
aws_ir's People

Contributors

amccormack, andrewkrug, cclauss, g-k, joelferrier, jparr, jvehent, qutorial, toniblyx


aws_ir's Issues

setup.py should include pluginbase

https://github.com/ThreatResponse/aws_ir/blob/master/setup.py#L25
^^ The line above, where setup.py lists its requirements, should include pluginbase.

New release has a bug:

(env) akrug-28119:incidents akrug$ aws_ir -b e-casebucket-1xt5mljpifmvs key-compromise --access-key-id AKIAINLHPIG64YJXPK5A
Traceback (most recent call last):
  File "/Users/akrug/workspace/incidents/env/bin/aws_ir", line 7, in <module>
    from aws_ir.cli import cli
  File "/Users/akrug/workspace/incidents/env/lib/python3.6/site-packages/aws_ir/cli.py", line 11, in <module>
    from aws_ir.libs import plugin
  File "/Users/akrug/workspace/incidents/env/lib/python3.6/site-packages/aws_ir/libs/plugin.py", line 5, in <module>
    from pluginbase import PluginBase
ModuleNotFoundError: No module named 'pluginbase'

IAM policy/requirements to use aws_ir ? UnboundLocalError: local variable 'security_group_result' referenced before assignment

Hello,
Finally taking a bit of time to test aws_ir and having basic issues. Not using aws enough day-to-day.
Sorry if it's really basic.

I set up a dedicated t2.micro as a webserver to test IR and created a dedicated aws_ir user.
For the user's IAM policy, the docs (https://aws-ir.readthedocs.io/en/latest/quickstart.html) say "Check back soon for an IAM policy featuring the minimum set of required permissions".
I tried with the following blog post: http://threatresponse.cloud/blog/2016/tips_for_least_privilege_iam_policies.html

But after install

# apt-get install libssl-dev python-dev python-pip libyaml-dev
# pip install awscli aws_ir
$ aws configure
[...]
$ aws ec2 describe-instances
[OK. Ensure Clock is fine (with or without *ntpd) and firewall too (curl -v https://ec2.us-east-1.amazonaws.com/ = HTTP 301). can be from systems inside and outside amazon]
# aws_ir instance-compromise --instance-ip 54.165.132.241 --user aws_ir --ssh-key awsweb.pem 
2017-04-01T19:38:42 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-04-01T19:38:42 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 35 found.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide.  This might take a minute...
2017-04-01T19:39:04 - aws_ir.libs.case - INFO - Inventory complete.  Proceeding to resource identification.
Traceback (most recent call last):
  File "/usr/local/bin/aws_ir", line 10, in <module>
    c.run()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/cli.py", line 154, in run
    hc.mitigate()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plans/host.py", line 79, in mitigate
    dry_run=False
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 18, in __init__
    self.setup()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 21, in setup
    sg = self.__create_isolation_security_group()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 57, in __create_isolation_security_group
    return security_group_result['GroupId']
UnboundLocalError: local variable 'security_group_result' referenced before assignment

Current IAM policy, a bit extended from the above blog post:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudwatch:DescribeAlarms",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstances",
                "ec2:DescribeAvailabilityZones",
                "iam:GenerateCredentialReport",
                "iam:GetCredentialReport",
                "iam:ListAttachedUserPolicies",
                "iam:ListRoles",
                "s3:GetBucketAcl",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:CreateBucket",
                "s3:PutBucketAcl",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

Thanks
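The policy quoted above grants only ec2:Describe* actions, so the isolate plugin's security-group creation would be denied by IAM; an UnboundLocalError at the return line is what a swallowed API error looks like when the success-path variable is then read. The following is an added illustration of that pattern next to a hardened form, with a constructed stand-in for the EC2 client; it is not aws_ir's code, and the function bodies and the vpc/sg ids are hypothetical.

```python
class AccessDenied(Exception):
    """Stand-in for botocore's ClientError so the example runs offline."""


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client that enforces an allow-list
    of IAM actions, mimicking an examiner policy that lacks a permission."""

    def __init__(self, allowed_actions):
        self.allowed = set(allowed_actions)

    def create_security_group(self, **kwargs):
        if "ec2:CreateSecurityGroup" not in self.allowed:
            raise AccessDenied("AccessDenied when calling CreateSecurityGroup")
        return {"GroupId": "sg-0123456789abcdef0"}  # constructed id


def create_isolation_sg_fragile(client, vpc_id):
    """Hypothetical reconstruction of the failing pattern: the API error is
    swallowed, so the variable is only bound on the success path and the
    return line raises UnboundLocalError, hiding the real cause."""
    try:
        security_group_result = client.create_security_group(
            GroupName="aws_ir-isolation", Description="isolation", VpcId=vpc_id)
    except AccessDenied as e:
        print("create_security_group failed: {}".format(e))
    return security_group_result["GroupId"]


def create_isolation_sg(client, vpc_id):
    """Hardened form: the permission error propagates with context, so the
    operator sees which IAM action the examiner policy is missing."""
    try:
        result = client.create_security_group(
            GroupName="aws_ir-isolation", Description="isolation", VpcId=vpc_id)
    except AccessDenied as e:
        raise PermissionError(
            "cannot create isolation security group in {}; the examiner policy "
            "must allow ec2:CreateSecurityGroup".format(vpc_id)) from e
    return result["GroupId"]


def outcome(fn, client, vpc_id="vpc-0c0ffee0"):
    """Run fn and report ('ok', group id) or ('error', exception class name)."""
    try:
        return ("ok", fn(client, vpc_id))
    except Exception as e:
        return ("error", type(e).__name__)


if __name__ == "__main__":
    denied = FakeEC2(allowed_actions=["ec2:DescribeInstances"])
    print(outcome(create_isolation_sg_fragile, denied))  # UnboundLocalError
    print(outcome(create_isolation_sg, denied))          # PermissionError
```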

In development branch memory acquisition fails if GPG fingerprint not present

None
Traceback (most recent call last):
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/libs/volatile.py", line 75, in get_memory
    self.repo.init_gpg()
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/margaritashotgun/repository.py", line 48, in init_gpg
    self.gpg = gnupg.GPG(gnupghome=gpg_home)
TypeError: __init__() got an unexpected keyword argument 'gnupghome'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "bin/aws_ir", line 10, in <module>
    c.run()
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/cli.py", line 196, in run
    hc.mitigate()
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/plans/host.py", line 104, in mitigate
    self.do_mem(client, compromised_resource)
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/plans/host.py", line 136, in do_mem
    case_number=self.case.case_number
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/libs/volatile.py", line 80, in get_memory
    self.repo.prompt_for_install()
  File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/margaritashotgun/repository.py", line 101, in prompt_for_install
    " From : {2}".format(self.key_info['fingerprint'],
TypeError: 'NoneType' object is not subscriptable

Push logs into Cloudwatch

Create a cloudwatch log group. Push output of aws_ir.

This isn't really blocked by #75, but the current log output sucks.

GPG key trust issue

When attempting a run, the following error is thrown by marsho during mem acquisition:

2017-05-13T14:49:19 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ubuntu on 35.167.170.172 with /Users/krug/Downloads/testing.pem
2017-05-13T14:49:19 - margaritashotgun.client - CRITICAL - Repository signing key found at https://threatresponse-lime-modules.s3.amazonaws.com/REPO_SIGNING_KEY.asc is not trusted on the local system, fingerprint: 80DA92CB09161F241C8F9BC918BA980367172B17

Document or provide logic to install the key.

My OS is MacOS Sierra
Acquisition OS is 14.04 Ubuntu HVM

TypeError: coercing to Unicode: need string or buffer, NoneType found

aws_ir key-compromise --access-key-id AKIA9288

I get the following error while executing this command

2018-01-19T22:47:56 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2018-01-19T22:47:56 - aws_ir.plans.key - INFO - Attempting key disable.
Traceback (most recent call last):
  File "/usr/local/bin/aws_ir", line 10, in <module>
    c.run()
  File "/usr/local/lib/python2.7/site-packages/aws_ir/cli.py", line 245, in run
    kc.mitigate()
  File "/usr/local/lib/python2.7/site-packages/aws_ir/plans/key.py", line 62, in mitigate
    dry_run=False
  File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 25, in __init__
    self.setup()
  File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 29, in setup
    self.template = self._generate_inline_policy()
  File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 77, in _generate_inline_policy
    template_file = open(template_name)
TypeError: coercing to Unicode: need string or buffer, NoneType found

Change plugins class names

Just wanted to get a bug out there. All plugin class names should change to simply class Plugin(object): in order to support dynamic loading during custom incidents.

Examiner CIDR range behavior

@jvehent proposes that if the CIDR range is not provided we skip memory acquisition and default to DENY all network instead of allow all (i.e. lots of constructors take default args as 0.0.0.0/0).

KeyError: 'VpcId' - Instances assigned to VPCs not supported?

I'm receiving the following error when trying to launch aws_ir 0.3.1 built from git, with the compromise type of instance-compromise. There is a VPC ID assigned to the particular instance being passed to aws_ir. Are instances assigned to VPCs not supported?

[screenshot of the KeyError traceback not reproduced]

TypeError when running key-compromise option

Error found when running key-compromise
$ aws_ir key-compromise --access-key-id AKIASAMPLE
2017-02-22 04:22:27,834 - aws_ir.cli - INFO - Parsing successful proceeding to incident plan.
2017-02-22 04:22:32,717 - aws_ir.cli - INFO - Attempting key disable.
Traceback (most recent call last):
  File "/usr/local/bin/aws_ir", line 10, in <module>
    c.run()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/cli.py", line 168, in run
    kc.mitigate()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plans/key.py", line 66, in mitigate
    dry_run=False
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 21, in __init__
    self.setup()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 27, in setup
    policy_document = self.__generate_inline_policy()
  File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 66, in __generate_inline_policy
    template_file = open(template_name)
TypeError: coercing to Unicode: need string or buffer, NoneType found

aws_ir (0.2.1) installed with pip in EC2 / Ubuntu 14.04.5 LTS

Clean up case bucket flag

Would be nice to have a flag to remove empty case buckets or even case buckets generated that have stuff in them.

cli.py should init prep_aws_connections on L212 just like line 198

Multi-host acquisition currently fails with:
AttributeError: 'Case' object has no attribute 'aws_inventory'

My guess is the patch should look like this in cli.py:

211     if self.config.targets:
212         case_obj.prep_aws_connections()
213         logger.info(
214             'Alert : multi-host mode engaged targets in file will attempt processing.'
215         )

As a follow-up, we need to write a Travis test to cover this case.

2017-08-17T08:35:21 - aws_ir.libs.volatile - CRITICAL - GPG key not in trust chain attempting interacti None

Hi guys,
I'm trying to run "./aws_ir --verbose --bucket-name XXXX --examiner-cidr-range XXXX comromise --target XXXX --user ec2-user --ssh-key XXXX", but after attempting the margarita shotgun part I'm receiving the error "2017-08-17T08:35:21 - aws_ir.libs.volatile - CRITICAL - GPG key not in trust chain attempting interactive installation.". I did add the aws certificate to the trust chain but it didn't help.
Can you please assist?

Handle GPG not on system

AWS_IR should warn if gpg is not on the system.

Current behavior:

(aws_ir) roger:aws_ir krug$ bin/aws_ir instance-compromise --instance-ip 35.167.170.172 --user ubuntu --ssh-key ~/Downloads/testing.pem
2017-05-13T14:47:06 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-05-13T14:47:06 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 35 found.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide.  This might take a minute...
2017-05-13T14:47:30 - aws_ir.libs.case - INFO - Inventory complete.  Proceeding to resource identification.
0.0.0.0/0
2017-05-13T14:47:32 - aws_ir.plans.host - INFO - Adding examiner exception to isolated instance.
2017-05-13T14:47:32 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ubuntu on 35.167.170.172 with /Users/krug/Downloads/testing.pem
2017-05-13T14:47:32 - margaritashotgun.client - CRITICAL - Unable to run gpg - it may not be available.

Support role assumption

Follow best practices for assumeRole, following the Netflix model of having:

  • Incident Read Role
  • Incident Write Role

aws_ir should be able to create these roles for assumption, should they not exist, given appropriate privilege for the initial examiner.

S3 Bucket Name Change

@andrewkrug, @amccormack Do you guys see value in including the case-number into generated s3 bucket names?

Perhaps something like this:
cloud-response-0b41c684836f47518a7d05db3adc756e ->
cloud-response-cr-17-022605-3da6-0b41c684836f47518a7d05db3adc756e

This would also make it easier for aws_ir to reuse a case bucket without forcing both the case-number and bucket-name to be specified.
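An added example (not aws_ir's code) that builds the proposed prefix-casenumber-randomhex name, checks it against the S3 bucket naming rules, and recovers the case number from an existing bucket name; the 63-character limit and the helper names are the assumptions it makes, and the case number and hex suffix are the ones quoted above.

```python
import re
import uuid

# S3 bucket naming rules checked here (assumed to be the ones that matter for a
# case bucket): 3-63 chars; lowercase letters, digits, '.' and '-'; must start
# and end with a letter or digit; no '..'; must not look like an IPv4 address.
_ALLOWED = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")
_IPV4_LIKE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def bucket_name_problems(name):
    """Return the naming rules a candidate bucket name violates ([] means valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length {} is outside 3-63".format(len(name)))
    if not _ALLOWED.match(name):
        problems.append("only lowercase letters, digits, '.' and '-' allowed, "
                        "starting and ending with a letter or digit")
    if ".." in name:
        problems.append("consecutive dots are not allowed")
    if _IPV4_LIKE.match(name):
        problems.append("must not be formatted like an IP address")
    return problems


def case_bucket_name(case_number=None, random_hex=None, prefix="cloud-response", max_len=63):
    """Build a case bucket name in the proposed form prefix-casenumber-randomhex.
    Without a case number it degrades to the current prefix-randomhex form. The
    random part is truncated (never the case number) so the name fits max_len."""
    random_hex = random_hex or uuid.uuid4().hex
    head = prefix + ("-" + case_number.lower() if case_number else "") + "-"
    room = max_len - len(head)
    if room < 8:  # too little entropy left to keep names from colliding
        raise ValueError("prefix and case number leave no room for a random suffix")
    name = head + random_hex[:room]
    problems = bucket_name_problems(name)
    if problems:
        raise ValueError("{}: {}".format(name, "; ".join(problems)))
    return name


def case_number_from_bucket(name, prefix="cloud-response"):
    """Inverse lookup: the case number embedded in a bucket name, or None for
    names in the old prefix-randomhex form (case-number shape assumed as cr-YY-DDDDDD-xxxx)."""
    pattern = "^" + re.escape(prefix) + r"-(cr-\d{2}-\d{6}-[0-9a-f]{4})-[0-9a-f]+$"
    m = re.match(pattern, name)
    return m.group(1) if m else None
```

The full name as proposed above is 65 characters, two over the limit; truncating the random suffix keeps the case number intact and the name valid.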

Case Logs Missing From S3

Case logs are written to /tmp as expected, but are not uploaded to a user-supplied or generated case bucket.

nacl isolation not working as designed

@joelferrier, looks like some code that was introduced in 116a9ab is causing the isolate plugin to fail. @jvehent caught this in some testing.

Here's how I might go about addressing this problem long term:

  1. Remove this code from isolate
  2. Create an additional plugin that can be called to allow this access needed for mem acquisition.
  3. This plugin should run pre and post memory acquisition since we don't want to leave an open channel for longer than needed. Pre acquisition it would add the rule. Post it would remove the rule.

Short term +1 for just removing this from isolate so the isolation functions actually work.
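The "Examiner CIDR range behavior" proposal above (no range given means deny all, never a 0.0.0.0/0 default) and the pre/post-acquisition plugin sketched in step 3 fit together. The following added example, not aws_ir's own code, shows both with a constructed stand-in for the EC2 client; the function names, the use of a security-group rule rather than a NACL entry, and port 22 as the examiner port are assumptions.

```python
import ipaddress
from contextlib import contextmanager

class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client: records calls, talks to nothing."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))

def examiner_ingress_permissions(examiner_cidr, port=22):
    """IpPermissions for the examiner's access. No CIDR means deny all (empty
    list); a malformed or world-wide range is an error, never a 0.0.0.0/0 default."""
    if not examiner_cidr:
        return []
    net = ipaddress.ip_network(examiner_cidr, strict=True)  # rejects host bits set
    if net.prefixlen == 0:
        raise ValueError("examiner range {} would open the host to the world".format(net))
    ranges = ({"IpRanges": [{"CidrIp": str(net)}]} if net.version == 4
              else {"Ipv6Ranges": [{"CidrIpv6": str(net)}]})
    return [dict(IpProtocol="tcp", FromPort=port, ToPort=port, **ranges)]

def is_acceptable_examiner_range(examiner_cidr):
    """True if the range is applied (or safely omitted), False if it is rejected."""
    try:
        examiner_ingress_permissions(examiner_cidr)
        return True
    except ValueError:
        return False

@contextmanager
def examiner_access(client, group_id, examiner_cidr, port=22):
    """Open the examiner channel only for the acquisition window and close it
    again even if acquisition fails; with no CIDR nothing is opened."""
    perms = examiner_ingress_permissions(examiner_cidr, port)
    if perms:
        client.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    try:
        yield bool(perms)
    finally:
        if perms:
            client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)

def acquire_memory(client, group_id, examiner_cidr, acquisition):
    """Run acquisition() inside the examiner window. Returns (status, calls): the
    acquisition error's class name or 'ok', and the authorize/revoke sequence."""
    status = "ok"
    try:
        with examiner_access(client, group_id, examiner_cidr):
            acquisition()
    except Exception as e:  # report, do not hide, the acquisition failure
        status = type(e).__name__
    return status, [name for name, _ in client.calls]
```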

Instance compromise should take ip address OR instance-id

Current targeting system for instance compromise does not support taking an instance-id. This seems weird to me and not super useful.

AWS sends its threat detection reports thusly:

DOS,i-fdksdfahsdfah,2017-01-01 12:00:00 PDT,8.8.8.8,TCP,*,80,us-east-1

Please support targeting based on instance ID
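An added example (not aws_ir's code) of a target parser that accepts either an instance id or an IP address, plus a reader for report lines in the shape quoted above. The column meanings, the helper names and the sample rows are assumptions; the instance-id format (i- followed by 8 or 17 hex characters) is the EC2 one.

```python
import csv
import io
import ipaddress
import re

INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")  # 8-char legacy or 17-char ids

def classify_target(value):
    """Accept either an instance id or an IP address (v4 or v6) and say which.
    Anything else is rejected rather than silently treated as an IP."""
    value = value.strip()
    if INSTANCE_ID_RE.match(value):
        return ("instance-id", value)
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        raise ValueError("target {!r} is neither an EC2 instance id nor an IP address".format(value))

# Assumed column meaning for the report line quoted in the issue (an interpretation,
# not documented on this page): abuse type, instance id, time, remote IP, protocol,
# source port ('*' = any), destination port, region.
REPORT_COLUMNS = ["abuse_type", "instance_id", "time", "remote_ip",
                  "protocol", "src_port", "dst_port", "region"]

def parse_abuse_report(text):
    """Parse report lines into dicts, skipping blank lines and lines whose
    instance id is not well-formed; returns the list of parsed rows."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or len(fields) != len(REPORT_COLUMNS):
            continue
        row = dict(zip(REPORT_COLUMNS, (f.strip() for f in fields)))
        if not INSTANCE_ID_RE.match(row["instance_id"]):
            continue
        for port in ("src_port", "dst_port"):
            row[port] = None if row[port] == "*" else int(row[port])
        rows.append(row)
    return rows

def targets_from_report(text):
    """Unique (instance_id, region) targets from a report, in first-seen order."""
    seen = []
    for row in parse_abuse_report(text):
        t = (row["instance_id"], row["region"])
        if t not in seen:
            seen.append(t)
    return seen

# Constructed sample in the same shape as the line quoted in the issue.
SAMPLE_REPORT = """\
DOS,i-0123456789abcdef0,2017-01-01 12:00:00 PDT,198.51.100.9,TCP,*,80,us-east-1
DOS,i-0123456789abcdef0,2017-01-01 12:05:00 PDT,198.51.100.9,TCP,*,443,us-east-1
PORTSCAN,i-0fedcba9,2017-01-01 12:07:00 PDT,203.0.113.4,TCP,*,22,us-west-2
"""
```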

AttributeError: 'Plugin' object has no attribute '_Plugin__generate_inline_policy'

Receiving the following error when attempting to run key-compromise. Any help greatly appreciated.

> (aws_ir_env) [ec2-user@ip-10-0-1-145 venv]$ aws_ir key-compromise --access-key-id ***ACCESSKEY***
> 2018-07-06T20:39:32 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
> 2018-07-06T20:39:32 - aws_ir.plans.key - INFO - Attempting key disable.
> Traceback (most recent call last):
>   File "/home/ec2-user/venv/aws_ir_env/bin/aws_ir", line 10, in <module>
>     c.run()
>   File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir/cli.py", line 245, in run
>     kc.mitigate()
>   File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir/plans/key.py", line 62, in mitigate
>     dry_run=False
>   File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir_plugins/revokests_key.py", line 25, in __init__
>     self.setup()
>   File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir_plugins/revokests_key.py", line 33, in setup
>     policy_document = self.__generate_inline_policy()
> AttributeError: 'Plugin' object has no attribute '_Plugin__generate_inline_policy'

Profiles not working in pip package

The current version available in pip3 package (aws-ir-0.3.0) doesn't work with either --profile or an assume-role equivalent. It fails on the initial bucket creation step:

Traceback (most recent call last):
  File "/home/aaron.gorka/Documents/venv-aws_ir/bin/aws_ir", line 10, in <module>
    c.run()
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/cli.py", line 182, in run
    self.config.profile
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/case.py", line 53, in __init__
    self.case_bucket = self._setup_bucket(region='us-west-2')
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/case.py", line 167, in _setup_bucket
    self.s3_resource
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 12, in __init__
    self.bucket = self.find_or_create_by()
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 20, in find_or_create_by
    bucket = self._create_s3_bucket()
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 52, in _create_s3_bucket
    'LocationConstraint': self.region
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/boto3/resources/factory.py", line 520, in do_action
    response = action(self, *args, **kwargs)
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/boto3/resources/action.py", line 83, in __call__
    response = getattr(parent.meta.client, operation_name)(**params)
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/botocore/client.py", line 615, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

The same error is returned if I omit the --profile flag and use awsume to get access keys for a role.

After installing from the master branch, both methods work fine.

Add module scope stream logger to plugin init

Currently the plugins are not doing much in the way of adding to the log. Make the stream logger for what the plugin is doing more descriptive of actions and steps taken for timeline reconstruction.
