Leonidas – Automated Attack Simulation In The Cloud, Complete With Detection Use Cases

Leonidas is a framework for executing attacker steps in the cloud. It delivers a YAML-primarily based structure for defining cloud attacker practices, methods and techniques (TTPs) and their affiliated detection homes. These definitions can then be compiled into:

• A web API exposing each individual check circumstance as an particular person endpoint
• Sigma policies (https://github.com/Neo23x0/sigma) for detection
• Documentation – see http://detectioninthe.cloud/ for an illustration

Deploying the API

The API is deployed by means of an AWS-indigenous CI/CD pipeline. Instructions for this can be located at Deploying Leonidas.

Working with the API

The API is invoked via world wide web requests secured by an API vital. Specifics on applying the API can be discovered at Utilizing Leonidas

Putting in the Generator Regionally

To construct documentation or Sigma policies, you can expect to need to install the generator locally. You can do this by:

• cd generator
• poetry put in

Making Sigma Rules

Sigma policies can be generated as follows:

• poetry operate ./generator.py sigma

The guidelines will then look in ./output/sigma

Building Documentation

The documentation is produced as follows:

• poetry run ./generator.py docs

This will make markdown variations of the documentation accessible at output/docs. This can be uploaded to an existing markdown-dependent documentation system, or the pursuing can be utilized to produce a prettified HTML edition of the docs:

• cd output
• mkdocs create

This will make a output/site folder made up of the HTML web-site. It is also probable to watch this domestically by operating mkdocs serve in the similar folder.

Creating Definitions

The definitions are penned in a YAML-based structure, for which an instance is delivered under. Documentation on how to compose these can be uncovered in Creating Definitions

---
name: Enumerate Cloudtrails for a Presented Region
creator: Nick Jones
description: |
  An adversary could endeavor to enumerate the configured trails, to establish what steps will be logged and where they will be logged to. In AWS, this may well get started with a single call to enumerate the trails relevant to the default location.
category: Discovery
mitre_ids:
  - T1526
platform: aws
permissions:
  - cloudtrail:DescribeTrails
input_arguments:
executors:
  sh:
    code: |
      aws cloudtrail explain-trails
  leonidas_aws:
    executed: Legitimate
    clients:
      - cloudtrail
    code: |
      end result = purchasers["cloudtrail"].describe_trails()
detection:
  sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449
  standing: experimental
  degree: reduced
  sources:
    - title: "cloudtrail"
      attributes:
        eventName: "DescribeTrails"
        eventSource: "*.cloudtrail.a   mazonaws.com"

Credits

Job crafted and maintained by Nick Jones ( NJonesUK / @nojonesuk).

This challenge drew ideas and inspiration from a array of sources, together with:

• Pacu
• Rhino Security’s AWS IAM Privilege Escalations
• All of Scott Piper’s AWS security perform ( https://github.com/0xdabbad00 / @0xdabbad00 )
• MITRE ATT&CK
• MITRE CALDERA
• Red Canary’s Atomic Crimson Staff
• Sigma

Image and Article Resource backlink

Examine More on Pentesting Instruments