DataDog · christophetd · Aug 25, 2023 · Aug 24, 2023 · Aug 24, 2023 · Aug 25, 2023
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -20,7 +20,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -34,6 +34,7 @@ jobs:
             proxy.golang.org:443
             registry-1.docker.io:443
             storage.googleapis.com:443
+            *.actions.githubusercontent.com:443
 
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -19,13 +19,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
+            *.actions.githubusercontent.com:443
 
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -31,6 +31,7 @@ jobs:
             storage.googleapis.com:443
             uploads.github.com:443
             sum.golang.org:443
+            *.actions.githubusercontent.com:443
 
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -17,14 +17,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             proxy.golang.org:443
             storage.googleapis.com:443
             sum.golang.org:443
+            *.actions.githubusercontent.com:443
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
         with:
           fetch-depth: 1

diff --git a/.github/workflows/terraform-lint.yml b/.github/workflows/terraform-lint.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # tag:v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09  # tag:v2.5.1
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,13 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints:
             github.com:443
             proxy.golang.org:443
             storage.googleapis.com:443
+            *.actions.githubusercontent.com:443
       - name: Checkout repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 
@@ -49,7 +50,7 @@ jobs:
             proxy.golang.org:443
             registry-1.docker.io:443
             storage.googleapis.com:443
-
+            *.actions.githubusercontent.com:443
       - name: Checkout repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
 

diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md
@@ -0,0 +1,91 @@
+---
+title: S3 Ransomware through batch file deletion
+---
+
+# S3 Ransomware through batch file deletion
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Impact
+
+## Description
+
+
+Simulates S3 ransomware activity that empties a bucket through batch deletion, then uploads a ransom note.
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create an S3 bucket, with versioning enabled
+- Create a number of files in the bucket, with random content and extensions
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- List all available objects and their versions in the bucket
+- Delete all objects in the bucket in one request, using [DeleteObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html)
+- Upload a ransom note to the bucket
+
+Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket.
+
+References:
+
+- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf)
+- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/)
+- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
+- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
+- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.impact.s3-ransomware-batch-deletion
+```
+## Detection
+
+
+You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 
+In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>),
+[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>),
+or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>).
+
+Sample <code>DeleteObjects</code> event, shortened for readability:
+
+```json hl_lines="3 8"
+{
+  "eventSource": "s3.amazonaws.com",
+  "eventName": "DeleteObjects",
+  "eventCategory": "Data"
+  "managementEvent": false,
+  "readOnly": false
+  "requestParameters": {
+    "bucketName": "target-bucket",
+    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
+    "delete": "",
+    "x-id": "DeleteObjects"
+  },
+  "responseElements": null,
+  "resources": [
+    {
+      "type": "AWS::S3::Object",
+      "ARNPrefix": "arn:aws:s3:::target-bucket/"
+    },
+    {
+      "accountId": "012345678901",
+      "type": "AWS::S3::Bucket",
+      "ARN": "arn:aws:s3:::target-bucket"
+    }
+  ],
+  "eventType": "AwsApiCall",
+  "recipientAccountId": "012345678901"
+}
+```
+
+Note that <code>DeleteObjects</code> does not indicate the list of files deleted, or how many files were removed (which can be up to 1'000 files per call).'
+
+
diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md
@@ -0,0 +1,86 @@
+---
+title: S3 Ransomware through client-side encryption
+---
+
+# S3 Ransomware through client-side encryption
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Impact
+
+## Description
+
+
+Simulates S3 ransomware activity that encrypts files in a bucket with a static key, through S3 [client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html) feature.
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create an S3 bucket
+- Create a number of files in the bucket, with random content and extensions
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- List all objects in the bucket
+- Overwrite every file in the bucket with an encrypted version, using [S3 client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html)
+- Upload a ransom note to the bucket
+
+References:
+
+- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
+- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.impact.s3-ransomware-client-side-encryption
+```
+## Detection
+
+
+You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 
+In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>, <code>CopyObject</code>),
+[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>),
+or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>).
+
+Sample CloudTrail event <code>CopyObject</code>, when a file is encrypted with a client-side key:
+
+```json hl_lines="3 9 11 12"
+{
+  "eventSource": "s3.amazonaws.com",
+  "eventName": "CopyObject",
+  "eventType": "AwsApiCall",
+  "eventCategory": "Data",
+  "managementEvent": false,
+  "readOnly": false,
+  "requestParameters": {
+    "bucketName": "target bucket",
+    "Host": "target bucket.s3.us-east-1.amazonaws.com",
+    "x-amz-server-side-encryption-customer-algorithm": "AES256",
+    "x-amz-copy-source": "target bucket/target file.txt",
+    "key": "target file.txt",
+    "x-id": "CopyObject"
+  },
+  "responseElements": {
+    "x-amz-server-side-encryption-customer-algorithm": "AES256"
+  },
+  "resources": [
+    {
+      "type": "AWS::S3::Object",
+      "ARN": "arn:aws:s3:::target bucket/target file.txt"
+    },
+    {
+      "accountId": "012345678901",
+      "type": "AWS::S3::Bucket",
+      "ARN": "arn:aws:s3:::target bucket"
+    }
+  ]
+}
+```
+
+
diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md
@@ -0,0 +1,88 @@
+---
+title: S3 Ransomware through individual file deletion
+---
+
+# S3 Ransomware through individual file deletion
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Impact
+
+## Description
+
+
+Simulates S3 ransomware activity that empties a bucket through individual file deletion, then uploads a ransom note.
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create an S3 bucket, with versioning enabled
+- Create a number of files in the bucket, with random content and extensions
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- List all available objects and their versions in the bucket
+- Delete all objects in the bucket one by one, using [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
+- Upload a ransom note to the bucket
+
+Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket.
+
+References:
+
+- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf)
+- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/)
+- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
+- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
+- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.impact.s3-ransomware-individual-deletion
+```
+## Detection
+
+
+You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 
+In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>),
+[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>),
+or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>).
+
+Sample CloudTrail event <code>DeleteObject</code>, shortened for readability:
+
+```json hl_lines="3 8 10"
+{
+  "eventSource": "s3.amazonaws.com",
+  "eventName": "DeleteObject",
+  "eventCategory": "Data",
+  "managementEvent": false,
+  "readOnly": false,
+  "requestParameters": {
+    "bucketName": "target-bucket",
+    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
+    "key": "target-object-key",
+    "x-id": "DeleteObject"
+  },
+  "resources": [
+    {
+      "type": "AWS::S3::Object",
+      "ARN": "arn:aws:s3:::target-bucket/target-object-key"
+    },
+    {
+      "accountId": "012345678901",
+      "type": "AWS::S3::Bucket",
+      "ARN": "arn:aws:s3:::target-bucket"
+    }
+  ],
+  "eventType": "AwsApiCall",
+  "recipientAccountId": "012345678901"
+}
+```
+
+
diff --git a/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md b/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md
diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -57,6 +57,15 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 - [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md)
 
 
+## Impact
+
+- [S3 Ransomware through batch file deletion](./aws.impact.s3-ransomware-batch-deletion.md)
+
+- [S3 Ransomware through client-side encryption](./aws.impact.s3-ransomware-client-side-encryption.md)
+
+- [S3 Ransomware through individual file deletion](./aws.impact.s3-ransomware-individual-deletion.md)
+
+
 ## Initial Access
 
 - [Console Login without MFA](./aws.initial-access.console-login-without-mfa.md)

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -28,6 +28,9 @@ This page contains the list of all Stratus Attack Techniques.
 | [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-share-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.s3-backdoor-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [S3 Ransomware through batch file deletion](./AWS/aws.impact.s3-ransomware-batch-deletion.md) | [AWS](./AWS/index.md) | Impact |
+| [S3 Ransomware through client-side encryption](./AWS/aws.impact.s3-ransomware-client-side-encryption.md) | [AWS](./AWS/index.md) | Impact |
+| [S3 Ransomware through individual file deletion](./AWS/aws.impact.s3-ransomware-individual-deletion.md) | [AWS](./AWS/index.md) | Impact |
 | [Console Login without MFA](./AWS/aws.initial-access.console-login-without-mfa.md) | [AWS](./AWS/index.md) | Initial Access |
 | [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |