diff --git a/prowler/compliance/aws/mitre_attack_aws.json b/prowler/compliance/aws/mitre_attack_aws.json new file mode 100644 index 00000000..8d188d3b --- /dev/null +++ b/prowler/compliance/aws/mitre_attack_aws.json 
@@ -0,0 +1,2075 @@ +{ + "Framework": "MITRE-ATTACK", + "Version": "", + "Provider": "AWS", + "Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.", + "Requirements": [ + { + "Name": "Exploit Public-Facing Application", + "Id": "T1190", + "Tactics": [ + "Initial Access" + ], + "SubTechniques": [], + "Platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1190/", + "Checks": [ + "drs_job_exist", + "config_recorder_all_regions_enabled", + "rds_instance_minor_version_upgrade_enabled", + "rds_instance_backup_enabled", + "securityhub_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "inspector2_findings_exist", + "awslambda_function_not_publicly_accessible", + "ec2_instance_public_ip" + ], + "Attributes": [ + { + "AWSService": "AWS CloudEndure Disaster Recovery", + "Category": "Respond", + "Value": "Significant", + "Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant." 
+ }, + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Partial", + "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: 'api-gw-endpoint-type-check' can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, 'elasticsearch-in-vpc-only' can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, 'lambda-function-public-access-prohibited' can verify that AWS Lambda functions are not publicly available, and 'ec2-instance-no-public-ip' can verify whether EC2 instances have public IP addresses. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the 'ec2-managedinstance-applications-blacklisted' managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The 'ec2-managedinstance-platform-check' managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. 'rds-automatic-minor-version-upgrade-enabled' can verify that Amazon RDS is being patched, and 'elastic-beanstalk-managed-updates-enabled' can verify that Elastic Beanstalk is being patched. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial." + }, + { + "AWSService": "AWS RDS", + "Category": "Protect", + "Value": "Partial", + "Comment": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation." + }, + { + "AWSService": "AWS RDS", + "Category": "Respond", + "Value": "Significant", + "Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant." + }, + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Minimal", + "Comment": "There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource). UnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself resulting in Minimal coverage." + }, + { + "AWSService": "AWS Security Hub", + "Category": "Detect", + "Value": "Partial", + "Comment": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. 
EC2 instances that have missing security patches for important vulnerabilities. This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities." + }, + { + "AWSService": "AWS Web Application Firewall", + "Category": "Protect", + "Value": "Significant", + "Comment": "The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time." + }, + { + "AWSService": "Amazon Inspector", + "Category": "Protect", + "Value": "Partial", + "Comment": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for 'Enable Address Space Layout Randomization (ASLR)' and 'Enable Data Execution Prevention (DEP)' that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial." 
+ } + ] + }, + { + "Name": "Trusted Relationship", + "Id": "T1199", + "Tactics": [ + "Initial Access" + ], + "SubTechniques": [], + "Platforms": [ + "Office 365", + "IaaS", + "Linux", + "SaaS", + "Windows", + "macOS" + ], + "Description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1199/", + "Checks": [ + "ec2_networkacl_allow_ingress_any_port", + "ec2_networkacl_allow_ingress_tcp_port_22", + "ec2_networkacl_allow_ingress_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23" + ], + "Attributes": [ + { + "AWSService": "Amazon Virtual Private Cloud", + "Category": "Protect", + 
"Value": "Partial", + "Comment": "VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate." + } + ] + }, + { + "Name": "Valid Accounts", + "Id": "T1078", + "Tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation", + "Initial Access" + ], + "SubTechniques": [ + "T1078.001 - Default Accounts", + "T1078.004 - Cloud Accounts" + ], + "Platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Network", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "Description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.[1] Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. 
Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1078/", + "Checks": [ + "guardduty_is_enabled", + "config_recorder_all_regions_enabled", + "iam_administrator_access_with_mfa", + "iam_avoid_root_usage", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_customer_unattached_policy_no_administrative_privileges", + "iam_no_expired_server_certificates_stored", + "iam_disable_30_days_credentials", + "iam_no_root_access_key", + "iam_no_custom_policy_permissive_role_assumption", + "iam_password_policy_expires_passwords_within_90_days_or_less", + "iam_password_policy_lowercase", + "iam_password_policy_minimum_length_14", + "iam_password_policy_number", + "iam_password_policy_reuse_24", + "iam_password_policy_symbol", + "iam_password_policy_uppercase", + "iam_policy_allows_privilege_escalation", + "iam_policy_no_full_access_to_cloudtrail", + "iam_policy_no_full_access_to_kms", + "iam_role_cross_account_readonlyaccess_policy", + "iam_role_cross_service_confused_deputy_prevention", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_rotate_access_key_90_days", + "iam_user_hardware_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_no_setup_initial_access_key", + "iam_user_two_active_access_key", + "organizations_account_part_of_organizations", + "organizations_delegated_administrators", + "organizations_scp_check_deny_regions", + "securityhub_enabled" + ], + "Attributes": [ + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "GuardDuty implements a finding that flags occurrences unattended behavior from an IAM User in the Account. 
PenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration." + }, + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS IAM", + "Category": "Detect", + "Value": "Partial", + "Comment": "This control provides detection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score." + }, + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score." + }, + { + "AWSService": "AWS Single Sign-On", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control provides protection capability for one of this technique's SubTechniques and some of its procedure examples resulting in an overall Partial protection score." 
+ }, + { + "AWSService": "AWS IoT Device Defender", + "Category": "Detect", + "Value": "Minimal", + "Comment": "This control provides partial detection capability for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score." + }, + { + "AWSService": "AWS IoT Device Defender", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score." + }, + { + "AWSService": "AWS Organizations", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control may protect against malicious use of cloud accounts but may not mitigate exploitation of local, domain, or default accounts present within deployed resources." + }, + { + "AWSService": "AWS Security Hub", + "Category": "Detect", + "Value": "Minimal", + "Comment": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights. AWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks. 
3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of root account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the root user. By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4)." + }, + { + "AWSService": "Amazon Cognito", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides partial protection for one of this technique's SubTechniques and a few of its procedure examples resulting in an overall Minimal protection score." + } + ] + }, + { + "Name": "Command and Scripting Interpreter", + "Id": "T1059", + "Tactics": [ + "Execution" + ], + "SubTechniques": [ + "T1059.009 - Cloud API" + ], + "Platforms": [ + "Azure AD", + "IaaS", + "Google Workspace", + "Linux", + "Network", + "Office 365", + "Windows", + "macOS" + ], + "Description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. 
Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1059/", + "Checks": [ + "elbv2_waf_acl_attached" + ], + "Attributes": [ + { + "AWSService": "AWS Web Application Firewall", + "Category": "Protect", + "Value": "Partial", + "Comment": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications. AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet. This is given a score of Partial (instead of Minimal) because while it only protects against a subset of SubTechniques (3 out of 8), it does provide protections for command and scripting interpreters that do not have SubTechniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time." + } + ] + }, + { + "Name": "Serverless Execution", + "Id": "T1648", + "Tactics": [ + "Execution" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Office 365", + "SaaS" + ], + "Description": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. 
Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1648/", + "Checks": [ + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_policy_allows_privilege_escalation", + "iam_policy_no_full_access_to_cloudtrail", + "iam_policy_no_full_access_to_kms" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them." + } + ] + }, + { + "Name": "User Execution", + "Id": "T1204", + "Tactics": [ + "Execution" + ], + "SubTechniques": [ + "T1204.003 - Malicious Image" + ], + "Platforms": [ + "IaaS", + "Containers", + "Linux", + "Windows", + "macOS" + ], + "Description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1204/", + "Checks": [ + "config_recorder_all_regions_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Detect", + "Value": "Minimal", + "Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal." 
+ } + ] + }, + { + "Name": "Account Manipulation", + "Id": "T1098", + "Tactics": [ + "Persistence" + ], + "SubTechniques": [ + "T1098.001 - Additional Cloud Credentials", + "T1098.003 - Additional Cloud Roles", + "T1098.004 - SSH Authorized Keys" + ], + "Platforms": [ + "IaaS", + "Office 365", + "SaaS" + ], + "Description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1098/", + "Checks": [ + "config_recorder_all_regions_enabled", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_policy_allows_privilege_escalation", + "iam_policy_no_full_access_to_cloudtrail", + "iam_policy_no_full_access_to_kms", + "iam_administrator_access_with_mfa", + "iam_avoid_root_usage", + "iam_no_custom_policy_permissive_role_assumption", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_hardware_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "guardduty_is_enabled", + "securityhub_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS IAM", + "Category": "Detect", + "Value": "Minimal", + "Comment": "This control may generate logs for creation and manipulation of accounts but the relevant security information would be handled by another security control." 
+ }, + { + "AWSService": "AWS Security Hub", + "Category": "Detect", + "Value": "Minimal", + "Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check. 3.4 Ensure a log metric filter and alarm exist for IAM policy changes. This is scored as Minimal because it only supports a subset of the SubTechniques (1 of 4)." + }, + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "GuardDuty has a finding types that flag events where an adversary may have compromised an AWS IAM User. Finding Type: Persistence:IAMUser/AnomalousBehavior." + } + ] + }, + { + "Name": "Create Account", + "Id": "T1136", + "Tactics": [ + "Persistence" + ], + "SubTechniques": [ + "T1136.003 - Cloud Account" + ], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Network", + "Office 365", + "Windows", + "macOS" + ], + "Description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1136/", + "Checks": [ + "config_recorder_all_regions_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides partial coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal." 
+ } + ] + }, + { + "Name": "Event Triggered Execution", + "Id": "T1546", + "Tactics": [ + "Privilege Escalation", + "Persistence" + ], + "SubTechniques": [], + "Platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "Windows", + "macOS" + ], + "Description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1546/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "Cloud Administration Command", + "Id": "T1651", + "Tactics": [ + "Privilege Escalation", + "Persistence" + ], + "SubTechniques": [], + "Platforms": [ + "Azure AD", + "IaaS" + ], + "Description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1651/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "Implant Internal Image", + "Id": "T1525", + "Tactics": [ + "Persistence" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Containers" + ], + "Description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. 
Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1525/", + "Checks": [ + "config_recorder_all_regions_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Detect", + "Value": "Minimal", + "Comment": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: 'approved-amis-by-id' and 'approved-amis-by-tag', both of which are run on configuration changes. This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal." + } + ] + }, + { + "Name": "Modify Authentication Process", + "Id": "T1556", + "Tactics": [ + "Credential Access", + "Defense Evasion", + "Persistence" + ], + "SubTechniques": [ + "T1556.006 - Multi-Factor Authentication", + "T1556.007 - Hybrid Identity" + ], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Network", + "Office 365", + "Windows", + "macOS" + ], + "Description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. 
The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1556/", + "Checks": [ + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_hardware_mfa_enabled", + "iam_root_hardware_mfa_enabled" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control provides coverage for one of this technique's SubTechniques, resulting in an overall score of Partial. Enforce MFA in IAM Users." + } + ] + }, + { + "Name": "Impair Defenses", + "Id": "T1562", + "Tactics": [ + "Defense Evasion" + ], + "SubTechniques": [ + "T1562.006 - Disable or Modify Tools", + "T1562.007 - Disable or Modify Cloud Firewall", + "T1562.008 - Disable Cloud Logs" + ], + "Platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Office 365", + "Windows", + "macOS" + ], + "Description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may also span both native defenses as well as supplemental capabilities installed by users and administrators.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1562/", + "Checks": [ + "config_recorder_all_regions_enabled", + "securityhub_enabled", + "guardduty_is_enabled", + "inspector2_findings_exist" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Detect", + "Value": "Minimal", + "Comment": "This control provides significant coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS IoT Device Defender", + "Category": "Detect", + "Value": "Minimal", + "Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS IoT Device Defender", + "Category": "Respond", + "Value": "Minimal", + "Comment": "This control provides partial coverage for a minority of this technique's SubTechniques, resulting in an overall score of Minimal." + } + ] + }, + { + "Name": "Modify Cloud Compute Infrastructure", + "Id": "T1578", + "Tactics": [ + "Defense Evasion" + ], + "SubTechniques": [ + "T1578.001 - Create Snapshot", + "T1578.002 - Create Cloud Instance", + "T1578.003 - Delete Cloud Instance", + "T1578.004 - Revert Cloud Instance" + ], + "Platforms": [ + "IaaS" + ], + "Description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. 
A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1578/", + "Checks": [ + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_policy_allows_privilege_escalation", + "iam_policy_no_full_access_to_cloudtrail", + "iam_policy_no_full_access_to_kms" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege." + } + ] + }, + { + "Name": "Unused/Unsupported Cloud Regions", + "Id": "T1535", + "Tactics": [ + "Defense Evasion" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS" + ], + "Description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. 
Access is usually obtained through compromising accounts used to manage cloud infrastructure.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1535/",
+ "Checks": [
+ "organizations_scp_check_deny_regions"
+ ],
+ "Attributes": []
+ },
+ {
+ "Name": "Use Alternate Authentication Material",
+ "Id": "T1550",
+ "Tactics": [
+ "Defense Evasion",
+ "Lateral Movement"
+ ],
+ "SubTechniques": [
+ "T1550.001 - Application Access Token",
+ "T1550.004 - Web Session Cookie"
+ ],
+ "Platforms": [
+ "IaaS"
+ ],
+ "Description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1550/",
+ "Checks": [
+ "iam_administrator_access_with_mfa",
+ "iam_customer_attached_policy_no_administrative_privileges",
+ "iam_policy_allows_privilege_escalation",
+ "iam_policy_no_full_access_to_cloudtrail",
+ "iam_policy_no_full_access_to_kms",
+ "iam_disable_30_days_credentials",
+ "iam_no_root_access_key",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_rotate_access_key_90_days",
+ "iam_user_hardware_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_no_setup_initial_access_key",
+ "iam_user_two_active_access_key"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS IAM",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "This control provides significant coverage for one of this technique's SubTechniques, resulting in an overall score of Minimal." 
+ }
+ ]
+ },
+ {
+ "Name": "Brute Force",
+ "Id": "T1110",
+ "Tactics": [
+ "Credential Access"
+ ],
+ "SubTechniques": [
+ "T1110.001 - Password Guessing",
+ "T1110.003 - Password Spraying",
+ "T1110.004 - Credential Stuffing"
+ ],
+ "Platforms": [
+ "Azure AD",
+ "Containers",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Network",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1110/",
+ "Checks": [
+ "guardduty_is_enabled",
+ "config_recorder_all_regions_enabled",
+ "iam_disable_30_days_credentials",
+ "iam_password_policy_expires_passwords_within_90_days_or_less",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_number",
+ "iam_password_policy_reuse_24",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_rotate_access_key_90_days",
+ "iam_user_hardware_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "securityhub_enabled",
+ "inspector2_findings_exist"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant." 
+ },
+ {
+ "AWSService": "AWS IAM",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant."
+ },
+ {
+ "AWSService": "AWS Single Sign-On",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "This control may not provide any mitigation against password cracking."
+ },
+ {
+ "AWSService": "Amazon Cognito",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted."
+ },
+ {
+ "AWSService": "AWS Security Hub",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques (3 of 4). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score." 
+ },
+ {
+ "AWSService": "Amazon Inspector",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include 'Disable password authentication over SSH', 'Configure password maximum age', 'Configure password minimum length', and 'Configure password complexity' all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score."
+ }
+ ]
+ },
+ {
+ "Name": "Forge Web Credentials",
+ "Id": "T1606",
+ "Tactics": [
+ "Credential Access"
+ ],
+ "SubTechniques": [
+ "T1606.001 - Web Cookies",
+ "T1606.002 - SAML Tokens"
+ ],
+ "Platforms": [
+ "Azure AD",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1606/",
+ "Checks": [
+ "iam_no_custom_policy_permissive_role_assumption",
+ "iam_policy_allows_privilege_escalation"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS IAM",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "Limit IAM permissions from calling the sts:GetFederationToken API unless explicitly required, in accordance with least privilege." 
+ }
+ ]
+ },
+ {
+ "Name": "Multi-Factor Authentication Request Generation",
+ "Id": "T1621",
+ "Tactics": [
+ "Credential Access"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "Azure AD",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1621/",
+ "Checks": [],
+ "Attributes": []
+ },
+ {
+ "Name": "Network Sniffing",
+ "Id": "T1040",
+ "Tactics": [
+ "Credential Access",
+ "Discovery"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Network",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1040/",
+ "Checks": [
+ "iam_no_custom_policy_permissive_role_assumption",
+ "iam_policy_allows_privilege_escalation",
+ "iam_customer_attached_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_user_hardware_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_transport_encrypted",
+ "config_recorder_all_regions_enabled",
+ "acm_certificates_expiration_check",
+ "elb_ssl_listeners",
+ "elbv2_ssl_listeners",
+ "cloudfront_distributions_https_enabled",
+ "s3_bucket_secure_transport_policy"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudWatch",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "AWS CloudWatch uses TLS/SSL connections to communicate with other AWS resources which protects against network sniffing attacks. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against network sniffing attacks. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "Amazon Virtual Private Cloud",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing." 
+ },
+ {
+ "AWSService": "AWS IoT Device Defender",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: 'CA certificate expiring' ('CA_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'CA certificate key quality' ('CA_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), and 'CA certificate revoked but device certificates still active' ('REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the 'UPDATE_CA_CERTIFICATE' mitigation action which can resolve them. 'Device certificate expiring' ('DEVICE_CERTIFICATE_EXPIRING_CHECK' in the CLI and API), 'Device certificate key quality' ('DEVICE_CERTIFICATE_KEY_QUALITY_CHECK' in the CLI and API), 'Device certificate shared' ('DEVICE_CERTIFICATE_SHARED_CHECK' in the CLI and API), and 'Revoked device certificate still active' ('REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK' in the CLI and API) can identify problems with IoT devices' certificates and support the 'UPDATE_DEVICE_CERTIFICATE' and 'ADD_THINGS_TO_THING_GROUP' mitigation actions which can resolve them. Coverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial." 
+ },
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: 'acm-certificate-expiration-check' for nearly expired certificates in AWS Certificate Manager (ACM); 'alb-http-to-https-redirection-check' for Application Load Balancer (ALB) HTTP listeners; 'api-gw-ssl-enabled' for API Gateway REST API stages; 'cloudfront-custom-ssl-certificate', 'cloudfront-sni-enabled', and 'cloudfront-viewer-policy-https', for Amazon CloudFront distributions; 'elb-acm-certificate-required', 'elb-custom-security-policy-ssl-check', 'elb-predefined-security-policy-ssl-check', and 'elb-tls-https-listeners-only' for Elastic Load Balancing (ELB) Classic Load Balancer listeners; 'redshift-require-tls-ssl' for Amazon Redshift cluster connections to SQL clients; 's3-bucket-ssl-requests-only' for requests for S3 bucket contents; and 'elasticsearch-node-to-node-encryption-check' for Amazon ElasticSearch Service node-to-node communications. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that private traffic is routed securely and only within VPCs rather than on the public Internet: 'api-gw-endpoint-type-check' for Amazon API Gateway APIs, 'elasticsearch-in-vpc-only' for Amazon ElasticSearch Service domains, and 'redshift-enhanced-vpc-routing-enabled' for Amazon Redshift cluster traffic. All of these are run on configuration changes except 'alb-http-to-https-redirection-check' and 'elasticsearch-in-vpc-only', which are run periodically. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic and/or do not have access to traffic within the relevant VPCs, resulting in an overall score of Partial."
+ }
+ ]
+ },
+ {
+ "Name": "Unsecured Credentials",
+ "Id": "T1552",
+ "Tactics": [
+ "Credential Access"
+ ],
+ "SubTechniques": [
+ "T1552.001 - Credentials In Files",
+ "T1552.005 - Cloud Instance Metadata API"
+ ],
+ "Platforms": [
+ "Azure AD",
+ "Containers",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Network",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1552/",
+ "Checks": [
+ "macie_is_enabled",
+ "guardduty_is_enabled",
+ "autoscaling_find_secrets_ec2_launch_configuration",
+ "ec2_instance_imdsv2_enabled",
+ "awslambda_function_no_secrets_in_code",
+ "awslambda_function_no_secrets_in_variables",
+ "cloudformation_stack_outputs_find_secrets",
+ "cloudwatch_log_group_no_secrets_in_logs",
+ "ec2_instance_secrets_user_data",
+ "ecs_task_definitions_no_environment_secrets",
+ "eks_cluster_kms_cmk_encryption_in_secrets_enabled",
+ "ssm_document_secrets",
+ "secretsmanager_automatic_rotation_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudHSM",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal." 
+ },
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: 'codebuild-project-envvar-awscred-check' for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, 'codebuild-project-source-repo-url-check' for personal access tokens and/or credentials within source repository URLs. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: 'secretsmanager-rotation-enabled-check', 'secretsmanager-scheduled-rotation-success-check', 'secretsmanager-secret-periodic-rotation', and 'secretsmanager-using-cmk'. This control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "AWS IoT Device Defender",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal."
+ },
+ {
+ "AWSService": "AWS Key Management Service",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal."
+ },
+ {
+ "AWSService": "AWS Secrets Manager",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user." 
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal."
+ },
+ {
+ "AWSService": "Amazon Macie",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "Macie only provides detection for the Credentials in Files sub-technique of this technique and only for the S3 storage type resulting in Minimal coverage and an overall Minimal score."
+ }
+ ]
+ },
+ {
+ "Name": "Exfiltration Over Alternative Protocol",
+ "Id": "T1048",
+ "Tactics": [
+ "Exfiltration"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Network",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. 
The data may also be sent to an alternate network location from the main command and control server.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1048/",
+ "Checks": [
+ "networkfirewall_in_all_vpc",
+ "guardduty_is_enabled",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_networkacl_allow_ingress_tcp_port_22",
+ "ec2_networkacl_allow_ingress_tcp_port_3389",
+ "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS Network Firewall",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel. Trojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual."
+ },
+ {
+ "AWSService": "AWS IoT Device Defender",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "Amazon Virtual Private Cloud",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score." 
+ }
+ ]
+ },
+ {
+ "Name": "Transfer Data to Cloud Account",
+ "Id": "T1537",
+ "Tactics": [
+ "Exfiltration"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS"
+ ],
+ "Description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1537/",
+ "Checks": [
+ "macie_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "Amazon Macie",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "The following Macie findings can detect attempts to replicate data objects from a monitored bucket to an Amazon Web Services account that isn't part of your organization: Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score."
+ }
+ ]
+ },
+ {
+ "Name": "Automated Collection",
+ "Id": "T1119",
+ "Tactics": [
+ "Collection"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. 
This functionality could also be built into remote access tools.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1119/",
+ "Checks": [
+ "config_recorder_all_regions_enabled",
+ "ec2_ebs_default_encryption",
+ "ec2_ebs_snapshots_encrypted",
+ "ec2_ebs_volume_encryption",
+ "s3_bucket_default_encryption",
+ "rds_instance_storage_encrypted"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: 'ec2-ebs-encryption-by-default' which is run periodically and 'encrypted-volumes' which is run on configuration changes. Coverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal."
+ }
+ ]
+ },
+ {
+ "Name": "Data from Cloud Storage",
+ "Id": "T1530",
+ "Tactics": [
+ "Collection"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "SaaS"
+ ],
+ "Description": "Adversaries may collect sensitive data from these cloud storage solutions. 
Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[5][6][7] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1530/",
+ "Checks": [
+ "config_recorder_all_regions_enabled",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "s3_bucket_level_public_access_block",
+ "emr_cluster_publicly_accesible",
+ "rds_snapshots_public_access",
+ "rds_instance_no_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "efs_encryption_at_rest_enabled",
+ "efs_not_publicly_accessible",
+ "rds_instance_storage_encrypted",
+ "rds_instance_transport_encrypted",
+ "s3_bucket_default_encryption",
+ "sns_topics_kms_encryption_at_rest_enabled",
+ "redshift_cluster_public_access",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sagemaker_training_jobs_intercontainer_encryption_enabled",
+ "networkfirewall_in_all_vpc",
+ "securityhub_enabled",
+ "macie_is_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: 's3-account-level-public-access-blocks', 's3-bucket-level-public-access-prohibited', 's3-bucket-public-read-prohibited', 's3-bucket-policy-not-more-permissive', 'cloudfront-origin-access-identity-enabled', and 
'cloudfront-default-root-object-configured' identify objects that are publicly available or subject to overly permissive access policies; 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and 's3-bucket-policy-grantee-check' checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: 'dms-replication-not-public' for AWS Database Migration Service; 'emr-master-no-public-ip' for Amazon Elastic MapReduce (EMR); 'rds-cluster-iam-authentication-enabled', 'rds-instance-iam-authentication-enabled', 'rds-instance-public-access-check' and 'rds-snapshots-public-prohibited' for Amazon Relational Database Service; 'redshift-cluster-public-access-check' for Amazon Redshift; and 'sagemaker-notebook-no-direct-internet-access' for SageMaker. 
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: 'dax-encryption-enabled', 'dynamodb-table-encrypted-kms', and 'dynamodb-table-encryption-enabled' for Amazon DynamoDB table contents; 'efs-encrypted-check' for Amazon Elastic File System (EFS) file systems; 'elasticsearch-encrypted-at-rest' for Elasticsearch Service (ES) domains; 'rds-snapshot-encrypted' and 'rds-storage-encrypted' for Amazon Relational Database Service; 's3-bucket-server-side-encryption-enabled' and 's3-default-encryption-kms' for S3 storage; 'sns-encrypted-kms' for Amazon Simple Notification Service (SNS); 'redshift-cluster-configuration-check' and 'redshift-cluster-kms-enabled' for Redshift clusters; 'sagemaker-endpoint-configuration-kms-key-configured' and 'sagemaker-notebook-instance-kms-key-configured' for SageMaker. These rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant."
+ },
+ {
+ "AWSService": "AWS IoT Device Defender",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Source IP' ('aws:source-ip-address') values outside of expected IP address ranges may suggest that a device has been stolen. 'Messages sent' ('aws:num-messages-sent'), 'Messages received' ('aws:num-messages-received'), and 'Message size' ('aws:message-byte-size') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. 
The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage. Coverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "AWS Network Firewall",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where the AWS Network Firewall protects, the mapping is only given a score of Partial."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can protect against an adversary from gaining access to a database instance in the event they get access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, with AWS RDS, there is a setting that specifies whether or not a database instances is publicly accessible. 
When public accessibility is turned off, the database instance will not be available outside the VPC in which it was created. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS S3",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "S3 provides full control of access via Identity and Access Management (IAM) policies and with its access control lists (ACLs). The S3 Block Public Access feature allows for policies limiting public access to Amazon S3 resources that are enforced regardless of how the resources are created or associated IAM policies. Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys."
+ },
+ {
+ "AWSService": "AWS Security Hub",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to data in cloud storage. AWS Security Hub provides this detection with the following managed insight. S3 buckets with public write or read permissions. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.)."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following GuardDuty finding types flag events where adversaries may have access data objects from improperly secured cloud storage. 
UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller."
+ },
+ {
+ "AWSService": "Amazon Macie",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "The following Macie findings can detect the collection of data from S3 buckets: Policy:IAMUser/S3BlockPublicAccessDisabled Policy:IAMUser/S3BucketEncryptionDisabled Policy:IAMUser/S3BucketPublic Policy:IAMUser/S3BucketReplicatedExternally Policy:IAMUser/S3BucketSharedExternally. This type of detection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score."
+ },
+ {
+ "AWSService": "Amazon Macie",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "The following Macie findings can protect against collection of sensitive data from S3 buckets: SensitiveData:S3Object/Credentials SensitiveData:S3Object/CustomIdentifier SensitiveData:S3Object/Financial SensitiveData:S3Object/Multiple SensitiveData:S3Object/Personal. The ability to discover this type of sensitive data stored in a bucket may lead to hardening steps or removing the data altogether which would prevent an adversary from being able to collect the data. This type of protection is limited to only the S3 storage type and not other storage types available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score."
+ }
+ ]
+ },
+ {
+ "Name": "Data from Information Repositories",
+ "Id": "T1213",
+ "Tactics": [
+ "Collection"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1213/",
+ "Checks": [],
+ "Attributes": []
+ },
+ {
+ "Name": "Data from Cloud Storage",
+ "Id": "T1074",
+ "Tactics": [
+ "Collection"
+ ],
+ "SubTechniques": [
+ "T1074.002 - Remote Data Staging"
+ ],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1074/",
+ "Checks": [],
+ "Attributes": []
+ },
+ {
+ "Name": "Data Destruction",
+ "Id": "T1485",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. 
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[1][2][3][4][5][6] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1485/",
+ "Checks": [
+ "drs_job_exist",
+ "rds_instance_deletion_protection",
+ "rds_instance_backup_enabled",
+ "efs_have_backup_enabled",
+ "backup_plans_exist",
+ "s3_bucket_object_lock",
+ "s3_bucket_no_mfa_delete",
+ "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk",
+ "s3_bucket_policy_public_write_access",
+ "dynamodb_tables_pitr_enabled",
+ "s3_bucket_object_versioning",
+ "config_recorder_all_regions_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudEndure Disaster Recovery",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. 
The following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: 'elb-deletion-protection-enabled' for Elastic Block Store (EBS) volumes, and 'rds-cluster-deletion-protection-enabled' and 'rds-instance-deletion-protection-enabled' for RDS data. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance. RDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted. This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS S3",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "AWS S3 may protect against data destruction through application of several best practices. 
Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for add protection."
+ },
+ {
+ "AWSService": "AWS Security Hub",
+ "Category": "Detect",
+ "Value": "Minimal",
+ "Comment": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check. Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs. This is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Impact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux."
+ }
+ ]
+ },
+ {
+ "Name": "Data Encrypted for Impact",
+ "Id": "T1486",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1486/",
+ "Checks": [
+ "drs_job_exist",
+ "s3_bucket_object_lock",
+ "s3_bucket_policy_public_write_access",
+ "dynamodb_tables_pitr_enabled",
+ "backup_plans_exist",
+ "s3_bucket_object_versioning",
+ "rds_instance_backup_enabled",
+ "efs_have_backup_enabled",
+ "config_recorder_all_regions_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudEndure Disaster Recovery",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Partial",
+ "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: 's3-bucket-blacklisted-actions-prohibited' checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, 's3-bucket-default-lock-enabled' checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and 's3-bucket-public-write-prohibited' checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious changes to data encryption: 'aurora-mysql-backtracking-enabled' for data in Aurora MySQL; 'db-instance-backup-enabled' and 'rds-in-backup-plan' for Amazon Relational Database Service (RDS) data; 'dynamodb-in-backup-plan' and 'dynamodb-pitr-enabled' for Amazon DynamoDB table contents; 'ebs-in-backup-plan' for Elastic Block Store (EBS) volumes; 'efs-in-backup-plan' for Amazon Elastic File System (EFS) file systems; 'elasticache-redis-cluster-automatic-backup-check' for Amazon ElastiCache Redis cluster data; 'redshift-backup-enabled' and 'redshift-cluster-maintenancesettings-check' for Redshift; 's3-bucket-replication-enabled' and 's3-bucket-versioning-enabled' for S3 storage; and 'cloudfront-origin-failover-enabled' for CloudFront. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against malicious encryption changes, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following GuardDuty finding type flags events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. Impact:S3/MaliciousIPCaller Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux"
+ }
+ ]
+ },
+ {
+ "Name": "Defacement",
+ "Id": "T1491",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [
+ "T1491.002 - External Defacement"
+ ],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1491/",
+ "Checks": [
+ "drs_job_exist",
+ "config_recorder_all_regions_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudEndure Disaster Recovery",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2)."
+ },
+ {
+ "AWSService": "AWS Config",
+ "Category": "Protect",
+ "Value": "Significant",
+ "Comment": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial."
+ }
+ ]
+ },
+ {
+ "Name": "Endpoint Denial of Service",
+ "Id": "T1499",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [
+ "T1499.002 - Service Exhaustion Flood",
+ "T1499.003 - Application Exhaustion Flood",
+ "T1499.004 - Application or System Exploitation"
+ ],
+ "Platforms": [
+ "Azure AD",
+ "Containers",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1499/",
+ "Checks": [
+ "networkfirewall_in_all_vpc",
+ "config_recorder_all_regions_enabled",
+ "shield_advanced_protection_in_associated_elastic_ips",
+ "shield_advanced_protection_in_classic_load_balancers",
+ "shield_advanced_protection_in_cloudfront_distributions",
+ "shield_advanced_protection_in_global_accelerators",
+ "shield_advanced_protection_in_internet_facing_load_balancers",
+ "shield_advanced_protection_in_route53_hosted_zones",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_networkacl_allow_ingress_tcp_port_22",
+ "ec2_networkacl_allow_ingress_tcp_port_3389",
+ "ec2_securitygroup_allow_ingress_from_internet_to_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23"
+ ],
+ "Attributes": [
+ {
+ 
"AWSService": "AWS Shield", + "Category": "Respond", + "Value": "Significant", + "Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT)." + }, + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS Network Firewall", + "Category": "Protect", + "Value": "Partial", + "Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because it only supports a subset of the sub-techniques (3 of 4) and because the source of the attack would have to be known before rules could be put in place to protect against it." 
+ },
+ {
+ "AWSService": "Amazon Virtual Private Cloud",
+ "Category": "Protect",
+ "Value": "Minimal",
+ "Comment": "VPC security groups and network access control lists (NACLs) provides minimal protection for a majority of this control's sub-techniques and procedure examples resulting in an overall score of Minimal."
+ }
+ ]
+ },
+ {
+ "Name": "Inhibit System Recovery",
+ "Id": "T1490",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Network",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] This may deny access to available backups and recovery options.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1490/",
+ "Checks": [
+ "drs_job_exist",
+ "rds_instance_backup_enabled"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudEndure Disaster Recovery",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2)."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery. RDS-EVENT-0028: Automatic backups for this DB instance have been disabled. This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups."
+ },
+ {
+ "AWSService": "AWS RDS",
+ "Category": "Respond",
+ "Value": "Significant",
+ "Comment": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant."
+ }
+ ]
+ },
+ {
+ "Name": "Resource Hijacking",
+ "Id": "T1496",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "IaaS",
+ "Linux",
+ "Containers",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.",
+ "TechniqueURL": "https://attack.mitre.org/techniques/T1496/",
+ "Checks": [
+ "config_recorder_all_regions_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_enhanced_monitoring_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
+ "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
+ "cloudwatch_log_metric_filter_authentication_failures",
+ "cloudwatch_log_metric_filter_aws_organizations_changes",
+ "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk",
+ "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
+ "cloudwatch_log_metric_filter_policy_changes",
+ "cloudwatch_log_metric_filter_root_usage",
+ "cloudwatch_log_metric_filter_security_group_changes",
+ "cloudwatch_log_metric_filter_sign_in_without_mfa",
+ "cloudwatch_log_metric_filter_unauthorized_api_calls"
+ ],
+ "Attributes": [
+ {
+ "AWSService": "AWS CloudWatch",
+ "Category": "Detect",
+ 
"Value": "Partial", + "Comment": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks. Linux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used. Containers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization. This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization." + }, + { + "AWSService": "AWS Config", + "Category": "Detect", + "Value": "Partial", + "Comment": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: 'cloudwatch-alarm-action-check', 'cloudwatch-alarm-resource-check', 'cloudwatch-alarm-settings-check', 'desired-instance-tenancy', 'desired-instance-type', 'dynamodb-autoscaling-enabled', 'dynamodb-throughput-limit-check', 'ec2-instance-detailed-monitoring-enabled', and 'rds-enhanced-monitoring-enabled'. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "AWS IoT Device Defender",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities. Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial."
+ },
+ {
+ "AWSService": "Amazon GuardDuty",
+ "Category": "Detect",
+ "Value": "Partial",
+ "Comment": "The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. CryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay"
+ }
+ ]
+ },
+ {
+ "Name": "Network Denial of Service",
+ "Id": "T1498",
+ "Tactics": [
+ "Impact"
+ ],
+ "SubTechniques": [],
+ "Platforms": [
+ "Azure AD",
+ "Containers",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "Description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1498/", + "Checks": [ + "config_recorder_all_regions_enabled", + "networkfirewall_in_all_vpc", + "guardduty_is_enabled", + "shield_advanced_protection_in_associated_elastic_ips", + "shield_advanced_protection_in_classic_load_balancers", + "shield_advanced_protection_in_cloudfront_distributions", + "shield_advanced_protection_in_global_accelerators", + "shield_advanced_protection_in_internet_facing_load_balancers", + "shield_advanced_protection_in_route53_hosted_zones", + "ec2_networkacl_allow_ingress_any_port", + "ec2_networkacl_allow_ingress_tcp_port_22", + "ec2_networkacl_allow_ingress_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434", + 
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23" + ], + "Attributes": [ + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal." + }, + { + "AWSService": "AWS Network Firewall", + "Category": "Protect", + "Value": "Minimal", + "Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports both all sub-techniques (2 of 2), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level." + }, + { + "AWSService": "AWS Shield", + "Category": "Respond", + "Value": "Significant", + "Comment": "AWS Shield is a service that protects against Distributed Denial of Service attacks. There are two tiers for this service Standard and Advanced. AWS Shield Standard defends against most common, frequently occurring network and transport (Layer 3 and 4 attacks) layer DDoS attacks that target your web site or applications. AWS Shield Advanced adds on to standard by providing additional detection and mitigation against large and sophisticated DDoS attacks. There is near real-time visibility into attacks. AWS Shield Advanced also comes with 24x7 access to the AWS DDoS Response Team (DRT)." + }, + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. 
Backdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns" + }, + { + "AWSService": "Amazon Virtual Private Cloud", + "Category": "Protect", + "Value": "Minimal", + "Comment": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score." + } + ] + }, + { + "Name": "Account Discovery", + "Id": "T1087", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [ + "T1087.004 - Cloud Account" + ], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).", + "TechniqueURL": "https://attack.mitre.org/techniques/T1087/", + "Checks": [ + "organizations_account_part_of_organizations" + ], + "Attributes": [ + { + "AWSService": "AWS Organizations", + "Category": "Protect", + "Value": "Minimal", + "Comment": "This control may protect against cloud account discovery but does not mitigate against other forms of account discovery." + } + ] + }, + { + "Name": "Cloud Infrastructure Discovery", + "Id": "T1580", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS" + ], + "Description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. 
This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1580/", + "Checks": [ + "organizations_account_part_of_organizations", + "securityhub_enabled", + "guardduty_is_enabled", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_no_custom_policy_permissive_role_assumption", + "iam_policy_allows_privilege_escalation", + "iam_policy_no_full_access_to_cloudtrail", + "iam_policy_no_full_access_to_kms" + ], + "Attributes": [ + { + "AWSService": "AWS Organizations", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege." + }, + { + "AWSService": "AWS Security Hub", + "Category": "Detect", + "Value": "Partial", + "Comment": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights. S3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet. AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check. 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes. This is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components." 
+ }, + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems. Discovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux." + }, + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "Limit IAM permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies." + } + ] + }, + { + "Name": "Cloud Service Dashboard", + "Id": "T1538", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365" + ], + "Description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. 
For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1538/", + "Checks": [ + "organizations_account_part_of_organizations", + "iam_user_mfa_enabled_console_access", + "iam_customer_attached_policy_no_administrative_privileges", + "iam_aws_attached_policy_no_administrative_privileges" + ], + "Attributes": [ + { + "AWSService": "AWS Organizations", + "Category": "Protect", + "Value": "Partial", + "Comment": "This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege." + }, + { + "AWSService": "AWS Config", + "Category": "Protect", + "Value": "Significant", + "Comment": "The 'mfa-enabled-for-iam-console-access' managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically, and provides significant coverage, resulting in an overall score of Significant." + } + ] + }, + { + "Name": "Cloud Service Discovery", + "Id": "T1526", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365", + "SaaS" + ], + "Description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. 
They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1526/", + "Checks": [ + "guardduty_is_enabled" + ], + "Attributes": [ + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "GuardDuty has the following finding types to flag events where there is an attempt to discover information about resources on the account. Recon:IAMUser/MaliciousIPCaller Recon:IAMUser/MaliciousIPCaller.Custom Recon:IAMUser/TorIPCaller" + } + ] + }, + { + "Name": "Cloud Storage Object Discovery", + "Id": "T1619", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS" + ], + "Description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1619/", + "Checks": [ + "iam_customer_attached_policy_no_administrative_privileges", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_policy_allows_privilege_escalation" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "Restrict granting of permissions related to listing objects in AWS S3 Buckets to necessary accounts." 
+ } + ] + }, + { + "Name": "Network Service Discovery", + "Id": "T1046", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1046/", + "Checks": [ + "networkfirewall_in_all_vpc", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "inspector2_findings_exist", + "ec2_networkacl_allow_ingress_any_port", + "ec2_networkacl_allow_ingress_tcp_port_22", + "ec2_networkacl_allow_ingress_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434", + 
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23" + ], + "Attributes": [ + { + "AWSService": "AWS IoT Device Defender", + "Category": "Detect", + "Value": "Partial", + "Comment": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement techniques: 'Destination IPs' ('aws:destination-ip-addresses') outside of expected IP address ranges may suggest that a device is communicating with unexpected devices. 'Bytes in' ('aws:all-bytes-in'), 'Bytes out' ('aws:all-bytes-out'), 'Packets in' ('aws:all-packets-in'), and 'Packets out' ('aws:all-packets-out') values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may traffic used to discover other hosts/services. 'Listening TCP ports' ('aws:listening-tcp-ports'), 'Listening TCP port count' ('aws:num-listening-tcp-ports'), 'Established TCP connections count' ('aws:num-established-tcp-connections'), 'Listening UDP ports' ('aws:listening-udp-ports'), and 'Listening UDP port count' ('aws:num-listening-udp-ports') values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest scanning is taking place. Coverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial." + }, + { + "AWSService": "AWS Network Firewall", + "Category": "Protect", + "Value": "Partial", + "Comment": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall." + }, + { + "AWSService": "AWS Web Application Firewall", + "Category": "Protect", + "Value": "Partial", + "Comment": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection. AWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet. This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots." + }, + { + "AWSService": "Amazon GuardDuty", + "Category": "Detect", + "Value": "Partial", + "Comment": "The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host. Recon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Impact:EC2/PortSweep" + }, + { + "AWSService": "Amazon Inspector", + "Category": "Protect", + "Value": "Partial", + "Comment": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial." 
+ }, + { + "AWSService": "Amazon Virtual Private Cloud", + "Category": "Protect", + "Value": "Significant", + "Comment": "VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore, can mitigate unauthorized network service scanning." + } + ] + }, + { + "Name": "Password Policy Discovery", + "Id": "T1201", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).", + "TechniqueURL": "https://attack.mitre.org/techniques/T1201/", + "Checks": [ + "iam_customer_attached_policy_no_administrative_privileges", + "iam_aws_attached_policy_no_administrative_privileges", + "iam_policy_allows_privilege_escalation" + ], + "Attributes": [ + { + "AWSService": "AWS IAM", + "Category": "Protect", + "Value": "Significant", + "Comment": "Ensure least privilege in IAM since password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS." 
+ } + ] + }, + { + "Name": "System Network Connections Discovery", + "Id": "T1049", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1049/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "System Location Discovery", + "Id": "T1614", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "Description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1614/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "System Information Discovery", + "Id": "T1082", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [], + "Platforms": [ + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "Description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. 
Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1082/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "Software Discovery", + "Id": "T1518", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [ + "T1518.001 - Security Software Discovery" + ], + "Platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1518/", + "Checks": [], + "Attributes": [] + }, + { + "Name": "Permission Groups Discovery", + "Id": "T1069", + "Tactics": [ + "Discovery" + ], + "SubTechniques": [ + "T1069.003 - Cloud Groups" + ], + "Platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "Description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", + "TechniqueURL": "https://attack.mitre.org/techniques/T1069/", + "Checks": [], + "Attributes": [] + } + ] +} diff --git a/prowler/lib/check/compliance.py b/prowler/lib/check/compliance.py index 82309e3e..d48da292 100644 --- a/prowler/lib/check/compliance.py +++ b/prowler/lib/check/compliance.py 
@@ -2,10 +2,7 @@ import sys
 
 from pydantic import parse_obj_as
 
-from prowler.lib.check.compliance_models import (
- Compliance_Base_Model,
- Compliance_Requirement,
-)
+from prowler.lib.check.compliance_models import Compliance_Base_Model
 from prowler.lib.check.models import Check_Metadata_Model
 from prowler.lib.logger import logger
 
@@ -22,16 +19,7 @@ def update_checks_metadata_with_compliance(
 compliance_requirements = []
 # Verify if check is in the requirement
 if check in requirement.Checks:
- # Create the Compliance_Requirement
- requirement = Compliance_Requirement(
- Id=requirement.Id,
- Description=requirement.Description,
- Attributes=requirement.Attributes,
- Checks=requirement.Checks,
- )
- # For the check metadata we don't need the "Checks" key
- delattr(requirement, "Checks")
- # Include the requirment into the check's framework requirements
+ # Include the requirement into the check's framework requirements
 compliance_requirements.append(requirement)
 # Create the Compliance_Model
 compliance = Compliance_Base_Model(
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index 83f43d02..29c9e0ea 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -8,8 +8,8 @@ from prowler.lib.logger import logger
 
 
 # ENS - Esquema Nacional de Seguridad - España
-class ENS_Requirements_Nivel(str, Enum):
- """ENS V3 Requirements Level"""
+class ENS_Requirement_Attribute_Nivel(str, Enum):
+ """ENS V3 Requirement Attribute Level"""
 
 opcional = "opcional"
 bajo = "bajo"
@@ -17,8 +17,8 @@ class ENS_Requirements_Nivel(str, Enum):
 alto = "alto"
 
 
-class ENS_Requirements_Dimensiones(str, Enum):
- """ENS V3 Requirements Dimensions"""
+class ENS_Requirement_Attribute_Dimensiones(str, Enum):
+ """ENS V3 Requirement Attribute Dimensions"""
 
 confidencialidad = "confidencialidad"
 integridad = "integridad"
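Review bot: `compliance_requirements.append(requirement)` now appends the requirement with its `Checks` list intact, because the copy-and-`delattr(requirement, "Checks")` step the old code used to strip it was removed rather than replaced. If this per-check compliance metadata is serialised into the finding outputs, as the removed comment (`For the check metadata we don't need the "Checks" key`) implies, every finding now carries the full sibling-check list of each requirement it maps to — for the MITRE entries added in this commit that is up to two dozen check IDs per technique. `Compliance_Requirement` can no longer serve as the copy target since the element may be a `Mitre_Requirement`, but a model-agnostic copy preserves the stripping: `compliance_requirements.append(requirement.copy(exclude={"Checks"}))` (pydantic v1 `BaseModel.copy`, consistent with the `@root_validator` style used in this file). `update_checks_metadata_with_compliance` starts and ends outside this hunk.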
@@ -27,8 +27,8 @@ class ENS_Requirements_Dimensiones(str, Enum):
 disponibilidad = "disponibilidad"
 
 
-class ENS_Requirements_Tipos(str, Enum):
- """ENS Requirements Tipos"""
+class ENS_Requirement_Attribute_Tipos(str, Enum):
+ """ENS Requirement Attribute Tipos"""
 
 refuerzo = "refuerzo"
 requisito = "requisito"
@@ -36,21 +36,21 @@ class ENS_Requirements_Tipos(str, Enum):
 medida = "medida"
 
 
-class ENS_Requirements(BaseModel):
- """ENS V3 Framework Requirements"""
+class ENS_Requirement_Attribute(BaseModel):
+ """ENS V3 Framework Requirement Attribute"""
 
 IdGrupoControl: str
 Marco: str
 Categoria: str
 DescripcionControl: str
- Tipo: ENS_Requirements_Tipos
- Nivel: ENS_Requirements_Nivel
- Dimensiones: list[ENS_Requirements_Dimensiones]
+ Tipo: ENS_Requirement_Attribute_Tipos
+ Nivel: ENS_Requirement_Attribute_Nivel
+ Dimensiones: list[ENS_Requirement_Attribute_Dimensiones]
 
 
-# Generic Compliance Requirements
-class Generic_Compliance_Requirements(BaseModel):
- """Generic Compliance Requirements"""
+# Generic Compliance Requirement Attribute
+class Generic_Compliance_Requirement_Attribute(BaseModel):
+ """Generic Compliance Requirement Attribute"""
 
 ItemId: str
 Section: Optional[str]
@@ -60,27 +60,27 @@ class Generic_Compliance_Requirements(BaseModel):
 Soc_Type: Optional[str]
 
 
-class CIS_Requirements_Profile(str):
- """CIS Requirements Profile"""
+class CIS_Requirement_Attribute_Profile(str):
+ """CIS Requirement Attribute Profile"""
 
 Level_1 = "Level 1"
 Level_2 = "Level 2"
 
 
-class CIS_Requirements_AssessmentStatus(str):
- """CIS Requirements Assessment Status"""
+class CIS_Requirement_Attribute_AssessmentStatus(str):
+ """CIS Requirement Attribute Assessment Status"""
 
 Manual = "Manual"
 Automated = "Automated"
 
 
-# CIS Requirements
-class CIS_Requirements(BaseModel):
- """CIS Requirements"""
+# CIS Requirement Attribute
+class CIS_Requirement_Attribute(BaseModel):
+ """CIS Requirement Attribute"""
 
 Section: str
- Profile: CIS_Requirements_Profile
- AssessmentStatus: CIS_Requirements_AssessmentStatus
+ Profile: CIS_Requirement_Attribute_Profile
+ AssessmentStatus: CIS_Requirement_Attribute_AssessmentStatus
 Description: str
 RationaleStatement: str
 ImpactStatement: str
@@ -90,9 +90,9 @@ class CIS_Requirements(BaseModel):
 References: str
 
 
-# Well Architected Requirements
-class AWS_Well_Architected_Requirements(BaseModel):
- """AWS Well Architected Requirements"""
+# Well Architected Requirement Attribute
+class AWS_Well_Architected_Requirement_Attribute(BaseModel):
+ """AWS Well Architected Requirement Attribute"""
 
 Name: str
 WellArchitectedQuestionId: str
@@ -105,9 +105,9 @@ class AWS_Well_Architected_Requirements(BaseModel):
 ImplementationGuidanceUrl: str
 
 
-# ISO27001 Requirements
-class ISO27001_2013_Requirements(BaseModel):
- """ISO27001 Requirements"""
+# ISO27001 Requirement Attribute
+class ISO27001_2013_Requirement_Attribute(BaseModel):
+ """ISO27001 Requirement Attribute"""
 
 Category: str
 Objetive_ID: str
@@ -115,6 +115,31 @@ class ISO27001_2013_Requirements(BaseModel):
 Check_Summary: str
 
 
+# MITRE Requirement Attribute
+class Mitre_Requirement_Attribute(BaseModel):
+ """MITRE Requirement Attribute"""
+
+ AWSService: str
+ Category: str
+ Value: str
+ Comment: str
+
+
+# MITRE Requirement
+class Mitre_Requirement(BaseModel):
+ """Mitre_Requirement holds the model for every MITRE requirement"""
+
+ Name: str
+ Id: str
+ Tactics: list[str]
+ SubTechniques: list[str]
+ Description: str
+ Platforms: list[str]
+ TechniqueURL: str
+ Attributes: list[Mitre_Requirement_Attribute]
+ Checks: list[str]
+
+
 # Base Compliance Model
 class Compliance_Requirement(BaseModel):
 """Compliance_Requirement holds the base model for every requirement within a compliance framework"""
@@ -124,11 +149,11 @@ class Compliance_Requirement(BaseModel):
 Name: Optional[str]
 Attributes: list[
 Union[
- CIS_Requirements,
- ENS_Requirements,
- Generic_Compliance_Requirements,
- ISO27001_2013_Requirements,
- AWS_Well_Architected_Requirements,
+ CIS_Requirement_Attribute,
+ ENS_Requirement_Attribute,
+ Generic_Compliance_Requirement_Attribute,
+ ISO27001_2013_Requirement_Attribute,
+ AWS_Well_Architected_Requirement_Attribute,
 ]
 ]
 Checks: list[str]
@@ -141,7 +166,7 @@ class Compliance_Base_Model(BaseModel):
 Provider: str
 Version: Optional[str]
 Description: str
- Requirements: list[Compliance_Requirement]
+ Requirements: list[Union[Mitre_Requirement, Compliance_Requirement]]
 
 @root_validator(pre=True)
 # noqa: F841 - since vulture raises unused variable 'cls'
diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py
index 3f216af0..ee1b5922 100644
--- a/prowler/lib/outputs/compliance.py
+++ b/prowler/lib/outputs/compliance.py
@@ -13,7 +13,9 @@ from prowler.lib.outputs.models import (
 Check_Output_CSV_CIS,
 Check_Output_CSV_ENS_RD2022,
 Check_Output_CSV_Generic_Compliance,
+ Check_Output_MITRE_ATTACK,
 generate_csv_fields,
+ unroll_list,
 )
 
 
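Review bot: `Category: str` and `Value: str` on `Mitre_Requirement_Attribute` accept any text, so a typo in the 2,000-line mapping (say `Signficant` or `Detec`) loads silently, whereas the ENS attribute model in this same file constrains its equivalents with `str, Enum` subclasses that fail validation at load time. Every value visible in the mapping comes from a closed set — `Protect`/`Detect`/`Respond` for the category and `Minimal`/`Partial`/`Significant` for the score — so `class Mitre_Requirement_Attribute_Category(str, Enum)` and `class Mitre_Requirement_Attribute_Value(str, Enum)` in the existing style would catch that, provided no other category or score appears in the parts of the JSON not shown here. A docstring saying what one attribute is would also help readers who have not seen the upstream mapping: `"""One AWS security-service mapping for a technique: the service, its Protect/Detect/Respond role, the coverage score and the rationale."""`.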
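Review bot: `Requirements: list[Union[Mitre_Requirement, Compliance_Requirement]]` relies on pydantic v1 trying Union members left to right and keeping the first that validates, and nothing in the code records that. Today a CIS or ENS entry is rejected by `Mitre_Requirement` only because `Tactics`, `Platforms` and `TechniqueURL` are required, so making any of them `Optional` later (or reordering the Union) would silently reclassify every framework's requirements and break the per-framework attribute access in the output code. A one-line comment above the field guards that intent: `# Mitre_Requirement first, with required MITRE-only fields: pydantic v1 keeps the first Union member that validates`.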
@@ -84,11 +86,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 elif compliance.Framework == "CIS" and "cis_" in str(
 output_options.output_modes
 ):
+ compliance_output = "cis_" + compliance.Version + "_aws"
 # Only with the version of CIS that was selected
- if "cis_" + compliance.Version + "_aws" in str(
- output_options.output_modes
- ):
- compliance_output = "cis_" + compliance.Version + "_aws"
+ if compliance_output in str(output_options.output_modes):
 for requirement in compliance.Requirements:
 requirement_description = requirement.Description
 requirement_id = requirement.Id
@@ -158,7 +158,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 CheckId=finding.check_metadata.CheckID,
 )
 
- csv_header = generate_csv_fields(Check_Output_CSV_AWS_Well_Architected)
+ csv_header = generate_csv_fields(
+ Check_Output_CSV_AWS_Well_Architected
+ )
 
 elif (
 compliance.Framework == "ISO27001"
@@ -176,7 +178,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 for requirement in compliance.Requirements:
 requirement_description = requirement.Description
 requirement_id = requirement.Id
- requirement.Name
+ requirement_name = requirement.Name
 for attribute in requirement.Attributes:
 compliance_row = Check_Output_CSV_AWS_ISO27001_2013(
 Provider=finding.check_metadata.Provider,
@@ -185,6 +187,7 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
 Region=finding.region,
 AssessmentDate=timestamp.isoformat(),
 Requirements_Id=requirement_id,
+ Requirements_Name=requirement_name,
 Requirements_Description=requirement_description,
 Requirements_Attributes_Category=attribute.Category,
 Requirements_Attributes_Objetive_ID=attribute.Objetive_ID,
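Review bot: `if compliance_output in str(output_options.output_modes):` keeps the old substring test against the stringified list, while the MITRE branch added later in this same commit tests `compliance_output in output_options.output_modes` directly. The substring form also fires for any mode name that merely contains `cis_<version>_aws`, and the two branches now select their output mode by different rules. Since `output_modes` evidently supports membership, `if compliance_output in output_options.output_modes:` is the consistent form; the outer `"cis_" in str(...)` guard has the same shape but is unchanged here. `fill_compliance` starts before and ends after this hunk.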
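Review bot: `Requirements_Name=requirement_name` is passed to `Check_Output_CSV_AWS_ISO27001_2013`, but `prowler/lib/outputs/models.py`, where that model and `generate_csv_fields` live, is not part of this diff. Under pydantic v1's default `extra = ignore` an unknown keyword is dropped without error, so if the field was not added there the column would never reach the CSV and the header would not list it either, with nothing failing to show it. Please confirm the model declares `Requirements_Name` and that its position matches the intended column order. The row construction continues outside the hunk.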
@@ -196,7 +199,60 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors): CheckId=finding.check_metadata.CheckID, ) - csv_header = generate_csv_fields(Check_Output_CSV_AWS_ISO27001_2013) + csv_header = generate_csv_fields(Check_Output_CSV_AWS_ISO27001_2013) + + elif ( + compliance.Framework == "MITRE-ATTACK" + and compliance.Version == "" + and compliance.Provider == "AWS" + ): + compliance_output = compliance.Framework + if compliance.Version != "": + compliance_output += "_" + compliance.Version + if compliance.Provider != "": + compliance_output += "_" + compliance.Provider + + compliance_output = compliance_output.lower().replace("-", "_") + if compliance_output in output_options.output_modes: + for requirement in compliance.Requirements: + requirement_description = requirement.Description + requirement_id = requirement.Id + requirement_name = requirement.Name + attributes_aws_services = "" + attributes_categories = "" + attributes_values = "" + attributes_comments = "" + for attribute in requirement.Attributes: + attributes_aws_services += attribute.AWSService + "\n" + attributes_categories += attribute.Category + "\n" + attributes_values += attribute.Value + "\n" + attributes_comments += attribute.Comment + "\n" + compliance_row = Check_Output_MITRE_ATTACK( + Provider=finding.check_metadata.Provider, + Description=compliance.Description, + AccountId=audit_info.audited_account, + Region=finding.region, + AssessmentDate=timestamp.isoformat(), + Requirements_Id=requirement_id, + Requirements_Description=requirement_description, + Requirements_Name=requirement_name, + Requirements_Tactics=unroll_list(requirement.Tactics), + Requirements_SubTechniques=unroll_list( + requirement.SubTechniques + ), + Requirements_Platforms=unroll_list(requirement.Platforms), + Requirements_TechniqueURL=requirement.TechniqueURL, + Requirements_Attributes_AWSServices=attributes_aws_services, + Requirements_Attributes_Categories=attributes_categories, + 
Requirements_Attributes_Values=attributes_values, + Requirements_Attributes_Comments=attributes_comments, + Status=finding.status, + StatusExtended=finding.status_extended, + ResourceId=finding.resource_id, + CheckId=finding.check_metadata.CheckID, + ) + + csv_header = generate_csv_fields(Check_Output_MITRE_ATTACK) else: compliance_output = compliance.Framework @@ -230,7 +286,9 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors): CheckId=finding.check_metadata.CheckID, ) - csv_header = generate_csv_fields(Check_Output_CSV_Generic_Compliance) + csv_header = generate_csv_fields( + Check_Output_CSV_Generic_Compliance + ) if compliance_row: csv_writer = DictWriter( @@ -309,7 +367,7 @@ def display_compliance_table( # Add results to table for marco in sorted(marcos): - ens_compliance_table["Proveedor"].append("aws") + ens_compliance_table["Proveedor"].append(compliance.Provider) ens_compliance_table["Marco/Categoria"].append(marco) ens_compliance_table["Estado"].append(marcos[marco]["Estado"]) ens_compliance_table["Opcional"].append( @@ -401,7 +459,7 @@ def display_compliance_table( # Add results to table sections = dict(sorted(sections.items())) for section in sections: - cis_compliance_table["Provider"].append("aws") + cis_compliance_table["Provider"].append(compliance.Provider) cis_compliance_table["Section"].append(section) if sections[section]["Level 1"]["FAIL"] > 0: cis_compliance_table["Level 1"].append( 
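Review bot: `compliance_row = Check_Output_MITRE_ATTACK(...)` is reassigned on every iteration of `for requirement in compliance.Requirements:` but written only once, by the `if compliance_row: csv_writer = DictWriter(` that follows the elif chain, so a check that appears under more than one ATT&CK technique gets only its last technique in the CSV; for a many-to-many mapping like MITRE that is the normal case, unlike CIS where a check usually has one requirement. Either write the row inside the loop or accumulate rows in a list and write them all after the chain. Two smaller points in the same hunk: `if compliance.Version != "":` is dead because the enclosing `elif` already requires `compliance.Version == ""`, and the four `+=` accumulators leave a trailing newline in every attribute cell — `"\n".join(a.AWSService for a in requirement.Attributes)` and its siblings avoid both the trailing newline and the repeated concatenation. `fill_compliance` starts before this hunk and continues after it.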
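Review bot: `cis_compliance_table["Provider"].append(compliance.Provider)` reads `compliance` after the `for compliance in check_compliances:` loop has finished, so it is whichever compliance entry the last finding's check listed last, which need not be the CIS entry (the ENS hunk just above has the same issue). Since the provider is a per-framework constant, capture it where `compliance.Framework` is matched — `provider = compliance.Provider` — and append `provider` here. The loop over `sections` is empty when nothing matched, so this does not crash today, but it can print a wrong provider once checks carry entries for more than one provider. `display_compliance_table` starts before and ends after this hunk.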
@@ -449,6 +507,77 @@ def display_compliance_table( print( f" - CSV: {output_directory}/{output_filename}_{compliance_framework}.csv\n" ) + elif "mitre_attack" in compliance_framework: + tactics = {} + mitre_compliance_table = { + "Provider": [], + "Tactic": [], + "Status": [], + } + pass_count = fail_count = 0 + for finding in findings: + check = bulk_checks_metadata[finding.check_metadata.CheckID] + check_compliances = check.Compliance + for compliance in check_compliances: + if ( + "MITRE-ATTACK" in compliance.Framework + and compliance.Version in compliance_framework + ): + compliance_fm = compliance.Framework + for requirement in compliance.Requirements: + for tactic in requirement.Tactics: + if tactic not in tactics: + tactics[tactic] = {"FAIL": 0, "PASS": 0} + if finding.status == "FAIL": + fail_count += 1 + tactics[tactic]["FAIL"] += 1 + elif finding.status == "PASS": + pass_count += 1 + tactics[tactic]["PASS"] += 1 + + # Add results to table + tactics = dict(sorted(tactics.items())) + for tactic in tactics: + mitre_compliance_table["Provider"].append(compliance.Provider) + mitre_compliance_table["Tactic"].append(tactic) + if tactics[tactic]["FAIL"] > 0: + mitre_compliance_table["Status"].append( + f"{Fore.RED}FAIL({tactics[tactic]['FAIL']}){Style.RESET_ALL}" + ) + else: + mitre_compliance_table["Status"].append( + f"{Fore.GREEN}PASS({tactics[tactic]['PASS']}){Style.RESET_ALL}" + ) + if fail_count + pass_count < 1: + print( + f"\n {Style.BRIGHT}There are no resources for {Fore.YELLOW}{compliance_fm}{Style.RESET_ALL}.\n" + ) + else: + print( + f"\nCompliance Status of {Fore.YELLOW}{compliance_fm}{Style.RESET_ALL} Framework:" + ) + overview_table = [ + [ + f"{Fore.RED}{round(fail_count/(fail_count+pass_count)*100, 2)}% ({fail_count}) FAIL{Style.RESET_ALL}", + f"{Fore.GREEN}{round(pass_count/(fail_count+pass_count)*100, 2)}% ({pass_count}) PASS{Style.RESET_ALL}", + ] + ] + print(tabulate(overview_table, tablefmt="rounded_grid")) + print( + f"\nFramework 
{Fore.YELLOW}{compliance_fm}{Style.RESET_ALL} Results:" + ) + print( + tabulate( + mitre_compliance_table, headers="keys", tablefmt="rounded_grid" + ) + ) + print( + f"{Style.BRIGHT}* Only sections containing results appear.{Style.RESET_ALL}" + ) + print(f"\nDetailed results of {compliance_fm} are in:") + print( + f" - CSV: {output_directory}/{output_filename}_{compliance_framework}.csv\n" + ) else: print(f"\nDetailed results of {compliance_framework.upper()} are in:") print( diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py index eab5f19a..bd5ab690 100644 --- a/prowler/lib/outputs/file_descriptors.py +++ b/prowler/lib/outputs/file_descriptors.py @@ -19,6 +19,7 @@ from prowler.lib.outputs.models import ( Check_Output_CSV_CIS, Check_Output_CSV_ENS_RD2022, Check_Output_CSV_Generic_Compliance, + Check_Output_MITRE_ATTACK, Gcp_Check_Output_CSV, generate_csv_fields, ) @@ -187,6 +188,16 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit ) file_descriptors.update({output_mode: file_descriptor}) + elif output_mode == "mitre_attack_aws": + filename = f"{output_directory}/{output_filename}_mitre_attack_aws{csv_file_suffix}" + file_descriptor = initialize_file_descriptor( + filename, + output_mode, + audit_info, + Check_Output_MITRE_ATTACK, + ) + file_descriptors.update({output_mode: file_descriptor}) + else: # Generic Compliance framework filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}" diff --git a/prowler/lib/outputs/models.py b/prowler/lib/outputs/models.py index 1b6f0cbf..9e199a88 100644 --- a/prowler/lib/outputs/models.py +++ b/prowler/lib/outputs/models.py 
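Review bot: `compliance_fm` is only bound inside the `if "MITRE-ATTACK" in compliance.Framework and ...` branch, so when no finding matched (empty `findings`, or no check carrying a MITRE entry) the `fail_count + pass_count < 1` branch raises `UnboundLocalError` on the very message meant for that case; `compliance.Provider` in the table loop likewise reads a loop variable after the loop, so it is the last finding's last entry rather than necessarily the MITRE one. Initialise `compliance_fm = "MITRE-ATTACK"` and a `provider` before `for finding in findings:` and set them in the matching branch. Two smaller points: `compliance.Version in compliance_framework` is always true while `Version` is `""`, so it filters nothing, and `pass_count`/`fail_count` are incremented once per (requirement, tactic) pair rather than once per finding, so the overview percentages are tactic-hit ratios — if that is intended, say so in a comment beside the counters. `display_compliance_table` starts before this hunk.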
@@ -265,7 +265,7 @@ def parse_json_tags(tags: list): def generate_csv_fields(format: Any) -> list[str]: """Generates the CSV headers for the given class""" csv_fields = [] - # __fields__ is alwayis available in the Pydantic's BaseModel class + # __fields__ is always available in the Pydantic's BaseModel class for field in format.__dict__.get("__fields__").keys(): csv_fields.append(field) return csv_fields @@ -487,6 +487,33 @@ class Gcp_Check_Output_JSON(Check_Output_JSON): super().__init__(**metadata) +class Check_Output_MITRE_ATTACK(BaseModel): + """ + Check_Output_MITRE_ATTACK generates a finding's output in CSV MITRE ATTACK format. + """ + + Provider: str + Description: str + AccountId: str + Region: str + AssessmentDate: str + Requirements_Id: str + Requirements_Name: str + Requirements_Description: str + Requirements_Tactics: str + Requirements_SubTechniques: str + Requirements_Platforms: str + Requirements_TechniqueURL: str + Requirements_Attributes_AWSServices: str + Requirements_Attributes_Categories: str + Requirements_Attributes_Values: str + Requirements_Attributes_Comments: str + Status: str + StatusExtended: str + ResourceId: str + CheckId: str + + class Check_Output_CSV_ENS_RD2022(BaseModel): """ Check_Output_CSV_ENS_RD2022 generates a finding's output in CSV ENS RD2022 format. diff --git a/tests/lib/outputs/outputs_test.py b/tests/lib/outputs/outputs_test.py index 21b6ba9e..09fc337e 100644 --- a/tests/lib/outputs/outputs_test.py +++ b/tests/lib/outputs/outputs_test.py @@ -20,7 +20,7 @@ from prowler.config.config import ( timestamp_utc, ) from prowler.lib.check.compliance_models import ( - CIS_Requirements, + CIS_Requirement_Attribute, Compliance_Base_Model, Compliance_Requirement, ) @@ -1351,7 +1351,7 @@ class Test_Outputs: Id="2.1.3", Description="Ensure MFA Delete is enabled on S3 buckets", Attributes=[ - CIS_Requirements( + CIS_Requirement_Attribute( Section="2.1. Simple Storage Service (S3)", Profile="Level 1", AssessmentStatus="Automated", 
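Review bot: The docstring of `Check_Output_MITRE_ATTACK` does not say how its multi-valued columns are encoded, which is exactly what a CSV consumer needs to know: `Requirements_Attributes_AWSServices/Categories/Values/Comments` are parallel columns with one line per attribute (joined with `\n` in `fill_compliance`), while `Requirements_Tactics`, `Requirements_SubTechniques` and `Requirements_Platforms` are flattened with `unroll_list`. I'd extend the docstring with a sentence to that effect and put `# newline-separated, one entry per Attribute, index-aligned with the other Requirements_Attributes_* columns` on those four fields. Embedded newlines survive `csv.DictWriter` quoting but not every downstream parser, so the encoding choice is worth stating where the schema lives.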
@@ -1378,7 +1378,7 @@ class Test_Outputs:
 Id="2.1.3",
 Description="Ensure MFA Delete is enabled on S3 buckets",
 Attributes=[
- CIS_Requirements(
+ CIS_Requirement_Attribute(
 Section="2.1. Simple Storage Service (S3)",
 Profile="Level 1",
 AssessmentStatus="Automated",