Add TTP to simulate an S3 ransomware

docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md

@@ -0,0 +1,89 @@
+---
+title: S3 Ransomware through batch file deletion
+---
+
+# S3 Ransomware through batch file deletion
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Impact
+
+## Description
+
+
+Simulates S3 ransomware activity that empties a bucket through batch deletion, then uploads a ransom note.
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create an S3 bucket, with versioning enabled
+- Create a number of files in the bucket, with random content and extensions
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- List all available objects and their versions in the bucket
+- Delete all objects in the bucket in one request, using [DeleteObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html)
+- Upload a ransom note to the bucket
+
+Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket.
+
+References:
+
+- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf)
+- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/)
+- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.impact.s3-ransomware-batch-deletion
+```
+## Detection
+
+
+You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 
+In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>),
+[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>),
+or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>).
+
+Sample <code>DeleteObjects</code> event, shortened for readability:
+
+```json hl_lines="3 8"
+{
+  "eventSource": "s3.amazonaws.com",
+  "eventName": "DeleteObjects",
+  "eventCategory": "Data"
+  "managementEvent": false,
+  "readOnly": false
+  "requestParameters": {
+    "bucketName": "target-bucket",
+    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
+    "delete": "",
+    "x-id": "DeleteObjects"
+  },
+  "responseElements": null,
+  "resources": [
+    {
+      "type": "AWS::S3::Object",
+      "ARNPrefix": "arn:aws:s3:::target-bucket/"
+    },
+    {
+      "accountId": "012345678901",
+      "type": "AWS::S3::Bucket",
+      "ARN": "arn:aws:s3:::target-bucket"
+    }
+  ],
+  "eventType": "AwsApiCall",
+  "recipientAccountId": "012345678901"
+}
+```
+
+Note that <code>DeleteObjects</code> does not indicate the list of files deleted, or how many files were removed (which can be up to 1'000 files per call).'
+
+

docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md

@@ -0,0 +1,86 @@
+---
+title: S3 Ransomware through individual file deletion
+---
+
+# S3 Ransomware through individual file deletion
+
+
+
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Impact
+
+## Description
+
+
+Simulates S3 ransomware activity that empties a bucket through individual file deletion, then uploads a ransom note.
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create an S3 bucket, with versioning enabled
+- Create a number of files in the bucket, with random content and extensions
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- List all available objects and their versions in the bucket
+- Delete all objects in the bucket one by one, using [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html)
+- Upload a ransom note to the bucket
+
+Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket.
+
+References:
+
+- [The anatomy of a ransomware event targeting S3 (re:Inforce, 2022)](https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf)
+- [The anatomy of ransomware event targeting data residing in Amazon S3 (AWS Security Blog)](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/)
+- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.impact.s3-ransomware-individual-deletion
+```
+## Detection
+
+
+You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 
+In general, this can be done through [CloudTrail S3 data events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) (<code>DeleteObject</code>, <code>DeleteObjects</code>, <code>GetObject</code>),
+[CloudWatch metrics](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metrics-dimensions.html#s3-request-cloudwatch-metrics) (<code>NumberOfObjects</code>),
+or [GuardDuty findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) (<code>[Exfiltration:S3/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)</code>, <code>[Impact:S3/AnomalousBehavior.Delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)</code>).
+
+Sample CloudTrail event <code>DeleteObject</code>, shortened for readability:
+
+```json hl_lines="3 8 10"
+{
+  "eventSource": "s3.amazonaws.com",
+  "eventName": "DeleteObject",
+  "eventCategory": "Data",
+  "managementEvent": false,
+  "readOnly": false,
+  "requestParameters": {
+    "bucketName": "target-bucket",
+    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
+    "key": "target-object-key",
+    "x-id": "DeleteObject"
+  },
+  "resources": [
+    {
+      "type": "AWS::S3::Object",
+      "ARN": "arn:aws:s3:::target-bucket/target-object-key"
+    },
+    {
+      "accountId": "012345678901",
+      "type": "AWS::S3::Bucket",
+      "ARN": "arn:aws:s3:::target-bucket"
+    }
+  ],
+  "eventType": "AwsApiCall",
+  "recipientAccountId": "012345678901"
+}
+```
+
+

docs/attack-techniques/AWS/index.md

@@ -59,7 +59,9 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 ## Impact
 
-- [S3 Ransomware through DeleteObjects](./aws.impact.s3-ransomware-deleteobjects.md)
+- [S3 Ransomware through individual file deletion](./aws.impact.s3-ransomware-individual-deletion.md)
+
+- [S3 Ransomware through batch file deletion](./aws.impact.s3-ransomware-batch-deletion.md)
 
 
 ## Initial Access

docs/attack-techniques/list.md

@@ -28,7 +28,8 @@ This page contains the list of all Stratus Attack Techniques.
 | [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-share-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
 | [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.s3-backdoor-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [S3 Ransomware through DeleteObjects](./AWS/aws.impact.s3-ransomware-deleteobjects.md) | [AWS](./AWS/index.md) | Impact |
+| [S3 Ransomware through individual file deletion](./AWS/aws.impact.s3-ransomware-individual-deletion.md) | [AWS](./AWS/index.md) | Impact |
+| [S3 Ransomware through batch file deletion](./AWS/aws.impact.s3-ransomware-batch-deletion.md) | [AWS](./AWS/index.md) | Impact |
 | [Console Login without MFA](./AWS/aws.initial-access.console-login-without-mfa.md) | [AWS](./AWS/index.md) | Initial Access |
 | [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
 | [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |

docs/index.yaml

@@ -139,8 +139,15 @@ AWS:
           platform: AWS
           isIdempotent: true
     Impact:
-        - id: aws.impact.s3-ransomware-deleteobjects
-          name: S3 Ransomware through DeleteObjects
+        - id: aws.impact.s3-ransomware-individual-deletion
+          name: S3 Ransomware through individual file deletion
+          isSlow: false
+          mitreAttackTactics:
+            - Impact
+          platform: AWS
+          isIdempotent: false
+        - id: aws.impact.s3-ransomware-batch-deletion
+          name: S3 Ransomware through batch file deletion
           isSlow: false
           mitreAttackTactics:
             - Impact