AWS TTP Runner
AWS TTP Runner allows every security team to test their AWS controls by executing simple "tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).
Philosophy
AWS TTP Runner is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
Next Steps
- Add terraform resources
- Finalize TTPs
- Raw API output examples
- Build out scenarios
- Improve runner code
- Improve module comments
- Add weaponize option
Techniques
Initial Access
- Metadata compromise (initial_Meta)
Persistence
- Access Key Creation (modules/persist_AccessKey)
- User Creation w/ inline policy (modules/persist_CreateUser)
- EC2 w/ SSM run command payload (modules/persist_EC2_SSM)
- EC2 with Userdata payload (modules/persist_EC2_userdata)
- Lambda Function with external post of ec2 creds (modules/persist_Lambda)
Privilege Escalation
- Add user to a group (modules/privesc_Group)
- Update user policy (modules/privesc_Policy)
- Create login profile (modules/privesc_Profile)
Discovery
- User/Group/Roles/Policies Enumeration v1 (modules/enum_Iamv1)
- User/Group/Roles/Policies Enumeration v2 (modules/enum_Iamv2)
- EC2 Userdata Enumeration (modules/enum_Userdata)
- Lambda Functions Enumeration (modules/enum_Lambda)
- Secrets Storage Enumeration (modules/enum_Secrets)
- VPC Enumeration (modules/enum_Network)
Exfiltration
- S3 Bucket (modules/exfil_S3)
- Snapshots (modules/exfil_Snapshots)
- Network (modules/exfil_Network)
Collection
- VPC Mirror (modules/collect_Mirror)
- Share snapshots with external account (modules/collect_Snapshots)
- S3 Bucket (modules/collect_S3)
Defense Evasion
- Change user agent (modules/evasion_Useragent)
- Dynamically change regions (modules/evasion_Region)
- IAM Hopping Keys, Roles (modules/evasion_IAM)
Lateral Movement
- Assume Role (modules/lateral_Assume)