关于Threatest
检测工程
构思:哪些攻击技术与我们的组织相关? 研究:攻击技术是如何工作的?它生成什么日志或遥测数据? 收集要求:实现检测需要哪些日志?我们是否需要更多的可见性或更广泛的范围来实施检测? 开发:定义具体的检测策略以制定检测规则。 测试和部署:测试规则,最好是针对真实世界的数据,以确保它按预期工作,不会产生太多误报。 维护:持续收集检测规则生成的警报指标,并根据需要采取修改和维护。
支持的渗透测试技术和警报匹配器
1、本地命令执行 2、SSH命令执行 3、Stratus红队相关 4、AWS相关 5、Datadog Security信号警报匹配器
工具下载
git clone https://github.com/DataDog/threatest.git(向右滑动、查看更多)
工具使用
测试Cloud SIEM规则
go test -timeout 99999s cloudsiem_alerts_test.go -v(向右滑动、查看更多)
=== RUN TestCloudSIEMAWSAlertsDetonating 'aws.initial-access.console-login-without-mfa' with Stratus Red Team2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 17 seconds).2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'AWS Console login without MFA') was created in Datadog (took 17 seconds).2022/06/16 16:31:08 AWS console login: All assertions passedDetonating 'aws.persistence.iam-create-admin-user' with Stratus Red Team2022/06/16 16:31:14 AWS persistence IAM user: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 0 seconds).2022/06/16 16:31:14 AWS persistence IAM user: All assertions passed--- PASS: TestCloudSIEMAWSAlerts (126.53s)PASS
(向右滑动、查看更多)
测试CWS规则
go test cws_alerts_test.go -v
=== RUN TestCWSAlertsConnecting over SSHConnection succeeded2022/06/16 16:25:20 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 12 seconds).2022/06/16 16:25:20 curl to metadata service: All assertions passed2022/06/16 16:25:42 Java spawning shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 19 seconds).2022/06/16 16:25:42 Java spawning shell: All assertions passed--- PASS: TestCWSAlerts (45.64s)=== RUN TestCWSAlertsV2Connecting over SSHConnection succeeded=== RUN TestCWSAlertsV2/curl_to_metadata_service=== PAUSE TestCWSAlertsV2/curl_to_metadata_service=== RUN TestCWSAlertsV2/java_spawns_shell=== PAUSE TestCWSAlertsV2/java_spawns_shell=== CONT TestCWSAlertsV2/java_spawns_shell=== CONT TestCWSAlertsV2/curl_to_metadata_service2022/06/16 16:26:02 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 11 seconds).2022/06/16 16:26:02 curl to metadata service: All assertions passed2022/06/16 16:26:02 java spawns shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 17 seconds).2022/06/16 16:26:02 java spawns shell: All assertions passed--- PASS: TestCWSAlertsV2 (0.06s)--- PASS: TestCWSAlertsV2/java_spawns_shell (20.12s)--- PASS: TestCWSAlertsV2/curl_to_metadata_service (20.24s)PASS
(向右滑动、查看更多)
测试Stratus Red团队触发的Datadog Cloud SIEM信号
threatest := Threatest()threatest.Scenario("AWS console login").WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).WithTimeout(15 * time.Minute)assert.NoError(t, threatest.Run())
(向右滑动、查看更多)
测试通过SSH运行命令触发的Datadog Cloud Workload Security信号
ssh, _ := NewSSHCommandExecutor("test-box", "", "")threatest := Threatest()threatest.Scenario("curl to metadata service").WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))assert.NoError(t, threatest.Run())
(向右滑动、查看更多)
许可证协议
项目地址
参考资料:
https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/
精彩推荐
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NjA0NjgyMA==&mid=2651203333&idx=4&sn=211248e8de68b5cd28327a1f15958a03&chksm=bd1db58e8a6a3c981908961c9a520a0b96fc1dec046bafb909b3f01f5c8d1dbac2787e18e178#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh