Ideation: which attack techniques are relevant to our organization?
Research: how does the attack technique work? What logs or telemetry does it generate?
Gathering requirements: which logs are needed to implement the detection? Do we need more visibility or broader coverage before the detection can be implemented?
Development: define a concrete detection strategy and turn it into a detection rule.
Testing and deployment: test the rule, ideally against real-world data, to make sure it works as intended and does not produce too many false positives.
Maintenance: continuously collect metrics on the alerts the detection rule generates, and adjust and maintain the rule as needed.
1. Local command execution 2. SSH command execution 3. Stratus Red Team 4. AWS 5. Datadog Security signal alert matcher
git clone https://github.com/DataDog/threatest.git
go test -timeout 99999s cloudsiem_alerts_test.go -v
=== RUN TestCloudSIEMAWSAlerts
Detonating 'aws.initial-access.console-login-without-mfa' with Stratus Red Team
2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 17 seconds).
2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'AWS Console login without MFA') was created in Datadog (took 17 seconds).
2022/06/16 16:31:08 AWS console login: All assertions passed
Detonating 'aws.persistence.iam-create-admin-user' with Stratus Red Team
2022/06/16 16:31:14 AWS persistence IAM user: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 0 seconds).
2022/06/16 16:31:14 AWS persistence IAM user: All assertions passed
--- PASS: TestCloudSIEMAWSAlerts (126.53s)
PASS
go test cws_alerts_test.go -v
=== RUN TestCWSAlerts
Connecting over SSH
Connection succeeded
2022/06/16 16:25:20 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 12 seconds).
2022/06/16 16:25:20 curl to metadata service: All assertions passed
2022/06/16 16:25:42 Java spawning shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 19 seconds).
2022/06/16 16:25:42 Java spawning shell: All assertions passed
--- PASS: TestCWSAlerts (45.64s)
=== RUN TestCWSAlertsV2
Connecting over SSH
Connection succeeded
=== RUN TestCWSAlertsV2/curl_to_metadata_service
=== PAUSE TestCWSAlertsV2/curl_to_metadata_service
=== RUN TestCWSAlertsV2/java_spawns_shell
=== PAUSE TestCWSAlertsV2/java_spawns_shell
=== CONT TestCWSAlertsV2/java_spawns_shell
=== CONT TestCWSAlertsV2/curl_to_metadata_service
2022/06/16 16:26:02 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 11 seconds).
2022/06/16 16:26:02 curl to metadata service: All assertions passed
2022/06/16 16:26:02 java spawns shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 17 seconds).
2022/06/16 16:26:02 java spawns shell: All assertions passed
--- PASS: TestCWSAlertsV2 (0.06s)
--- PASS: TestCWSAlertsV2/java_spawns_shell (20.12s)
--- PASS: TestCWSAlertsV2/curl_to_metadata_service (20.24s)
PASS
package threatest_test

import (
	"testing"
	"time"

	. "github.com/datadog/threatest/pkg/threatest"                  // Threatest()
	. "github.com/datadog/threatest/pkg/threatest/detonators"       // StratusRedTeamTechnique, NewSSHCommandExecutor, NewCommandDetonator
	. "github.com/datadog/threatest/pkg/threatest/matchers/datadog" // DatadogSecuritySignal
	"github.com/stretchr/testify/assert"
)

// Cloud SIEM: detonate a Stratus Red Team technique and wait up to 15 minutes for the matching signal.
func TestCloudSIEMAWSAlerts(t *testing.T) {
	threatest := Threatest()
	threatest.Scenario("AWS console login").
		WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).
		Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
		WithTimeout(15 * time.Minute)
	assert.NoError(t, threatest.Run())
}

// Workload security: run the command over SSH on the test host and wait for the runtime signal.
func TestCWSAlerts(t *testing.T) {
	ssh, err := NewSSHCommandExecutor("test-box", "", "")
	if err != nil {
		t.Fatalf("SSH executor: %v", err) // do not run the scenario without a working executor
	}
	threatest := Threatest()
	threatest.Scenario("curl to metadata service").
		WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).
		Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))
	assert.NoError(t, threatest.Run())
}
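Both tests above follow the same loop: detonate, then poll the signal source until the expected detection appears or the timeout expires. The Go program below is an added example that models that loop, not Threatest's own code; every type in it (Scenario, Detonator, DetonatorFunc, Matcher, SignalStore, StoreSignal) is constructed for the illustration, and the in-memory SignalStore stands in for the SIEM's security-signal API. It shows the two behaviours a detection test must get right: a signal that arrives after some ingestion latency still counts (so the timeout must cover the pipeline's end-to-end delay), while a stale signal left by an earlier run must not satisfy a new detonation, which is why the matcher only accepts signals created at or after the detonation timestamp.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Detonator performs the attack-like action whose detection is under test.
type Detonator interface{ Detonate() error }

// DetonatorFunc adapts a plain function (a local or SSH command, ...) to Detonator.
type DetonatorFunc func() error

func (f DetonatorFunc) Detonate() error { return f() }

// Matcher reports whether the expected detection has fired since the detonation
// started; the runner polls it until the scenario times out.
type Matcher interface {
	Name() string
	HasMatched(since time.Time) (bool, error)
}

// Scenario couples one detonation with the signals it must produce.
type Scenario struct {
	Name      string
	Detonator Detonator
	Expected  []Matcher
	Timeout   time.Duration // budget for the detection pipeline's end-to-end latency
	Interval  time.Duration // delay between polls of the matchers
}

// Run detonates, then polls every expected matcher until all have matched or the
// timeout elapses; the error reports how many expected signals never showed up.
func (s Scenario) Run() error {
	start := time.Now()
	if err := s.Detonator.Detonate(); err != nil {
		return fmt.Errorf("%s: detonation failed: %w", s.Name, err)
	}
	pending := map[string]Matcher{}
	for _, m := range s.Expected {
		pending[m.Name()] = m
	}
	for len(pending) > 0 && time.Since(start) < s.Timeout {
		for name, m := range pending {
			if ok, err := m.HasMatched(start); err != nil {
				return fmt.Errorf("%s: matcher %q: %w", s.Name, name, err)
			} else if ok {
				delete(pending, name)
			}
		}
		if len(pending) > 0 {
			time.Sleep(s.Interval)
		}
	}
	if len(pending) > 0 {
		return fmt.Errorf("%s: timed out after %s with %d expected signal(s) never observed", s.Name, s.Timeout, len(pending))
	}
	return nil
}

// SignalStore is a constructed stand-in for a SIEM's security-signal API;
// Emit is the SIEM side of the pipeline and records that a rule fired now.
type SignalStore struct {
	mu      sync.Mutex
	firedAt map[string][]time.Time // rule name -> creation times of its signals
}

func NewSignalStore() *SignalStore { return &SignalStore{firedAt: map[string][]time.Time{}} }

func (st *SignalStore) Emit(rule string) {
	st.mu.Lock()
	defer st.mu.Unlock()
	st.firedAt[rule] = append(st.firedAt[rule], time.Now())
}

// StoreSignal is the matcher side. It accepts only signals created at or after
// the detonation, so a stale alert left by an earlier run cannot pass the test.
type StoreSignal struct {
	Store *SignalStore
	Rule  string
}

func (m StoreSignal) Name() string { return m.Rule }

func (m StoreSignal) HasMatched(since time.Time) (bool, error) {
	m.Store.mu.Lock()
	defer m.Store.mu.Unlock()
	for _, at := range m.Store.firedAt[m.Rule] {
		if !at.Before(since) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	store, rule := NewSignalStore(), "EC2 Instance Metadata Service Accessed via Network Utility"
	// Constructed detonation: its signal reaches the store 50 ms later (ingestion latency).
	curl := DetonatorFunc(func() error { go func() { time.Sleep(50 * time.Millisecond); store.Emit(rule) }(); return nil })
	s := Scenario{Name: "curl to metadata service", Detonator: curl, Timeout: time.Second, Interval: 10 * time.Millisecond,
		Expected: []Matcher{StoreSignal{Store: store, Rule: rule}}}
	fmt.Println(s.Name+":", s.Run()) // "<nil>" when the signal is observed within the timeout
}
```

In the real tool the matcher side is the Datadog security-signal API and WithTimeout plays the role of Timeout; the value you pick for it should be the worst-case delay of the whole pipeline (agent or CloudTrail delivery, ingestion, rule evaluation), and the output above shows why: the same signal took between 0 and 19 seconds to appear across runs.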
https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/