints:
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           egress-policy: block
           allowed-endpoints:

Dockerfile

@@ -6,7 +6,7 @@ WORKDIR /build
 ADD . /build
 RUN make BUILD_VERSION=${VERSION}
 
-FROM alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b AS runner
+FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS runner
 LABEL org.opencontainers.image.source="https://github.com/DataDog/stratus-red-team/"
 COPY --from=builder /build/bin/stratus /stratus
 RUN apk add --update git # git is needed for Terraform to download external modules at runtime

docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md

@@ -54,16 +54,16 @@ See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detec
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `ssm:DescribeInstanceInformation`
-
-- `sts:GetCallerIdentity`
-
 - `ec2:DescribeInstances`
 
+- `ssm:DescribeInstanceInformation`
+
 - `ssm:GetCommandInvocation`
 
 - `ssm:SendCommand`
 
+- `sts:GetCallerIdentity`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md

@@ -31,6 +31,8 @@ An attacker may attempt to retrieve a high number of secrets by batch, to avoid
 
 References:
 
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
 - https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
 
 

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md

@@ -28,6 +28,11 @@ Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSe
 - Enumerate the secrets through secretsmanager:ListSecrets
 - Retrieve each secret value, one by one through secretsmanager:GetSecretValue
 
+References:
+
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
+
 
 ## Instructions
 

docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md

@@ -48,7 +48,7 @@ Through CloudTrail's <code>DescribeInstanceAttribute</code> event.
 
 See:
 
-* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
+* [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/unsupported/cloud/aws_ec2_download_userdata.yml)
 
 
 ## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>

docs/attack-techniques/AWS/aws.execution.ec2-user-data.md

@@ -63,10 +63,10 @@ The following CloudTrail events are generated when this technique is detonated[^
 
 - `ec2:DescribeInstances`
 
-- `ec2:StartInstances`
-
 - `ec2:ModifyInstanceAttribute`
 
+- `ec2:StartInstances`
+
 - `ec2:StopInstances`
 
 

docs/attack-techniques/AWS/aws.execution.ssm-send-command.md

@@ -71,12 +71,12 @@ While this technique uses a single call to <code>ssm:SendCommand</code> on sever
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
+- `ssm:DescribeInstanceInformation`
+
 - `ssm:GetCommandInvocation`
 
 - `ssm:SendCommand`
 
-- `ssm:DescribeInstanceInformation`
-
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.execution.ssm-start-session.md

@@ -68,10 +68,10 @@ The following CloudTrail events are generated when this technique is detonated[^
 
 - `ssm:DescribeInstanceInformation`
 
-- `ssm:TerminateSession`
-
 - `ssm:StartSession`
 
+- `ssm:TerminateSession`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md

@@ -39,6 +39,8 @@ References:
 - [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md

@@ -33,6 +33,8 @@ References:
 
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md

@@ -41,6 +41,8 @@ References:
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
 - https://www.invictus-ir.com/news/ransomware-in-the-cloud
 - https://dfir.ch/posts/aws_ransomware/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md

@@ -31,6 +31,7 @@ Establishes persistence by creating an access key on an existing IAM user.
 References:
 
 - https://sysdig.com/blog/scarleteel-2-0/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md

@@ -32,6 +32,9 @@ References:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md

@@ -48,6 +48,7 @@ an external, fictitious attack AWS account.
 References:
 
 - https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md

@@ -31,10 +31,12 @@ user intended to be used programmatically through the AWS console usual login pr
 
 References:
 
+- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
 - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 
 
 ## Instructions
@@ -56,11 +58,11 @@ In particular, it's suspicious when these events occur on IAM users intended to
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `sts:GetCallerIdentity`
+- `iam:CreateLoginProfile`
 
 - `iam:DeleteLoginProfile`
 
-- `iam:CreateLoginProfile`
+- `sts:GetCallerIdentity`
 
 
 ??? "View raw detonation logs"

docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md

@@ -27,6 +27,10 @@ Establishes persistence by backdooring a lambda function to allow its invocation
 
 - Modify the Lambda function resource-base policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
 
+References:
+
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+
 
 ## Instructions