AWS TTP Runner allows every security team to test their AWS controls by executing simple "tests" that exercise the same techniques used by adversaries (all mapped to MITRE ATT&CK).
AWS TTP Runner is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
- Add terraform resources
- Finalize TTPs
- Raw API output examples
- Build out scenarios
- Improve runner code
- Improve module comments
- Add weaponize option
- Metadata compromise (initial_Meta)
- Access Key Creation (modules/persist_AccessKey)
- User Creation w/ inline policy (modules/persist_CreateUser)
- EC2 w/ SSM run command payload (modules/persist_EC2_SSM)
- EC2 with Userdata payload (modules/persist_EC2_userdata)
- Lambda Function with external post of ec2 creds (modules/persist_Lambda)
- Add user to a group (modules/privesc_Group)
- Update user policy (modules/privesc_Policy)
- Create login profile (modules/privesc_Profile)
- User/Group/Roles/Policies Enumeration v1 (modules/enum_Iamv1)
- User/Group/Roles/Policies Enumeration v2 (modules/enum_Iamv2)
- EC2 Userdata Enumeration (modules/enum_Userdata)
- Lambda Functions Enumeration (modules/enum_Lambda)
- Secrets Storage Enumeration (modules/enum_Secrets)
- VPC Enumeration (modules/enum_Network)
- S3 Bucket (modules/exfil_S3)
- Snapshots (modules/exfil_Snapshots)
- Network (modules/exfil_Network)
- VPC Mirror (modules/collect_Mirror)
- Share snapshots with external account (modules/collect_Snapshots)
- S3 Bucket (modules/collect_S3)
- Change user agent (modules/evasion_Useragent)
- Dynamically change regions (modules/evasion_Region)
- IAM Hopping Keys, Roles (modules/evasion_IAM)
- Assume Role (modules/lateral_Assume)