Implement initial EKS support and first attack techniques (#542)

* Implement initial EKS support and first attack technique (closes #374, #540)

* Add new EKS attack technique: backdoor EKS aws-auth configmap (closes #375)

* Bump AWS Go SDK

* Bump Go version from 1.18 to 1.19

* Update docs

* Replace io/ioutil with io due to the bump to Go 1.19

.github/workflows/release.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
-          go-version: 1.18
+          go-version: 1.19
       - name: Run GoReleaser
         timeout-minutes: 60
         uses: goreleaser/goreleaser-action@c21f56a7bc891b5f73bec61233c4102ef8273150 # v5.0.0

.github/workflows/static-analysis.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
-          go-version: 1.18
+          go-version: 1.19
       - uses: dominikh/staticcheck-action@ba605356b4b29a60e87ab9404b712f3461e566dc
         with:
           version: "2022.1"

.github/workflows/test.yml

@@ -34,7 +34,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
-          go-version: 1.18
+          go-version: 1.19
 
       - name: Run unit tests
         run: make test

README.md

@@ -33,7 +33,7 @@ See the documentation at **[stratus-red-team.cloud](https://stratus-red-team.clo
 
 ### Direct install
 
-Requires Go 1.18+
+Requires Go 1.19+
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

docs/attack-techniques/EKS/eks.lateral-movement.create-access-entry.md

@@ -0,0 +1,85 @@
+---
+title: Create Admin EKS Access Entry
+---
+
+# Create Admin EKS Access Entry
+
+
+
+
+Platform: EKS
+
+## MITRE ATT&CK Tactics
+
+
+- Lateral Movement
+
+## Description
+
+
+Uses the EKS Cluster Access Management to assign cluster administrator privileges to an IAM role. This allows the role to perform any action inside the Kubernetes cluster.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an IAM role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Create an access entry for the IAM role
+- Associate the access entry with the AmazonEKSClusterAdminPolicy access policy
+
+References: 
+
+- https://securitylabs.datadoghq.com/articles/eks-cluster-access-management-deep-dive/
+- https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate eks.lateral-movement.create-access-entry
+```
+## Detection
+
+
+You can use the following CloudTrail events to identify when someone grants access to your EKS cluster:
+
+- **CreateAccessEntry**, when someone creates an access entry for a principal (meaning it's the first this principal is granted privileges in the cluster)':
+
+```json
+{
+	"eventSource": "eks.amazonaws.com",
+	"eventName": "CreateAccessEntry",
+	"requestParameters": {
+		"name": "eks-cluster",
+		"principalArn": "arn:aws:iam::012345678901:role/stratus-red-team-eks-create-access-entry-role"
+	},
+	"responseElements": {
+		"accessEntry": {
+			"clusterName": "eks-cluster",
+			"type": "STANDARD",
+			"principalArn": "arn:aws:iam::012345678901:role/stratus-red-team-eks-create-access-entry-role",
+		}
+	}
+}
+```
+
+
+- **AssociateAccessPolicy**: when someone assigns an access policy to a principal
+
+```json
+{
+  "eventSource": "eks.amazonaws.com",
+  "eventName": "AssociateAccessPolicy",
+  "requestParameters": {
+    "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
+    "accessScope": {
+      "type": "cluster"
+    },
+    "name": "eks-cluster",
+    "principalArn": "arn%3Aaws%3Aiam%3A%3A012345678901%3Arole%2Fstratus-red-team-eks-create-access-entry-role"
+  }
+}
+```
+
+

docs/attack-techniques/EKS/eks.persistence.backdoor-aws-auth-configmap.md

@@ -0,0 +1,71 @@
+---
+title: Backdoor aws-auth EKS ConfigMap
+---
+
+# Backdoor aws-auth EKS ConfigMap
+
+
+
+
+Platform: EKS
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+- Privilege Escalation
+
+## Description
+
+
+Backdoors the aws-auth ConfigMap in an EKS cluster to grant access to the cluster to a specific role.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create an IAM role
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Add an entry to the aws-auth ConfigMap to grant administrator access to the cluster to the role
+
+References: 
+
+- https://securitylabs.datadoghq.com/articles/amazon-eks-attacking-securing-cloud-identities/#authorization-the-aws-auth-configmap-deprecated
+- https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate eks.persistence.backdoor-aws-auth-configmap
+```
+## Detection
+
+
+Through EKS API Server audit logs, by looking for changes to the aws-auth ConfigMap in the kube-system namespace. Here's what a relevant audit event looks like:
+
+```json
+{
+  "objectRef": {
+    "apiVersion": "v1",
+    "resource": "configmaps",
+    "name": "aws-auth"
+  },
+  "requestURI": "/api/v1/namespaces/kube-system/configmaps/aws-auth",
+  "requestObject": {
+    "metadata": {
+      "resourceVersion": "184358280",
+      "name": "aws-auth",
+      "namespace": "kube-system",
+      "creationTimestamp": "2022-07-20T13:13:30Z"
+    },
+    "apiVersion": "v1",
+    "data": {
+      "mapRoles": "- groups:\n    - system:masters\n  rolearn: arn:aws:iam::012345678901:role/account-admin\n  username: cluster-admin-{{SessionName}}\n- groups:\n    - system:bootstrappers\n    - system:nodes\n  rolearn: arn:aws:iam::012345678901:role/eksctl-cluser-NodeInstanceRole\n  username: system:node:{{EC2PrivateDNSName}}\n- groups:\n    - system:masters\n  rolearn: arn:aws:iam::012345678901:role/stratus-red-team-eks-backdoor-aws-auth-role\n  username: backdoor\n"
+    },
+    "kind": "ConfigMap"
+  }
+}
+```
+
+

docs/attack-techniques/EKS/index.md

@@ -0,0 +1,20 @@
+# EKS
+
+This page contains the Stratus attack techniques for EKS, grouped by MITRE ATT&CK Tactic.
+Note that some Stratus attack techniques may correspond to more than a single ATT&CK Tactic.
+
+
+## Lateral Movement
+
+- [Create Admin EKS Access Entry](./eks.lateral-movement.create-access-entry.md)
+
+
+## Persistence
+
+- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md)
+
+
+## Privilege Escalation
+
+- [Backdoor aws-auth EKS ConfigMap](./eks.persistence.backdoor-aws-auth-configmap.md)
+

docs/attack-techniques/list.md

@@ -50,6 +50,8 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
+| [Create Admin EKS Access Entry](./EKS/eks.lateral-movement.create-access-entry.md) | [EKS](./EKS/index.md) | Lateral Movement |
+| [Backdoor aws-auth EKS ConfigMap](./EKS/eks.persistence.backdoor-aws-auth-configmap.md) | [EKS](./EKS/index.md) | Persistence, Privilege Escalation |
 | [Exfiltrate Compute Disk by sharing it](./GCP/gcp.exfiltration.share-compute-disk.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Image by sharing it](./GCP/gcp.exfiltration.share-compute-image.md) | [GCP](./GCP/index.md) | Exfiltration |
 | [Exfiltrate Compute Disk by sharing a snapshot](./GCP/gcp.exfiltration.share-compute-snapshot.md) | [GCP](./GCP/index.md) | Exfiltration |

docs/attack-techniques/supported-platforms.md

@@ -1,4 +1,4 @@
 # Supported Platforms
 
-Stratus Red Team currently supports AWS, Azure, GCP and Kubernetes. 
+Stratus Red Team currently supports AWS, Azure, GCP,  Kubernetes, and Amazon EKS.
 See [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account) for setup instructions.

docs/index.yaml

@@ -329,6 +329,33 @@ AWS:
             - Privilege Escalation
           platform: AWS
           isIdempotent: false
+EKS:
+    Lateral Movement:
+        - id: eks.lateral-movement.create-access-entry
+          name: Create Admin EKS Access Entry
+          isSlow: false
+          mitreAttackTactics:
+            - Lateral Movement
+          platform: EKS
+          isIdempotent: false
+    Persistence:
+        - id: eks.persistence.backdoor-aws-auth-configmap
+          name: Backdoor aws-auth EKS ConfigMap
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+            - Privilege Escalation
+          platform: EKS
+          isIdempotent: false
+    Privilege Escalation:
+        - id: eks.persistence.backdoor-aws-auth-configmap
+          name: Backdoor aws-auth EKS ConfigMap
+          isSlow: false
+          mitreAttackTactics:
+            - Persistence
+            - Privilege Escalation
+          platform: EKS
+          isIdempotent: false
 GCP:
     Exfiltration:
         - id: gcp.exfiltration.share-compute-disk

docs/user-guide/getting-started.md

@@ -2,7 +2,7 @@
 
 ## Installation
 
-Direct install (required Go 1.18+):
+Direct install (required Go 1.19+):
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest
@@ -94,7 +94,7 @@ For more information, see [Usage](./usage.md), [Examples](./examples.md) and the
 
 ## Connecting to your cloud account
 
-Stratus Red Team currently supports AWS and Kubernetes.
+Stratus Red Team currently supports AWS, Azure, Kubernetes, and Amazon EKS.
 
 !!! warning
 
@@ -108,6 +108,15 @@ In order to use Stratus attack techniques against AWS, you need to be authentica
 
 - Using static credentials in `~/.aws/config`, and setting your desired AWS profile using `export AWS_PROFILE=my-profile`
 
+### EKS
+
+Stratus Red Team does **not** create an EKS cluster for you. It assumes you're already authenticated to an EKS cluster.
+
+To use Stratus attack techniques against Amazon EKS, you need to be authenticated against AWS, as described above. Stratus Red Team will use the current AWS credentials and Kubernetes context to interact with the EKS cluster. It will check that the Kubernetes cluster you're connected to is an EKS cluster, and refuse to run otherwise.
+
+- Authenticate to AWS (for instance, using [`aws-vault`](https://github.com/99designs/aws-vault))
+- Run `aws eks update-kubeconfig --name your-cluster-name --region your-region` to update your `~/.kube/config` file with the EKS cluster configuration
+
 ### Azure
 
 - Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) to authenticate against your Azure tenant:

v2/go.mod

@@ -1,20 +1,21 @@
 module github.com/datadog/stratus-red-team/v2
 
-go 1.18
+go 1.19
 
 require (
 	cloud.google.com/go/compute v1.10.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
-	github.com/aws/aws-sdk-go-v2 v1.26.1
+	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/config v1.25.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.9
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.4
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.35.2
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.138.2
 	github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.20.6
+	github.com/aws/aws-sdk-go-v2/service/eks v1.46.0
 	github.com/aws/aws-sdk-go-v2/service/iam v1.28.2
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.49.2
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.23.2
@@ -24,10 +25,9 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.47.2
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.25.2
 	github.com/aws/aws-sdk-go-v2/service/ses v1.22.4
-	github.com/aws/aws-sdk-go-v2/service/sesv2 v1.27.3
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.44.2
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.2
-	github.com/aws/smithy-go v1.20.2
+	github.com/aws/smithy-go v1.20.3
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/fatih/color v1.13.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -51,8 +51,8 @@ require (
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.3 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect