New attack technique: Usage of ec2instanceconnect:SendSSHPublicKey on multiple instances

[adanalvarez]

What does this PR do?

• New attack technique

Motivation

I saw that this was an open issue: https://github.com/DataDog/stratus-red-team/issues/59

From the 2023 Global Cloud Threat Report from Sysdig: "The attacker leveraged an API called SendSSHPublicKey to gain access to EC2 instances as seen in the image below. Using this API, the attacker pushed an attacker‑supplied Secure Shell (SSH) public key to the specified EC2 instances, which then allowed anyone with the corresponding private key to connect directly to the systems via SSH. Once in, an attacker could take control of the machines and move on to the next step of their operation."

This attack technique creates 3 EC2 instances (this can be changed easily as there is a variable instance_count) and its VPC in the warmup. In the attack phase, it adds a public SSH key to each instance (it lasts for 60s).

• I added a new public key but it probably makes sense to generate a new one.
• The current infra does not expose SSH so there is no way to access the EC2 instances. (I have code with public instances and SSH in case you prefer this way).

Checklist

• [x] The attack technique emulates a single attack step, not a full attack chain
• [x] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
• [x] The attack technique makes no assumption about the state of the environment prior to warming it up

[christophetd]

Thanks for the contribution! Will review it later today

[christophetd]

Added a few tweaks in 861e1ed, but looks great overall! Will get it merged and trigger a new release

[christophetd]

Now released as part of v2.13.0, thanks for the great contribution!