RhinoSecurityLabs / pacu

The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/
BSD 3-Clause "New" or "Revised" License
4.36k stars 692 forks

`disrupt_monitoring.py` should have disruptions for all of the same services that `enum_monitoring.py` enumerates #4

Closed Riebart closed 6 years ago

Riebart commented 6 years ago

Disrupting monitoring applies to a variety of services: VPC flow logs, CloudTrail, AWS Config, CloudWatch alarms, S3 events, etc. CloudTrail and GuardDuty detectors are great, but there are other things that qualify too; essentially anything that takes an automated action based on the state of something or on an event can function as an alarm, depending on what we're trying to do/mutate.

SpenGietz commented 6 years ago

Finally have made these additions.

enum_monitoring now expands more into Config enumeration

disrupt_monitoring now can disrupt everything (at least everything relevant) that enum_monitoring enumerates, including VPC flow logs (delete), CloudTrail trails (delete, disable, modify), various Config resources (delete/disable), CloudWatch alarms (delete/disable actions), and GuardDuty detectors (delete/disable).

S3 events are on the roadmap, as well as another addition to GuardDuty, but this is what is currently implemented.

https://github.com/RhinoSecurityLabs/pacu/pull/40

I'll close this once it hits the master branch
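The defender's mirror of the disruption list in the comment above, as an added example that is not Pacu's code and is not taken from this thread or the linked pull request: every action the module is described as performing (deleting flow logs, deleting/stopping/modifying trails, deleting/stopping Config resources, deleting alarms or disabling their actions, deleting/disabling GuardDuty detectors) is itself a management API call that lands in CloudTrail, so a short rule over CloudTrail records catches the attempt. The mapping from the thread's wording to concrete `eventSource`/`eventName` pairs is an assumption on my part (the thread names no API calls), the sample records are constructed, and the `enable` field read from `UpdateDetector` request parameters is assumed to be logged as shown.

```python
import json
from typing import Dict, List, Optional, Tuple

# Assumed mapping of CloudTrail (eventSource, eventName) pairs to the disruption
# actions described in the thread. Not taken from Pacu; chosen by the editor.
DISRUPTION_CALLS: Dict[Tuple[str, str], str] = {
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "VPC flow logs deleted",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CloudTrail trail deleted",
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail trail disabled",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "CloudTrail trail modified",
    ("config.amazonaws.com", "DeleteConfigurationRecorder"): "Config recorder deleted",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "Config recorder disabled",
    ("config.amazonaws.com", "DeleteDeliveryChannel"): "Config delivery channel deleted",
    ("config.amazonaws.com", "DeleteConfigRule"): "Config rule deleted",
    ("monitoring.amazonaws.com", "DeleteAlarms"): "CloudWatch alarm deleted",
    ("monitoring.amazonaws.com", "DisableAlarmActions"): "CloudWatch alarm actions disabled",
    ("guardduty.amazonaws.com", "DeleteDetector"): "GuardDuty detector deleted",
    ("guardduty.amazonaws.com", "UpdateDetector"): "GuardDuty detector disabled",
}


def describe(record: dict) -> Optional[str]:
    """Return a description if this CloudTrail record is a monitoring-disruption call."""
    key = (record.get("eventSource", ""), record.get("eventName", ""))
    if key not in DISRUPTION_CALLS:
        return None
    # UpdateDetector is routine unless it actually turns the detector off; the
    # request body is assumed to be logged under requestParameters as {"enable": false}.
    if key == ("guardduty.amazonaws.com", "UpdateDetector"):
        params = record.get("requestParameters") or {}
        if params.get("enable") is not False:
            return None
    return DISRUPTION_CALLS[key]


def find_disruptions(log_text: str) -> List[dict]:
    """Scan a CloudTrail log file body (JSON with a "Records" list) for disruption calls.

    Failed calls (errorCode present, e.g. AccessDenied) are kept and marked, because a
    denied attempt to stop logging is still a strong signal of an attacker probing.
    """
    findings = []
    for r in json.loads(log_text)["Records"]:
        desc = describe(r)
        if desc is None:
            continue
        findings.append({
            "time": r.get("eventTime"),
            "principal": (r.get("userIdentity") or {}).get("arn", "<unknown>"),
            "region": r.get("awsRegion"),
            "action": r.get("eventName"),
            "description": desc,
            "succeeded": "errorCode" not in r,
        })
    return findings


# Constructed sample records (not real CloudTrail output); one benign read-only call,
# one successful StopLogging, one detector disable, and one denied DeleteFlowLogs.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-08-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "awsRegion": "us-east-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2018-08-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2018-08-01T10:02:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": False}},
    {"eventTime": "2018-08-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs", "awsRegion": "us-west-2", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"flowLogIds": ["fl-0123456789abcdef0"]}},
]})

if __name__ == "__main__":
    for f in find_disruptions(SAMPLE_LOG):
        status = "ok" if f["succeeded"] else "DENIED"
        print(f"{f['time']} {f['region']} {f['principal']} {f['action']}: {f['description']} [{status}]")
```

Two caveats worth keeping in mind when turning this into a production rule: CloudTrail records for a region are only written if that region's trail is still logging, so the `StopLogging`/`DeleteTrail` events themselves are the last thing a trail emits and should alert on the first occurrence; and `UpdateTrail` is legitimate during normal operations, so it warrants correlation (who, from where, what changed) rather than a page on its own.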