diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md
new file mode 100755
index 00000000..21707dc4
--- /dev/null
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md
@@ -0,0 +1,40 @@
+---
+title: Delete DNS query logs
+---
+
+# Delete DNS query logs
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Defense Evasion
+
+## Description
+
+
+Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.
+
+Warm-up:
+
+- Create a DNS logging configuration.
+
+Detonation:
+
+- Delete the DNS logging configuration using route53:DeleteQueryLoggingConfig
.
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.defense-evasion.dns-delete-logs
+```
+## Detection
+
+
+Identify when a DNS logging configuration is deleted, through CloudTrail's DeleteQueryLoggingConfig
event.
+
+
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
index bbaf2330..4fcddb7c 100755
--- a/docs/attack-techniques/AWS/index.md
+++ b/docs/attack-techniques/AWS/index.md
@@ -27,6 +27,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md)
+- [Delete DNS query logs](./aws.defense-evasion.dns-delete-logs.md)
+
- [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md)
- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md)
diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
index 32d19d8c..2203c1d9 100755
--- a/docs/attack-techniques/list.md
+++ b/docs/attack-techniques/list.md
@@ -18,6 +18,7 @@ This page contains the list of all Stratus Attack Techniques.
| [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Delete DNS query logs](./AWS/aws.defense-evasion.dns-delete-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |
diff --git a/docs/index.yaml b/docs/index.yaml
index b4d150d2..cbd16188 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
@@ -64,6 +64,13 @@ AWS:
- Defense Evasion
platform: AWS
isIdempotent: true
+ - id: aws.defense-evasion.dns-delete-logs
+ name: Delete DNS query logs
+ isSlow: false
+ mitreAttackTactics:
+ - Defense Evasion
+ platform: AWS
+ isIdempotent: false
- id: aws.defense-evasion.organizations-leave
name: Attempt to Leave the AWS Organization
isSlow: false
diff --git a/v2/go.mod b/v2/go.mod
index 4fa162f7..65f9fa41 100644
--- a/v2/go.mod
+++ b/v2/go.mod
@@ -56,6 +56,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.8 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.8 // indirect
+ github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
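Review bot: The added `route53resolver` requirement is tagged `// indirect`, but the new `dns-delete-logs/main.go` in this same commit imports the package directly, so the tag is wrong and `go mod tidy` will move the line into the direct `require` block and drop the comment. Running `go mod tidy` before merging keeps go.mod consistent with the import graph; a stale `// indirect` marker is harmless at build time but misleads anyone auditing which modules the project depends on first-hand. `github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0` without the trailing `// indirect`, placed among the direct requirements, is the expected result.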
diff --git a/v2/go.sum b/v2/go.sum
index 12321869..846c249b 100644
--- a/v2/go.sum
+++ b/v2/go.sum
@@ -84,6 +84,8 @@ github.com/aws/aws-sdk-go-v2/service/rds v1.64.2 h1:PTOyeFw0q+Kikm+9PlUaZdYFrPOA
github.com/aws/aws-sdk-go-v2/service/rds v1.64.2/go.mod h1:Ty2c2SC4jhY6hvGeeOe8T50m1PkioZD9lk6iiOsADkU=
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.6.2 h1:c7gZpO0xBXSbbm8nH2t/5W13rCcuemF7FXe47pItP2o=
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.6.2/go.mod h1:TbYAZgmTmONcilZvOzb6J6cJ33kp0wGrFum3Mkgeimo=
+github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0 h1:wftl1cNbDzGzpZ9Bv54ZWkTOniXQEbyEvQfMkyAigwA=
+github.com/aws/aws-sdk-go-v2/service/route53resolver v1.25.0/go.mod h1:6cJ6NO+7rGkv3+QNG9woezF+jDf8eYcz71wKaEIbKtE=
github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2 h1:DLSAG8zpJV2pYsU+UPkj1IEZghyBnnUsvIRs6UuXSDU=
github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2/go.mod h1:thjZng67jGsvMyVZnSxlcqKyLwB0XTG8bHIRZPTJ+Bs=
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.25.2 h1:JKbfiLwEqJp8zaOAOn6AVSMS96gdwP3TjBMvZYsbxqE=
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go
new file mode 100644
index 00000000..dc22660e
--- /dev/null
+++ b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.go
@@ -0,0 +1,57 @@
+package aws
+
+import (
+ "context"
+ _ "embed"
+ "errors"
+ "log"
+
+ "github.com/aws/aws-sdk-go-v2/service/route53resolver"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+)
+
+//go:embed main.tf
+var tf []byte
+
+func init() {
+ stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+ ID: "aws.defense-evasion.dns-delete-logs",
+ FriendlyName: "Delete DNS query logs",
+ Platform: stratus.AWS,
+ MitreAttackTactics: []mitreattack.Tactic{mitreattack.DefenseEvasion},
+ Description: `
+Deletes a Route53 DNS Resolver query logging configuration. Simulates an attacker disrupting DNS logging.
+
+Warm-up:
+
+- Create a DNS logging configuration.
+
+Detonation:
+
+- Delete the DNS logging configuration using route53:DeleteQueryLoggingConfig
.`,
+ Detection: `
+Identify when a DNS logging configuration is deleted, through CloudTrail's DeleteQueryLoggingConfig
event.
+`,
+ IsIdempotent: false, // can't delete a DNS logging configuration twice
+ PrerequisitesTerraformCode: tf,
+ Detonate: detonate,
+ })
+}
+
+func detonate(params map[string]string, providers stratus.CloudProviders) error {
+ resolverClient := route53resolver.NewFromConfig(providers.AWS().GetConnection())
+ queryLoggingConfigId := params["route53_logger_id"]
+
+ log.Println("Deleting DNS logging configuration " + queryLoggingConfigId)
+
+ _, err := resolverClient.DeleteResolverQueryLogConfig(context.Background(), &route53resolver.DeleteResolverQueryLogConfigInput{
+ ResolverQueryLogConfigId: &queryLoggingConfigId,
+ })
+
+ if err != nil {
+ return errors.New("unable to delete DNS logging configuration: " + err.Error())
+ }
+
+ return nil
+}
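Review bot: The Description and Detection strings (the lines ending in `route53:DeleteQueryLoggingConfig` and `CloudTrail's DeleteQueryLoggingConfig`) name a different API than the one `detonate` actually calls: the code invokes `DeleteResolverQueryLogConfig` on the Route 53 Resolver client, whereas `route53:DeleteQueryLoggingConfig` is the hosted-zone query-logging operation of the Route 53 service, so a detection keyed on that event name would not fire for this technique. Since the markdown under `docs/attack-techniques/AWS/` is generated from these strings, the published detection guidance inherits the mismatch; the Description line should read `- Delete the DNS logging configuration using route53resolver:DeleteResolverQueryLogConfig` and the Detection line `Identify when a DNS logging configuration is deleted, through CloudTrail's DeleteResolverQueryLogConfig event.` (the eventSource for that event is route53resolver.amazonaws.com, which is worth stating so detection authors do not filter on route53.amazonaws.com). Separately, `errors.New("unable to delete DNS logging configuration: " + err.Error())` flattens the SDK error and defeats `errors.As` on the caller side; `fmt.Errorf("unable to delete DNS logging configuration: %w", err)` preserves it, at the cost of swapping the `errors` import for `fmt`.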
diff --git a/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf
new file mode 100644
index 00000000..2ba7c356
--- /dev/null
+++ b/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs/main.tf
@@ -0,0 +1,49 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0.0"
+ }
+ }
+}
+provider "aws" {
+ skip_region_validation = true
+ skip_credentials_validation = true
+ default_tags {
+ tags = {
+ StratusRedTeam = true
+ }
+ }
+}
+
+resource "random_string" "suffix" {
+ length = 10
+ min_lower = 10
+ special = false
+}
+
+locals {
+ resource_prefix = "stratus-red-team-dns-delete"
+}
+
+locals {
+ bucket-name = "${local.resource_prefix}-bucket-${random_string.suffix.result}"
+}
+
+resource "aws_route53_resolver_query_log_config" "config" {
+ name = "${local.resource_prefix}-config-${random_string.suffix.result}"
+ destination_arn = aws_s3_bucket.query_log.arn
+}
+
+resource "aws_s3_bucket" "query_log" {
+ bucket = local.bucket-name
+ force_destroy = true
+}
+
+output "route53_logger_id" {
+ value = aws_route53_resolver_query_log_config.config.id
+}
+
+output "display" {
+ value = format("Route53 query log config %s is ready", aws_route53_resolver_query_log_config.config.name)
+}
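Review bot: `resource "random_string" "suffix"` pulls in the `hashicorp/random` provider, but the `terraform` block only declares `hashicorp/aws` in `required_providers`; Terraform resolves the missing entry by implicit lookup in the hashicorp namespace, so `init` succeeds today, but the provider version is then unpinned and `terraform init` output differs between runs. Unless the project's other `main.tf` files intentionally rely on the implicit lookup, adding `random = { source = "hashicorp/random" }` next to the `aws` entry makes the prerequisite module self-describing. The two consecutive `locals` blocks could also be merged into one, since `bucket-name` only depends on `resource_prefix` and nothing between them.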
diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go
index c03db34e..e27a0260 100644
--- a/v2/internal/attacktechniques/main.go
+++ b/v2/internal/attacktechniques/main.go
@@ -10,6 +10,7 @@ import (
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors"
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule"
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop"
+ _ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/dns-delete-logs"
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave"
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs"
_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance"