added console login without mfa attack technique

SECURITY.md

@@ -0,0 +1,16 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 2.x | :white_check_mark: |
+| 1.x | :x: |
+
+
+## Reporting a Vulnerability
+
+E-mail [email protected]

attack-techniques/aws/initial-access/console-login-without-mfa/attack.tf

@@ -1,4 +1,97 @@
 data "google_service_account" "workflows-to-cloudrun-sa" {
  account_id = "workflows-to-cloudrun-sa"
 
+}
+
+resource "google_workflows_workflow" "workflow_to_invoke_aws_console_login_without_mfa_attack" {
+ name = "aws-console-login-without-mfa-srt"
+ description = "A workflow intended to match the functionality of the Status Red Team attack technique 'AWS Console Login without MFA': https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa/"
+ service_account = data.google_service_account.workflows-to-cloudrun-sa.id
+ project = var.projectId
+ source_contents = <<-EOF
+
+######################################################################################
+## Attack Description
+######################################################################################
+
+## Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA).
+## This workflow inspired by: https://naikordian.github.io/blog/posts/brute-force-aws-console/
+
+#####################################################################################
+## Input
+######################################################################################
+### None
+
+
+######################################################################################
+## User Agent
+######################################################################################
+#### Workflow executes with the User-Agent string: "AWS-Console-Login-Without-MFA-WORKFLOWEXECUTIONID"
+
+
+
+######################################################################################
+## Main Workflow Execution
+######################################################################################
+main:
+ steps:
+ - ConsoleLoginWithoutMFA:
+ call: ConsoleLoginWithoutMFA
+ result: response
+ - return:
+ return: $${response}
+
+
+######################################################################################
+## Submodules | Sub-Workflows
+######################################################################################
+ConsoleLoginWithoutMFA:
+ steps: 
+ - ConsoleLoginWithoutMFA:
+ call: http.post
+ args:
+ url: 'https://signin.aws.amazon.com/authenticate'
+ headers:
+ User-Agent: '"AWS-Console-Login-Without-MFA-"+sys.get_env("GOOGLE_CLOUD_WORKFLOW_EXECUTION_ID")}'
+ Referer: 'https://signin.aws.amazon.com'
+ Origin: https://signin.aws.amazon.com
+ Content-Type: application/x-www-form-urlencoded
+ Host: signin.aws.amazon.com
+ body:
+ action: "iam-user-authentication"
+ account: "${data.aws_caller_identity.current.account_id}"
+ username: "${aws_iam_user.console-user.name}"
+ password: "${aws_iam_user_login_profile.login-profile.password}"
+ client_id: "arn:aws:signin:::console/canvas"
+ redirect_uri: "https://console.aws.amazon.com/console/home"
+ result: response
+
+ - handle_result:
+ switch:
+ - condition: $${response.code == 200}
+ next: returnValidation
+ - condition: $${response.body.properties.result == "MFA"}
+ next: MFA
+ - condition: $${response.codee == 400}
+ next: error
+
+ - returnValidation:
+ return: 
+ - $${response.code}
+ - $${response.body}
+ - "SUCCESS - AWS Console Login without MFA"
+
+ - MFA:
+ return: 
+ - $${response.code}
+ - $${response.body}
+ - "FAILURE - AWS Console Login without MFA | User had MFA enabled"
+ - error:
+ return: 
+ - $${response.code}
+ - $${response.body}
+ - "FAILURE - AWS Console Login without MFA"
+
+ EOF
+
 }

attack-techniques/aws/initial-access/console-login-without-mfa/infra.tf

@@ -0,0 +1,35 @@
+data "aws_caller_identity" "current" {}
+
+resource "random_string" "suffix" {
+ length = 10
+ min_lower = 10
+ special = false
+}
+
+locals {
+ resource_prefix = "derf-login-user" 
+}
+
+resource "aws_iam_user" "console-user" {
+ name = "${local.resource_prefix}-${random_string.suffix.result}"
+ force_destroy = true
+}
+
+// Allows the IAM user to authenticate through the AWS Console
+resource "aws_iam_user_login_profile" "login-profile" {
+ user = aws_iam_user.console-user.name
+ password_length = 16
+ password_reset_required = false
+}
+
+output "account_id" {
+ value = data.aws_caller_identity.current.account_id
+}
+
+output "username" {
+ value = aws_iam_user.console-user.name
+}
+
+output "password" {
+ value = aws_iam_user_login_profile.login-profile.password
+}

docs/attack-techniques/aws/aws-console-login-without-mfa.md

@@ -0,0 +1,49 @@
+---
+title: Console Login without MFA
+---
+
+# Console Login without MFA
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Initial Access
+
+## Description
+
+
+Simulates a login to the AWS Console for an IAM user without multi-factor authentication (MFA).
+
+#### Attacker Actions: 
+
+- Logs into the AWS Console with a User that does not have MFA enabled.
+ - Resulting event name: `ConsoleLogin`
+ - Assigned IAM Permission: NOne
+
+#### Workflow Inputs: 
+# None
+
+
+#### Clean Up: 
+# None
+
+## Execution Instructions
+
+- See User Guide for Execution Instructions via the Google Cloud Console
+- Programmatically execute this workflow with the following cli command:
+
+```
+gcloud workflows run aws-delete-cloudtrail-trail `--data={"user": "user01"}` 
+```
+
+
+## Detection Artifacts
+
+
+Using CloudTrail `ConsoleLogin`` event. The field `additionalEventData.MFAUse`r is set to No when the IAM User did not use MFA to log into the console.
+
+Note that for failed console authentication events, the field userIdentity.arn is not set (see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-aws-console-sign-in-events-iam-user-failure).
+

docs/attack-techniques/aws/index.md

@@ -52,5 +52,9 @@ This page contains The DeRF attack techniques for available for AWS.
 
 - [Execute Commands on EC2 Instance via User Data](./ec2-modify-user-data.md)
 
+## Initial Access
+
+- [Console Login without MFA](./aws-console-login-without-mfa.md)
+
 
 

docs/attack-techniques/list.md

@@ -14,17 +14,18 @@ This page contains the list of all DeRF Attack Techniques.
 
 | Name | Platform | MITRE ATT&CK Tactics |
 | :----: | :------: | :------------------: |
-| [Delete CloudTrail Trail](./AWS/cloudtrail-delete.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Stop CloudTrail Logging](./AWS/cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Disable CloudTrail Logging Through Event Selectors](./AWS/cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/cloudtrail-lifecycle-rules.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Attempt to Leave the AWS Organization](./AWS/organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [AWS Remove VPC Flow Logs](./AWS/vpc-remove-flow-log.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Exfiltrate EBS Snapshot by Sharing It](./AWS/ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Download EC2 Instance User Data](./AWS/ec2-get-user-data.md) | [AWS](./AWS/index.md) | Discovery |
-| [Retrieve EC2 Password Data](./AWS/ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Steal EC2 Instance Credentials](./AWS/ec2-steal-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Retrieve and Decrypt SSM Parameters](./AWS/ssm-retrieve-securestring-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
-| [AWS Retrieve a High Number of Secrets Manager secrets](./AWS/secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Execute Commands on EC2 Instance via User Data](./AWS/ec2-modify-user-data.md) | [AWS](./AWS/index.md) | Execution |
-| [Impersonate GCP Service Accounts](./GCP/impersonate-service-accounts.md) | [GCP](./GCP/index.md) | Privilege Escalation |
+| [Delete CloudTrail Trail](./aws/cloudtrail-delete.md) | [aws](./aws/index.md) | Defense Evasion |
+| [Stop CloudTrail Logging](./aws/cloudtrail-stop.md) | [aws](./aws/index.md) | Defense Evasion |
+| [Disable CloudTrail Logging Through Event Selectors](./aws/cloudtrail-event-selectors.md) | [aws](./aws/index.md) | Defense Evasion |
+| [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws/cloudtrail-lifecycle-rules.md) | [aws](./aws/index.md) | Defense Evasion |
+| [Attempt to Leave the aws Organization](./aws/organizations-leave.md) | [aws](./aws/index.md) | Defense Evasion |
+| [aws Remove VPC Flow Logs](./aws/vpc-remove-flow-log.md) | [aws](./aws/index.md) | Defense Evasion |
+| [Exfiltrate EBS Snapshot by Sharing It](./aws/ec2-share-ebs-snapshot.md) | [aws](./aws/index.md) | Exfiltration |
+| [Download EC2 Instance User Data](./aws/ec2-get-user-data.md) | [aws](./aws/index.md) | Discovery |
+| [Retrieve EC2 Password Data](./aws/ec2-get-password-data.md) | [aws](./aws/index.md) | Credential Access |
+| [Steal EC2 Instance Credentials](./aws/ec2-steal-instance-credentials.md) | [aws](./aws/index.md) | Credential Access |
+| [Retrieve and Decrypt SSM Parameters](./aws/ssm-retrieve-securestring-parameters.md) | [aws](./aws/index.md) | Credential Access |
+| [aws Retrieve a High Number of Secrets Manager secrets](./aws/secretsmanager-retrieve-secrets.md) | [aws](./aws/index.md) | Credential Access |
+| [Execute Commands on EC2 Instance via User Data](./aws/ec2-modify-user-data.md) | [aws](./aws/index.md) | Execution |
+| [Console Login without MFA](.//aws/aws-console-login-without-mfa.md) | [aws](./aws/index.md) | Initial Access |
+| [Impersonate GCP Service Accounts](./gcp/impersonate-service-accounts.md) | [gcp](./gcp/index.md) | Privilege Escalation |

docs/index.md

@@ -1,6 +1,17 @@
 # DeRF Documentation Home
 
-Welcome to the Home Page of the DeRF Documentation.
+Welcome to the Home Page of the DeRF Documentation. Key features of this tool include: 
+
+• <b>User-Friendly Interface</b>: Since the DeRF is hosted in Google Cloud, End Users can invoke attacks through the cloud console UI without the need to install software or use the CLI.
+
+• <b>Accessibility for Non-Security Professionals</b>: The DeRF caters to a broad audience of End Users, including Engineering, Sales, Support Staff, or automated processes.
+
+• <b>Robust OpSec</b>: Long-Lived Credentials are not passed between operators, instead access to the DeRF and its attack techniques are controlled through GCP IAM Role-Based Access Control (RBAC)
+
+• <b>Extensibility at its Core</b>: Attack sequences are written in YAML, enabling easy configuration of new techniques.
+
+• <b>Turn-Key deployment</b>: Deploying (and destroying!) the DeRF is a fully automated process, completed in under 3 minutes.
+
 
 
 ## **High Level Architecture** 

env-prod/aws-attack-techniques.tf

@@ -297,4 +297,28 @@ module "aws_ec2_share_ebs_snapshot" {
  module.aws_permissions_required
  ]
 
+}
+
+##########################################################################################
+# Attacks in the Initial Access Category
+##########################################################################################
+
+module "aws_console_login_without_mfa" {
+ source = "../attack-techniques/aws/initial-access/console-login-without-mfa"
+ projectId = local.gcp_deployment_project_id
+
+ providers = {
+ google = google.derf
+ }
+
+## Attacks defined in Google Worksflows rely on the underlying infrastructure to be in place to
+## Work properly such as the Proxy App, Derf Execution Users and the Base GCP Project. 
+ depends_on = [
+ module.aws_derf_execution_users,
+ module.gcp_bootstrapping,
+ module.gcp-aws-proxy-app,
+ module.gcp_derf_user_secrets,
+ module.aws_permissions_required
+ ]
+
 }