grimoire: Generate datasets of cloud audit logs for common attacks
Grimoire
Grimoire is a “REPL for detection engineering” that allows you to generate datasets of cloud audit logs for common attack techniques. It currently supports AWS.

How it works
First, Grimoire detonates an attack. It injects a unique user agent containing a UUID. Then, it polls CloudTrail to retrieve the audit logs caused by the detonation, and streams the resulting logs to an output file or to your terminal.
Supported detonators:
- Stratus Red Team
- AWS CLI interactive shell
Supported log backends:
- AWS CloudTrail (through the LookupEvents API)
Use
Grimoire has two main commands:
Detonate an attack technique with Stratus Red Team:
```
$ grimoire stratus-red-team -o /tmp/logs --attack-technique aws.credential-access.ssm-retrieve-securestring-parameters
INFO[0000] Warming up Stratus Red Team attack technique aws.credential-access.ssm-retrieve-securestring-parameters
INFO[0000] Detonating Stratus Red Team attack technique aws.credential-access.ssm-retrieve-securestring-parameters
INFO[0003] Stratus Red Team attack technique successfully detonated
INFO[0003] Searching for CloudTrail events...
INFO[0009] Found new CloudTrail event generated on 2024-07-30T20:58:43Z UTC: DescribeParameters
INFO[0009] Found new CloudTrail event generated on 2024-07-30T20:58:42Z UTC: DescribeParameters
```
In another terminal, you can tail /tmp/logs to see the logs as they’re discovered in CloudTrail. Alternatively, you can use -o - to print the logs in your terminal as they are found. You can safely use Ctrl+C to exit.
Keep in mind that some Stratus Red Team attack techniques may take some time to complete. These are marked with a Slow badge on their documentation page, such as Steal EC2 Instance Credentials.
Detonate an attack manually in an interactive shell
You can also detonate an attack manually in an interactive shell. In that case, Grimoire will spin up a new $SHELL for you, and inject the AWS_EXECUTION_ENV environment variable to ensure that the AWS CLI commands you run generate logs that Grimoire captures.
```
$ grimoire shell -o /tmp/logs
INFO[0000] Grimoire will now run your shell and automatically inject a unique identifier to your HTTP user agent when using the AWS CLI
INFO[0000] You can use the AWS CLI as usual. Press Ctrl+D or type 'exit' to return to Grimoire.
INFO[0000] When you exit the shell, Grimoire will look for the CloudTrail events that your commands have generated.
INFO[0000] Press ENTER to continue

# We're now in a "Grimoire-instrumented" shell
$ aws sts get-caller-identity
$ aws ec2 describe-instances
$ exit
INFO[0040] Welcome back to Grimoire!
INFO[0040] Searching for CloudTrail events...
INFO[0090] Found event: DescribeInstances
INFO[0090] Found event: GetCallerIdentity
```
In the shell that Grimoire spawns, you can use the $GRIMOIRE_DETONATION_ID environment variable if you need to propagate the user agent to other tools. For instance:
```
$ grimoire shell -o /tmp/logs
$ awscurl -H "User-Agent: $GRIMOIRE_DETONATION_ID" --service ec2 \
    'https://ec2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15'
```
… will allow Grimoire to identify CloudTrail events generated by awscurl as well.
Detonate an attack manually by specifying commands
You can use grimoire shell in non-interactive mode, passing it a command or a script to run instead:
```
$ grimoire shell --command 'aws sts get-caller-identity'
INFO[0000] Running detonation command: aws sts get-caller-identity
{
    "UserId": "AIDAEXAMPLE",
    "Account": "012345678901",
    "Arn": "arn:aws:iam::012345678901:user/christophe"
}
INFO[0002] Searching for CloudTrail events...
INFO[0140] Found event: GetCallerIdentity
```
Using a script:
```
$ cat /tmp/script.sh
aws sts get-caller-identity
aws iam create-user --user-name foobar
aws iam create-access-key --user-name foobar

$ grimoire shell --script /tmp/script.sh
INFO[0000] Running detonation script: /tmp/script.sh
+/tmp/script.sh:1> aws sts get-caller-identity
+/tmp/script.sh:2> aws iam create-user --user-name foobar
+/tmp/script.sh:3> aws iam create-access-key --user-name foobar
INFO[0005] Searching for CloudTrail events...
```
Advanced usage
You can use --timeout, --max-events, --include-events, --exclude-events and --only-write-events to control how long Grimoire should poll CloudTrail, how many events to retrieve, and which events to include or exclude.
```
# Wait for a single sts:GetCallerIdentity event and exit
grimoire shell --command 'aws sts get-caller-identity' --include-events 'sts:GetCallerIdentity' --max-events 1

# Only keep iam:* events and exit after 3 minutes or 2 events (whichever comes first)
grimoire stratus-red-team --attack-technique aws.persistence.iam-create-admin-user --include-events 'iam:*' --max-events 2 --timeout 3m

# Only keep IAM write events
grimoire shell --script /tmp/attack.sh --include-events 'iam:*' --only-write-events

# Exclude sts:GetCallerIdentity events
grimoire shell --script /tmp/attack.sh --exclude-events 'sts:GetCallerIdentity'

# Wait for at least one IAM or EC2 write event and exit. Fail if the logs aren't available within 10 minutes.
grimoire shell --script /tmp/attack.sh --only-write-events --include-events 'iam:*,ec2:*' --max-events 1 --timeout 10m
```
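To make the "How it works" mechanism and the filtering flags above concrete, here is an added Python sketch (not Grimoire's own code) of the collection loop: tag requests with a UUID, poll CloudTrail, de-duplicate, and apply the include/exclude/write-only filters with a deadline. It assumes the AWS CLI surfaces AWS_EXECUTION_ENV as `exec-env/<value>` in its User-Agent, and takes a `lookup` callable so it runs on the constructed sample below without AWS credentials (in real use, pass a function returning `boto3.client('cloudtrail').lookup_events(...)['Events']`).

```python
import fnmatch
import json
import time

def event_key(event: dict) -> str:
    """CloudTrail record -> the 'service:Action' form the flags use, e.g. 'iam:CreateUser'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"

def keep_event(event, detonation_id, include=(), exclude=(), only_write=False) -> bool:
    """The --include-events / --exclude-events / --only-write-events filters."""
    if detonation_id not in event.get("userAgent", ""):
        return False  # not tagged with our UUID: unrelated activity in the account
    if only_write and event.get("readOnly", True):
        return False
    key = event_key(event)
    if include and not any(fnmatch.fnmatchcase(key, p) for p in include):
        return False
    return not any(fnmatch.fnmatchcase(key, p) for p in exclude)

def collect_events(lookup, detonation_id, include=(), exclude=(), only_write=False,
                   max_events=0, timeout=600.0, poll_interval=5.0):
    """Poll lookup() until max_events matches are found or the deadline passes (--timeout)."""
    deadline = time.monotonic() + timeout
    seen, found = set(), []
    while True:
        for record in lookup():  # LookupEvents wraps the raw event JSON as a string
            ev = json.loads(record["CloudTrailEvent"])
            if ev["eventID"] in seen:
                continue  # the same event comes back on every poll; de-duplicate
            seen.add(ev["eventID"])
            if keep_event(ev, detonation_id, include, exclude, only_write):
                found.append(ev)
                if max_events and len(found) >= max_events:
                    return found
        if time.monotonic() >= deadline:
            if max_events:
                raise TimeoutError(f"{len(found)}/{max_events} events before timeout")
            return found
        time.sleep(poll_interval)

# Constructed sample, not real CloudTrail data. Assumes the AWS CLI reports
# AWS_EXECUTION_ENV as 'exec-env/<value>' inside its User-Agent header.
DETONATION_ID = "grimoire_00000000-0000-4000-8000-000000000000"
UA = f"aws-cli/2.15.0 exec-env/{DETONATION_ID}"
def record(eid, source, name, read_only, ua):
    return {"CloudTrailEvent": json.dumps({"eventID": eid, "eventSource": source,
            "eventName": name, "readOnly": read_only, "userAgent": ua})}

SAMPLE_RECORDS = [record("e1", "sts.amazonaws.com", "GetCallerIdentity", True, UA),
                  record("e2", "iam.amazonaws.com", "CreateUser", False, UA),
                  record("e3", "iam.amazonaws.com", "ListUsers", True, "console.amazonaws.com")]
```

Note that `e3` is dropped purely because its User-Agent lacks the detonation UUID, which is the whole point of the tagging: other activity in the same account never pollutes the dataset.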
Install