Leonidas is a framework for performing cloud attacks. It provides a YAML-based format for defining cloud intruder tactics, techniques and procedures (TTPs) together with the detection properties that go with them. These definitions can then be turned into:
- An online API that lists each test case as a single endpoint
- Sigma rules (https://github.com/Neo23x0/sigma) for detection
- Documentation, for example http://detectioninthe.cloud/
Installing the Generator Locally
- cd generator
- poetry install
Generating Sigma Rules
- poetry run ./generator.py sigma
The rules appear in ./output/sigma
Generating Documentation
- poetry run ./generator.py docs
- cd output
- mkdocs build
Example test case definition:

---
name: Enumerate Cloudtrails for a Given Region
author: Nick Jones
description: |
  An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
category: Discovery
mitre_ids:
  - T1526
platform: aws
permissions:
  - cloudtrail:DescribeTrails
input_arguments:
executors:
  sh:
    code: |
      aws cloudtrail describe-trails
  leonidas_aws:
    implemented: True
    clients:
      - cloudtrail
    code: |
      result = clients["cloudtrail"].describe_trails()
detection:
  sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449
  status: experimental
  level: low
  sources:
    - name: "cloudtrail"
      attributes:
        eventName: "DescribeTrails"
        eventSource: "*.cloudtrail.amazonaws.com"
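How a test case's detection block becomes a Sigma rule, as an added Python example that is not the project's own generator.py: the input is the definition above re-typed as the dict a YAML loader returns (description shortened), and the field mapping follows the Sigma rule format, which is an assumption about what the generator emits rather than its actual output.

```python
import json

# Constructed input: the page's test case as a loaded dict (description shortened).
TEST_CASE = {
    "name": "Enumerate Cloudtrails for a Given Region",
    "author": "Nick Jones",
    "description": "An adversary may attempt to enumerate the configured trails.",
    "category": "Discovery",
    "mitre_ids": ["T1526"],
    "platform": "aws",
    "detection": {"sigma_id": "48653a63-085a-4a3b-88be-9680e9adb449",
                  "status": "experimental", "level": "low",
                  "sources": [{"name": "cloudtrail", "attributes": {
                      "eventName": "DescribeTrails",
                      "eventSource": "*.cloudtrail.amazonaws.com"}}]},
}


def to_sigma(case):
    """Build a Sigma rule (dict) from the detection block; assumes one source."""
    det = case["detection"]
    source = det["sources"][0]
    return {
        "title": case["name"],
        "id": det["sigma_id"],
        "status": det["status"],
        "description": case["description"].strip(),
        "author": case["author"],
        "tags": ["attack." + case["category"].lower()]
        + ["attack." + mid.lower() for mid in case["mitre_ids"]],
        "logsource": {"product": case["platform"], "service": source["name"]},
        # All attributes of the source are ANDed into one selection.
        "detection": {"selection": dict(source["attributes"]),
                      "condition": "selection"},
        "level": det["level"],
    }


def render_yaml(node, indent=0):
    # Minimal emitter; JSON-quoting scalars is valid YAML and keeps "*..." from
    # being parsed as an alias.
    pad, lines = "  " * indent, []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(render_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{key}: {json.dumps(value)}")
    else:  # list of scalars (the tags list)
        lines.extend(f"{pad}- {json.dumps(item)}" for item in node)
    return lines


def sigma_rule_text(case):
    return "\n".join(["---", *render_yaml(to_sigma(case))]) + "\n"
```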