Leonidas is a framework for performing cloud attacks. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:
- A web API that exposes each test case as a single endpoint
- Sigma rules (https://github.com/Neo23x0/sigma) for detection
- Documentation, for example http://detectioninthe.cloud/
Generator Local Installation
- cd generator
- poetry install
Generating Sigma Rules
- poetry run ./generator.py sigma
The rules appear in ./output/sigma
Generating Documentation
The documentation is created as follows:
- poetry run ./generator.py docs
This generates Markdown versions of the definitions in output/docs. These can be uploaded to an existing Markdown-based documentation system, or the following can be used to build a static HTML site from them:
- cd output
- mkdocs build
This creates an output/site folder containing the HTML site. It can also be viewed locally by running mkdocs serve in the same folder.
Writing Definitions
The definitions are written in YAML format, for which an example is provided below. Documentation on how to write them can be found in Writing Definitions.
```yaml
---
name: Enumerate Cloudtrails for a Given Region
author: Nick Jones
description: |
  An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
category: Discovery
mitre_ids:
  - T1526
platform: aws
permissions:
  - cloudtrail:DescribeTrails
input_arguments:
executors:
  sh:
    code: |
      aws cloudtrail describe-trails
  leonidas_aws:
    implemented: True
    clients:
      - cloudtrail
    code: |
      result = clients["cloudtrail"].describe_trails()
detection:
  sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449
  status: experimental
  level: low
  sources:
    - name: "cloudtrail"
      attributes:
        eventName: "DescribeTrails"
        eventSource: "*.cloudtrail.amazonaws.com"
```
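To show what the generator does with the detection block above, here is an added example (not Leonidas's own generator code) that renders a Sigma rule from the definition and checks constructed CloudTrail records against its selection attributes. The Sigma field mapping and the sample records are this example's own assumptions; the definition is embedded as the dict PyYAML would produce, so it runs without a YAML library.

```python
import fnmatch

# The page's definition as PyYAML's safe_load would return it, embedded inline
# (description dropped) so the example runs offline without a YAML library.
DEFINITION = {
    "name": "Enumerate Cloudtrails for a Given Region",
    "author": "Nick Jones",
    "mitre_ids": ["T1526"],
    "detection": {
        "sigma_id": "48653a63-085a-4a3b-88be-9680e9adb449",
        "status": "experimental",
        "level": "low",
        "sources": [{"name": "cloudtrail",
                     "attributes": {"eventName": "DescribeTrails",
                                    "eventSource": "*.cloudtrail.amazonaws.com"}}],
    },
}

def to_sigma(definition):
    """Render a Sigma rule (YAML text) from the detection block; the field
    mapping is this example's own choice, not the Leonidas generator's."""
    det = definition["detection"]
    source = det["sources"][0]
    lines = [
        f"title: {definition['name']}",
        f"id: {det['sigma_id']}",
        f"status: {det['status']}",
        f"author: {definition['author']}",
        "logsource:",
        f"  service: {source['name']}",
        "detection:",
        "  selection:",
    ]
    lines += [f"    {k}: '{v}'" for k, v in source["attributes"].items()]
    lines += ["  condition: selection", "tags:"]
    lines += [f"  - attack.{tid.lower()}" for tid in definition["mitre_ids"]]
    lines.append(f"level: {det['level']}")
    return "\n".join(lines) + "\n"

def matches(definition, record):
    """True when a CloudTrail record satisfies every selection attribute;
    Sigma treats '*' as a wildcard, so values are compared with fnmatch."""
    attrs = definition["detection"]["sources"][0]["attributes"]
    return all(fnmatch.fnmatchcase(str(record.get(k, "")), v) for k, v in attrs.items())

# Constructed CloudTrail records (not real log data): one from the test case,
# one for an unrelated API call; eventSource is chosen to satisfy the glob above.
HIT = {"eventName": "DescribeTrails", "eventSource": "eu-west-1.cloudtrail.amazonaws.com"}
MISS = {"eventName": "CreateTrail", "eventSource": "eu-west-1.cloudtrail.amazonaws.com"}
```

Running `to_sigma(DEFINITION)` prints the rule and `matches(DEFINITION, HIT)` returns True while the unrelated record returns False, which is the behaviour the generated Sigma rule should reproduce in a SIEM.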
You can download the program from here.