threatresponse / aws_ir
Python installable command line utility for mitigation of host and key compromises.
License: MIT License
https://github.com/ThreatResponse/aws_ir/blob/master/setup.py#L25
^^ The line above, where setup.py lists its requirements, should include pluginbase.
New release has a bug:
(env) akrug-28119:incidents akrug$ aws_ir -b e-casebucket-1xt5mljpifmvs key-compromise --access-key-id AKIAINLHPIG64YJXPK5A
Traceback (most recent call last):
File "/Users/akrug/workspace/incidents/env/bin/aws_ir", line 7, in <module>
from aws_ir.cli import cli
File "/Users/akrug/workspace/incidents/env/lib/python3.6/site-packages/aws_ir/cli.py", line 11, in <module>
from aws_ir.libs import plugin
File "/Users/akrug/workspace/incidents/env/lib/python3.6/site-packages/aws_ir/libs/plugin.py", line 5, in <module>
from pluginbase import PluginBase
ModuleNotFoundError: No module named 'pluginbase'
Hello,
Finally taking a bit of time to test aws_ir and having basic issues. Not using AWS enough day-to-day.
Sorry if it's really basic.
I set up a dedicated t2.micro as a webserver to test IR and created a dedicated aws_ir user.
For the user's IAM policy, the docs (https://aws-ir.readthedocs.io/en/latest/quickstart.html) say "Check back soon for an IAM policy featuring the minimum set of required permissions".
I tried with the following blog post: http://threatresponse.cloud/blog/2016/tips_for_least_privilege_iam_policies.html
But after install:
# apt-get install libssl-dev python-dev python-pip libyaml-dev
# pip install awscli aws_ir
$ aws configure
[...]
$ aws ec2 describe-instances
[OK. Ensure Clock is fine (with or without *ntpd) and firewall too (curl -v https://ec2.us-east-1.amazonaws.com/ = HTTP 301). can be from systems inside and outside amazon]
# aws_ir instance-compromise --instance-ip 54.165.132.241 --user aws_ir --ssh-key awsweb.pem
2017-04-01T19:38:42 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-04-01T19:38:42 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 35 found.
2017-04-01T19:38:52 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
2017-04-01T19:39:04 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
Traceback (most recent call last):
File "/usr/local/bin/aws_ir", line 10, in <module>
c.run()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/cli.py", line 154, in run
hc.mitigate()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plans/host.py", line 79, in mitigate
dry_run=False
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 18, in __init__
self.setup()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 21, in setup
sg = self.__create_isolation_security_group()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/isolate_host.py", line 57, in __create_isolation_security_group
return security_group_result['GroupId']
UnboundLocalError: local variable 'security_group_result' referenced before assignment
Current IAM policy a bit extended from above blog post
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudwatch:DescribeAlarms",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstances",
                "ec2:DescribeAvailabilityZones",
                "iam:GenerateCredentialReport",
                "iam:GetCredentialReport",
                "iam:ListAttachedUserPolicies",
                "iam:ListRoles",
                "s3:GetBucketAcl",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:CreateBucket",
                "s3:PutBucketAcl",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}
Thanks
(btw, IMHO it should be called instance-compromise to avoid misunderstandings with EC2 dedicated hosts).
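The posted policy can be checked mechanically against the actions the isolation step is seen attempting. The following is an added example and not code from the aws_ir project: it implements just enough of IAM evaluation (Allow/Deny, "*" and "?" wildcards in Action, case-insensitive matching, explicit Deny winning) to report which actions a policy document does not grant. Resource and Condition are ignored, so "granted" here is necessary, not sufficient. The ISOLATION_ACTIONS list is an assumption: the traceback shows a security group being created, and the rest is a guess at what attaching it to the instance needs, not the project's documented minimum.

```python
"""Which IAM actions does a policy document grant?

Added example, not code from the aws_ir project. It implements only the part of
IAM evaluation needed to check a policy like the one posted above: Allow and
Deny statements, "*" / "?" wildcards in Action (case-insensitive), explicit
Deny beating Allow. Resource and Condition are ignored, so a "granted" result
is necessary, not sufficient. ISOLATION_ACTIONS is an assumption: the
traceback shows a security group being created; the rest is a guess at what
attaching it to the instance would need, not the project's documented list.
"""
import fnmatch
import json

# The policy posted above, reproduced verbatim.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudtrail:DescribeTrails", "cloudwatch:DescribeAlarms",
            "ec2:DescribeFlowLogs", "ec2:DescribeRegions", "ec2:DescribeVpcs",
            "ec2:DescribeInstances", "ec2:DescribeAvailabilityZones",
            "iam:GenerateCredentialReport", "iam:GetCredentialReport",
            "iam:ListAttachedUserPolicies", "iam:ListRoles",
            "s3:GetBucketAcl", "s3:GetBucketLogging", "s3:GetBucketVersioning",
            "s3:ListAllMyBuckets", "s3:CreateBucket", "s3:PutBucketAcl",
            "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:ListBucket",
        ],
        "Resource": "*",
    }],
}

# Assumed list (see docstring); adjust to what the plugin really calls.
ISOLATION_ACTIONS = [
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:ModifyInstanceAttribute",
    "ec2:DescribeSecurityGroups",
]


def _as_list(value):
    """IAM lets Statement and Action be a single value or a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """True if `action` is granted by `policy`; an explicit Deny always wins."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = False
    for stmt in _as_list(doc.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required):
    """Return the actions in `required` that `policy` does not grant."""
    return [a for a in required if not is_allowed(policy, a)]


if __name__ == "__main__":
    for action in missing_actions(POSTED_POLICY, ISOLATION_ACTIONS):
        print("not granted by the posted policy:", action)
```

Run against the posted policy, every entry in ISOLATION_ACTIONS comes back as not granted, which is at least consistent with the create-security-group call not returning a result; whether that is the actual cause of the UnboundLocalError is for the maintainers to confirm, since the plugin may also be failing for other reasons.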
Traceback (most recent call last):
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/libs/volatile.py", line 75, in get_memory
self.repo.init_gpg()
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/margaritashotgun/repository.py", line 48, in init_gpg
self.gpg = gnupg.GPG(gnupghome=gpg_home)
TypeError: __init__() got an unexpected keyword argument 'gnupghome'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "bin/aws_ir", line 10, in <module>
c.run()
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/cli.py", line 196, in run
hc.mitigate()
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/plans/host.py", line 104, in mitigate
self.do_mem(client, compromised_resource)
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/plans/host.py", line 136, in do_mem
case_number=self.case.case_number
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/aws_ir/libs/volatile.py", line 80, in get_memory
self.repo.prompt_for_install()
File "/Users/akrug/workspace/andrewkrug-aws_ir/env/lib/python3.6/site-packages/margaritashotgun/repository.py", line 101, in prompt_for_install
" From : {2}".format(self.key_info['fingerprint'],
TypeError: 'NoneType' object is not subscriptable
Create a cloudwatch log group. Push output of aws_ir.
This isn't really blocked by #75, but the current log output sucks.
When attempting a run during mem acquisition the following error is thrown by marsho
2017-05-13T14:49:19 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ubuntu on 35.167.170.172 with /Users/krug/Downloads/testing.pem
2017-05-13T14:49:19 - margaritashotgun.client - CRITICAL - Repository signing key found at https://threatresponse-lime-modules.s3.amazonaws.com/REPO_SIGNING_KEY.asc is not trusted on the local system, fingerprint: 80DA92CB09161F241C8F9BC918BA980367172B17
Document or provide logic to install the key.
My OS is MacOS Sierra
Acquisition OS is 14.04 Ubuntu HVM
should be status, obviously!
Cross linking this feature from Black Hat '17 issues for tracking.
currently logged as python blob.
Atlassian makes an awesome thing called localstack:
https://github.com/atlassian/localstack
Let's try it out and see if it shortens our iterations on some of these plugins.
Use this issue to track progress cross these threads.
In the case where we don't have access to the instance, inject an SSH key in order to do live analysis.
Suggestion: standardized JSON output saved in incident file.
Depends on: ThreatResponse/aws_ir_plugins#20
aws_ir key-compromise --access-key-id AKIA9288
I get the following error while executing this command
2018-01-19T22:47:56 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2018-01-19T22:47:56 - aws_ir.plans.key - INFO - Attempting key disable.
Traceback (most recent call last):
File "/usr/local/bin/aws_ir", line 10, in <module>
c.run()
File "/usr/local/lib/python2.7/site-packages/aws_ir/cli.py", line 245, in run
kc.mitigate()
File "/usr/local/lib/python2.7/site-packages/aws_ir/plans/key.py", line 62, in mitigate
dry_run=False
File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 25, in __init__
self.setup()
File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 29, in setup
self.template = self._generate_inline_policy()
File "/usr/local/lib/python2.7/site-packages/aws_ir_plugins/revokests_key.py", line 77, in _generate_inline_policy
template_file = open(template_name)
TypeError: coercing to Unicode: need string or buffer, NoneType found
Just wanted to get a bug out there. All plugin class names should change to simply class Plugin(object): in order to support dynamic loading during custom incidents.
@jvehent proposes that if a CIDR range is not provided we skip memory acquisition and default to DENY all network traffic instead of allowing all (i.e. lots of constructors take default args of 0.0.0.0/0).
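What the deny-by-default proposal looks like in code, as an added example that is not the aws_ir implementation: the risky constructor pattern (CIDR defaulting to 0.0.0.0/0) is placed beside a version that, with no examiner range, adds no ingress rule and skips memory acquisition, and that validates a supplied range and refuses one wider than a configurable bound. Function names, the plan dict layout and the prefix bounds are this example's own assumptions.

```python
"""Deny-by-default examiner access when isolating an instance.

Added example, not the aws_ir code. It places the pattern the issue objects to
(a constructor whose CIDR argument defaults to 0.0.0.0/0) next to a
deny-by-default version: no examiner range means no ingress rule and no remote
memory acquisition, and a supplied range is validated and refused if it is
wider than a configurable bound. Function names, the plan dict layout and the
bounds are this example's own, not the project's.
"""
import ipaddress


def isolation_plan_allow_all(examiner_cidr="0.0.0.0/0"):
    """The risky pattern: an omitted CIDR silently leaves SSH open to the world."""
    return {
        "ingress": [{"proto": "tcp", "port": 22, "cidr": examiner_cidr}],
        "egress": [],            # egress is fully revoked in both variants
        "acquire_memory": True,
    }


def isolation_plan_deny_default(examiner_cidr=None, max_v4_prefix=16, max_v6_prefix=48):
    """Deny-by-default isolation plan.

    Returns (plan, warnings). With no examiner CIDR the instance gets no
    ingress at all and memory acquisition is skipped rather than opening
    0.0.0.0/0 to reach it. A CIDR with host bits set, or wider than
    /max_v4_prefix (IPv4) or /max_v6_prefix (IPv6), raises ValueError so a
    typo such as 10.0.0.0/0 cannot reopen the box.
    """
    plan = {"ingress": [], "egress": [], "acquire_memory": False}
    warnings = []
    if examiner_cidr is None:
        warnings.append("no examiner CIDR supplied: isolating with deny-all "
                        "and skipping memory acquisition")
        return plan, warnings
    net = ipaddress.ip_network(examiner_cidr, strict=True)  # ValueError on junk or host bits
    bound = max_v4_prefix if net.version == 4 else max_v6_prefix
    if net.prefixlen < bound:
        raise ValueError(f"examiner range {net} is wider than /{bound}")
    plan["ingress"].append({"proto": "tcp", "port": 22, "cidr": str(net)})
    plan["acquire_memory"] = True
    return plan, warnings
```

The warning is returned rather than only logged so the caller can surface it in the case record; the point is that the operator has to opt in to reachability, never out of it.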
If an instance is found to have an instance-profile support doing the following:
ThreatResponse workstation currently only works in us-west-2
Error found when running key-compromise
$ aws_ir key-compromise --access-key-id AKIASAMPLE
2017-02-22 04:22:27,834 - aws_ir.cli - INFO - Parsing successful proceeding to incident plan.
2017-02-22 04:22:32,717 - aws_ir.cli - INFO - Attempting key disable.
Traceback (most recent call last):
File "/usr/local/bin/aws_ir", line 10, in <module>
c.run()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/cli.py", line 168, in run
kc.mitigate()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plans/key.py", line 66, in mitigate
dry_run=False
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 21, in __init__
self.setup()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 27, in setup
policy_document = self.__generate_inline_policy()
File "/usr/local/lib/python2.7/dist-packages/aws_ir/plugins/revokests_key.py", line 66, in __generate_inline_policy
template_file = open(template_name)
TypeError: coercing to Unicode: need string or buffer, NoneType found
aws_ir (0.2.1) installed with pip in EC2 / Ubuntu 14.04.5 LTS
Instance reservations include a datetime in the launchTime.
Would be nice to have a flag to remove empty case buckets or even case buckets generated that have stuff in them.
Multi-host acquisition currently fails with:
AttributeError: 'Case' object has no attribute 'aws_inventory'
My guess is the patch to cli.py should look like this:
if self.config.targets:
    case_obj.prep_aws_connections()
    logger.info(
        'Alert : multi-host mode engaged targets in file will attempt processing.'
    )
As a follow up need to write a travis test to cover this case.
Hi guys,
I'm trying to run "./aws_ir --verbose --bucket-name XXXX --examiner-cidr-range XXXX comromise --target XXXX --user ec2-user --ssh-key XXXX", but after attempting the margarita shotgun part I'm receiving the error "2017-08-17T08:35:21 - aws_ir.libs.volatile - CRITICAL - GPG key not in trust chain attempting interactive installation." I did add the AWS certificate to the trust chain but it didn't help.
Can you please assist?
AWS_IR should warn if gpg not on system
Current behavior
(aws_ir) roger:aws_ir krug$ bin/aws_ir instance-compromise --instance-ip 35.167.170.172 --user ubuntu --ssh-key ~/Downloads/testing.pem
2017-05-13T14:47:06 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-05-13T14:47:06 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 35 found.
2017-05-13T14:47:20 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
2017-05-13T14:47:30 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
0.0.0.0/0
2017-05-13T14:47:32 - aws_ir.plans.host - INFO - Adding examiner exception to isolated instance.
2017-05-13T14:47:32 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ubuntu on 35.167.170.172 with /Users/krug/Downloads/testing.pem
2017-05-13T14:47:32 - margaritashotgun.client - CRITICAL - Unable to run gpg - it may not be available.
As a responder gathering data about target instances I want to run this tool and save the output.
@joelferrier Capturing this here as a chore for setting up GPG key imports for users.
$ curl -I http://aws-ir.readthedocs.io/en/latest/user_guide.html
HTTP/1.1 404 Not Found
Should they point to quickstart instead?
meta-data capture occurs after isolation, but in order to see security group policy before isolation, we should capture before as well.
Follow best practices for assumeRole following the Netflix model of having an:
aws_ir should be able to create these roles for assumption should they not exist given appropriate privilege for the initial examiner.
@andrewkrug, @amccormack Do you guys see value in including the case-number into generated s3 bucket names?
Perhaps something like this:
cloud-response-0b41c684836f47518a7d05db3adc756e
->
cloud-response-cr-17-022605-3da6-0b41c684836f47518a7d05db3adc756e
This would also make it easier for aws_ir to reuse a case bucket without forcing both the case-number and bucket-name to be specified.
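One check worth doing before adopting that naming scheme: S3 bucket names are limited to 63 characters (lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit, and not formatted like an IP address), and the proposed name with a full 32-hex-character suffix is 65. The following is an added example, not aws_ir code, that validates names against those rules and builds a case bucket name that embeds the case number and trims the random suffix to fit; the "cloud-response-" prefix and the case-number shape come from the proposal above, while the trimming policy and the minimum suffix length are this example's assumptions.

```python
"""Build a case bucket name that embeds the case number and still meets S3 rules.

Added example, not project code. S3 bucket names must be 3-63 characters of
lowercase letters, digits, dots and hyphens, start and end with a letter or
digit, and must not be formatted like an IP address; those rules are AWS's.
The "cloud-response-" prefix and the "cr-17-022605-3da6" case-number shape are
taken from the issue; how much of the random suffix to keep, and the minimum
of 8 suffix characters, are this example's choices.
"""
import ipaddress
import re
import uuid

PREFIX = "cloud-response-"
MAX_LEN = 63
MIN_SUFFIX = 8
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name):
    """True if `name` satisfies the general-purpose S3 bucket naming rules."""
    if not NAME_RE.match(name) or ".." in name:
        return False
    try:
        ipaddress.ip_address(name)
        return False            # dotted-quad names are rejected by S3
    except ValueError:
        return True


def case_bucket_name(case_number, suffix_hex=None):
    """PREFIX + normalised case number + random hex suffix, trimmed to MAX_LEN."""
    case_part = re.sub(r"[^a-z0-9-]", "-", case_number.lower()).strip("-")
    suffix_hex = suffix_hex or uuid.uuid4().hex
    room = MAX_LEN - len(PREFIX) - len(case_part) - 1   # 1 for the joining hyphen
    if room < MIN_SUFFIX:
        raise ValueError(f"case number {case_number!r} leaves fewer than "
                         f"{MIN_SUFFIX} characters for the suffix")
    name = f"{PREFIX}{case_part}-{suffix_hex[:room]}"
    if not valid_bucket_name(name):
        raise ValueError(f"generated name is not a valid bucket name: {name}")
    return name


def case_number_from_bucket(name):
    """Recover the case number from a name produced by case_bucket_name, else None."""
    if not name.startswith(PREFIX):
        return None
    body = name[len(PREFIX):]
    return body.rsplit("-", 1)[0] if "-" in body else None
```

Recovering the case number from the bucket name is what makes the "reuse the case bucket without passing both flags" idea work, so the suffix is the part that gets shortened, never the case number.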
Case logs are written to /tmp as expected, but are not uploaded to a user supplied, or generated case bucket.
@joelferrier looks like some code that was introduced in 116a9ab is causing the isolate plugin to fail. @jvehent caught this in some testing.
Here's how I might go about addressing this problem long term:
Short term +1 for just removing this from isolate so the isolation functions actually work.
Let's use Open Threat Exchange:
https://github.com/AlienVault-Labs/OTX-Python-SDK
Basically if an env var exists for OTX API Key... go ahead and do this if CloudTrail happens to be enabled.
Everywhere we do things like this (aws_ir/aws_ir/libs/volatile.py, line 40 in 044b4b9):
Extract into a default config file so it can be modified.
Current targeting system for instance compromise does not support taking an instance-id. This seems weird to me and not super useful.
AWS sends its threat detection reports like this:
DOS,i-fdksdfahsdfah,2017-01-01 12:00:00 PDT,8.8.8.8,TCP,*,80,us-east-1
Please support targeting based on instance ID
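A parser for that report line, as an added example rather than aws_ir code: it turns lines in the shape quoted above (type, instance id, timestamp, source ip, protocol, source port, destination port, region) into deduplicated (instance id, region) targets and rejects rows with a malformed instance id or region rather than feeding them to an API call. The field meanings beyond the single sample line are an assumption, and the sample report is constructed for the example.

```python
"""Parse abuse-report lines like the one quoted above into instance targets.

Added example, not project code. The column order (type, instance id,
timestamp, source ip, protocol, source port, dest port, region) is taken from
the one sample line in the issue; the field names are an assumption. The
sample report below is constructed for the example.
"""
import csv
import io
import re

INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")   # 8 or 17 hex chars
REGION = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
FIELDS = ["type", "instance_id", "timestamp", "source_ip", "proto",
          "src_port", "dst_port", "region"]

# Constructed sample: two valid rows, one bad instance id, one bad region.
SAMPLE_REPORT = """\
DOS,i-0123456789abcdef0,2017-01-01 12:00:00 PDT,8.8.8.8,TCP,*,80,us-east-1
SCAN,i-0abc1234,2017-01-01 12:05:00 PDT,198.51.100.7,TCP,*,22,us-west-2
DOS,i-not-an-id,2017-01-01 12:06:00 PDT,8.8.8.8,TCP,*,80,us-east-1
DOS,i-0123456789abcdef0,2017-01-01 12:07:00 PDT,8.8.8.8,TCP,*,80,nowhere
"""


def parse_report(text):
    """Return (targets, rejected).

    targets: one dict per unique (instance_id, region), carrying the first
             report row seen for it.
    rejected: (line number, reason) for rows that must not be acted on.
    """
    targets, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].strip().lower() == "type":     # blank or header row
            continue
        if len(row) != len(FIELDS):
            rejected.append((lineno, "wrong field count"))
            continue
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        if not INSTANCE_ID.match(rec["instance_id"]):
            rejected.append((lineno, "bad instance id"))
            continue
        if not REGION.match(rec["region"]):
            rejected.append((lineno, "bad region"))
            continue
        key = (rec["instance_id"], rec["region"])
        if key not in seen:
            seen.add(key)
            targets.append({"instance_id": key[0], "region": key[1], "report": rec})
    return targets, rejected
```

Carrying the region alongside the instance id matters because instance ids are only unique per region; a targeting mode that accepts an id should require or derive the region rather than searching every region for a match.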
Receiving following error when attempt to run key-compromise. Any help greatly appreciated.
> (aws_ir_env) [ec2-user@ip-10-0-1-145 venv]$ aws_ir key-compromise --access-key-id ***ACCESSKEY***
> 2018-07-06T20:39:32 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
> 2018-07-06T20:39:32 - aws_ir.plans.key - INFO - Attempting key disable.
> Traceback (most recent call last):
> File "/home/ec2-user/venv/aws_ir_env/bin/aws_ir", line 10, in <module>
> c.run()
> File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir/cli.py", line 245, in run
> kc.mitigate()
> File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir/plans/key.py", line 62, in mitigate
> dry_run=False
> File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir_plugins/revokests_key.py", line 25, in __init__
> self.setup()
> File "/home/ec2-user/venv/aws_ir_env/lib/python3.7/site-packages/aws_ir_plugins/revokests_key.py", line 33, in setup
> policy_document = self.__generate_inline_policy()
> AttributeError: 'Plugin' object has no attribute '_Plugin__generate_inline_policy'
The current version available in the pip3 package (aws-ir-0.3.0) doesn't work with either --profile or an assume-role equivalent. It fails on the initial bucket creation step:
Traceback (most recent call last):
File "/home/aaron.gorka/Documents/venv-aws_ir/bin/aws_ir", line 10, in <module>
c.run()
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/cli.py", line 182, in run
self.config.profile
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/case.py", line 53, in __init__
self.case_bucket = self._setup_bucket(region='us-west-2')
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/case.py", line 167, in _setup_bucket
self.s3_resource
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 12, in __init__
self.bucket = self.find_or_create_by()
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 20, in find_or_create_by
bucket = self._create_s3_bucket()
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/aws_ir/libs/s3bucket.py", line 52, in _create_s3_bucket
'LocationConstraint': self.region
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/boto3/resources/factory.py", line 520, in do_action
response = action(self, *args, **kwargs)
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/boto3/resources/action.py", line 83, in __call__
response = getattr(parent.meta.client, operation_name)(**params)
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/botocore/client.py", line 317, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/aaron.gorka/Documents/venv-aws_ir/lib64/python3.6/site-packages/botocore/client.py", line 615, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied
The same error is returned if I omit the --profile flag and use awsume to get access keys for a role.
After installing from the master branch, both methods work fine.
Currently the plugins are not doing much in the way of adding to the log. Make the stream logger for what the plugin is doing more descriptive of actions and steps taken for timeline reconstruction.
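Several of the requests above point at the same gap: push aws_ir output to a CloudWatch log group, standardise on JSON output in the incident file, cope with the datetime in launchTime that a plain JSON dump chokes on, and have plugins log each step so a timeline can be reconstructed. The following is an added example, not aws_ir code, that covers all four: a JSON log formatter that takes structured fields via extra= and serialises datetimes as ISO 8601, and a handler that buffers records into PutLogEvents-shaped batches (honouring the 10,000-event and 1,048,576-byte limits, with 26 bytes of overhead per event) and hands each batch to a callable. With boto3 that callable would be a logs client's put_log_events; here a capturing stand-in is used so it runs offline. Logger names, field names, the sample instance and group ids and the CapturingSender class are this example's own.

```python
"""Structured JSON logging of plugin steps, batched for CloudWatch Logs.

Added example, not aws_ir code. Batches are shaped like PutLogEvents input
({"timestamp": ms, "message": json}) and handed to any callable, so the
example runs offline; in production pass boto3's logs client put_log_events.
Logger names, field names, sample ids and CapturingSender are this example's own.
"""
import datetime as dt
import json
import logging

MAX_EVENTS = 10_000            # PutLogEvents limits: events per batch ...
MAX_BATCH_BYTES = 1_048_576    # ... and total size, counting 26 bytes per event
EVENT_OVERHEAD = 26


def _json_default(obj):
    """Serialise datetimes (e.g. boto3's launchTime) as ISO 8601 instead of failing."""
    if isinstance(obj, (dt.datetime, dt.date)):
        return obj.isoformat()
    raise TypeError(f"not JSON serializable: {type(obj).__name__}")


class JsonFormatter(logging.Formatter):
    """One JSON object per record; structured fields come from extra={"event": {...}}."""
    def format(self, record):
        doc = {
            "ts": dt.datetime.fromtimestamp(record.created, dt.timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        doc.update(getattr(record, "event", {}))
        return json.dumps(doc, default=_json_default, sort_keys=True)


class CloudWatchBatchHandler(logging.Handler):
    """Buffer records and flush PutLogEvents-shaped batches to `sender`."""
    def __init__(self, sender, group, stream):
        super().__init__()
        self.sender, self.group, self.stream = sender, group, stream
        self.buffer, self.size = [], 0

    def emit(self, record):
        message = self.format(record)
        cost = len(message.encode("utf-8")) + EVENT_OVERHEAD
        if self.buffer and (len(self.buffer) >= MAX_EVENTS or self.size + cost > MAX_BATCH_BYTES):
            self.flush()
        self.buffer.append({"timestamp": int(record.created * 1000), "message": message})
        self.size += cost

    def flush(self):
        if self.buffer:
            # CloudWatch rejects a batch whose events are out of chronological order.
            events = sorted(self.buffer, key=lambda e: e["timestamp"])
            self.sender(logGroupName=self.group, logStreamName=self.stream, logEvents=events)
            self.buffer, self.size = [], 0


class CapturingSender:
    """Offline stand-in for logs_client.put_log_events; keeps every batch."""
    def __init__(self):
        self.batches = []

    def __call__(self, **batch):
        self.batches.append(batch)


def make_case_logger(name, sender, case_number, stream="aws_ir"):
    """Logger whose output goes to log group /aws_ir/<case_number> via `sender`."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = CloudWatchBatchHandler(sender, group=f"/aws_ir/{case_number}", stream=stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger, handler


def record_timeline(sender, case_number="cr-17-022605-3da6"):
    """Log a constructed sequence of plugin steps; return the decoded JSON lines sent."""
    sent = []

    def tee(**batch):                      # decode what goes out, then forward it
        sent.extend(json.loads(e["message"]) for e in batch["logEvents"])
        sender(**batch)

    logger, handler = make_case_logger("aws_ir.plugins.isolate_host", tee, case_number)
    launch = dt.datetime(2017, 1, 1, 12, 0, tzinfo=dt.timezone.utc)   # constructed launchTime
    logger.info("inventory", extra={"event": {
        "step": "inventory", "instance_id": "i-0123456789abcdef0", "launch_time": launch}})
    logger.info("isolate", extra={"event": {
        "step": "create_security_group", "group_id": "sg-0123456789abcdef0"}})
    handler.flush()
    return sent
```

Each plugin step becomes one JSON line carrying a step name and the identifiers it touched, which is what makes timeline reconstruction possible later; the same lines can be written to the incident file in the case bucket and shipped to CloudWatch without reformatting.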