Leonidas is a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) together with their associated detection properties. These definitions can then be compiled into:
- A web API that exposes each test case as an individual endpoint
- Sigma rules (https://github.com/Neo23x0/sigma) for detection
- Documentation, for example http://detectioninthe.cloud/
Installing the generator locally
- cd generator
- poetry install
Generating Sigma rules
- poetry run ./generator.py sigma
The generated rules are written to ./output/sigma
Generating documentation
- poetry run ./generator.py docs
- cd output
- mkdocs build
Example test case definition
  name: Enumerate Cloudtrails for a Given Region
  author: Nick Jones
  description: |
    An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
  category: Discovery
  mitre_ids:
    - T1526
  permissions:
    - cloudtrail:DescribeTrails
  input_arguments:
  executors:
    sh:
      code: |
        aws cloudtrail describe-trails
    leonidas_aws:
      implemented: True
      clients:
        - cloudtrail
      code: |
        result = clients["cloudtrail"].describe_trails()
  detection:
    sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449
    status: experimental
    level: low
    sources:
      - name: cloudtrail
        attributes:
          eventName: "DescribeTrails"
          eventSource: "*.cloudtrail.amazonaws.com"
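As an added example (not the project's generator code), the following Python compiles the detection block of the definition above into a Sigma rule and runs its selection over constructed CloudTrail-like records; the mapping onto Sigma's rule layout and the record values are assumptions made for the example.

```python
import fnmatch

# The page's test-case definition as a Python dict: a constructed stand-in
# for the YAML file (the real generator parses the YAML with a YAML library).
DEFINITION = {
    "name": "Enumerate Cloudtrails for a Given Region",
    "category": "Discovery",
    "mitre_ids": ["T1526"],
    "detection": {
        "sigma_id": "48653a63-085a-4a3b-88be-9680e9adb449",
        "status": "experimental",
        "level": "low",
        "sources": [{
            "name": "cloudtrail",
            "attributes": {"eventName": "DescribeTrails",
                           "eventSource": "*.cloudtrail.amazonaws.com"},
        }],
    },
}


def to_sigma(definition):
    """Compile the definition's detection block into a Sigma rule (dict).
    The field mapping is an assumption modelled on Sigma's rule layout:
    one selection built from the first source, tags from category and ids."""
    det = definition["detection"]
    src = det["sources"][0]
    return {
        "title": definition["name"],
        "id": det["sigma_id"],
        "status": det["status"],
        "level": det["level"],
        "logsource": {"product": "aws", "service": src["name"]},
        "detection": {"selection": dict(src["attributes"]),
                      "condition": "selection"},
        "tags": ["attack." + definition["category"].lower()]
                + ["attack." + m.lower() for m in definition["mitre_ids"]],
    }


def hits(rule, records):
    """Return the records matching every selection field; values are
    compared with Sigma-style '*' wildcards, case-insensitively."""
    sel = rule["detection"]["selection"]
    return [r for r in records
            if all(fnmatch.fnmatchcase(str(r.get(k, "")).lower(), v.lower())
                   for k, v in sel.items())]


# Constructed CloudTrail-like records for the demo, not real telemetry.
RECORDS = [
    {"eventName": "DescribeTrails", "eventSource": "x.cloudtrail.amazonaws.com"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.example.net"},
]
```

Only the first record satisfies both selection fields; the second differs in eventName and the third in eventSource, so hits() returns just that one.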