def prep_aws_connections(self):
""" Get all the required information before doing the mitigation. """
client = connection.Connection(type='client', service='ec2').connect()
logger.info("Initial connection to AmazonWebServices made.")
self.amazon = aws.AmazonWebServices(
connection.Connection(type='client', service='ec2'))
self.available_regions = self.amazon.regions
logger.info(("Inventory AWS Regions Complete {region_count} "
"found.".format(region_count=len(self.amazon.regions))))
self.availability_zones = self.amazon.availability_zones
logger.info(
("Inventory Availability Zones Complete {zone_count} "
"found.".format(zone_count=len(self.amazon.availability_zones))))
logger.info(("Beginning inventory of resources world wide. "
"This might take a minute..."))
self.aws_inventory = inventory.Inventory(
connection.Connection(type='client', service='ec2'),
self.available_regions)
logger.info(("Inventory complete. Proceeding to resource "
"identification."))
self.inventory = self.aws_inventory.inventory
def __init__(self,
case_number=None,
examiner_cidr_range='0.0.0.0/0',
case_bucket=None,
profile='default',
case_type=None):
self.profile = profile
self.ec2_client = connection.Connection(type='client',
service='ec2',
region='us-west-2',
profile=self.profile)
self.s3_resource = connection.Connection(type='resource',
service='s3',
region='us-west-2',
profile=self.profile)
if case_number:
self.case_number = case_number
else:
self.case_number = self._generate_case_number()
if case_bucket:
self.case_bucket = case_bucket
else:
self.case_bucket = self._setup_bucket(region='us-west-2')
self.examiner_cidr_range = examiner_cidr_range
def mitigate(self):
if self._target_type() == 'ip-address':
search = self.case.aws_inventory.locate_instance_by_ip(self.target)
if self._target_type() == 'instance-id':
search = self.case.aws_inventory.locate_instance_by_id(self.target)
if search is None:
raise ValueError(
'Target ip-address or instance-id not found in inventory.')
compromised_resource = compromised.CompromisedMetadata(
compromised_object_inventory=search,
case_number=self.case.case_number,
type_of_compromise='host_compromise',
examiner_cidr_range=self.case.examiner_cidr_range).data()
session = connection.Connection(
type='session', region=compromised_resource['region']).connect()
logger.info(
"Proceeding with incident plan steps included are {steps}".format(
steps=self.steps))
for action in self.steps:
logger.info("Executing step {step}.".format(step=action))
if 'get_memory' not in action:
step = self.plugins.source.load_plugin(action)
step.Plugin(boto_session=session,
compromised_resource=compromised_resource,
dry_run=False)
elif 'get_memory' == action:
logger.info("attempting memory run")
self.do_mem(session, compromised_resource)
def mitigate(self):
"""Any steps that run as part of key compromises."""
access_key = self.compromised_access_key_id
compromised_resource = compromised.CompromisedMetadata(
compromised_object_inventory={
'access_key_id': access_key,
'region': self.region
},
case_number=self.case.case_number,
type_of_compromise='key_compromise').data()
client = connection.Connection(
type='client',
service='iam',
region=compromised_resource['region']).connect()
self.logger.event_to_logs("Attempting key disable.")
# step 1 - disable access key
disableaccess_key.Disableaccess(
client=client,
compromised_resource=compromised_resource,
dry_run=False)
# step 2 - revoke and STS tokens issued prior to now
revokests_key.RevokeSTS(client=client,
compromised_resource=compromised_resource,
dry_run=False)
self.logger.event_to_logs("STS Tokens revoked issued prior to NOW.")
self.logger.event_to_logs("Disable complete. Uploading results.")
self.case.teardown(region=self.region,
resource_id=self.compromised_access_key_id)
def _setup_bucket(self, region):
"""Wrap s3 find or create in object"""
client = connection.Connection(type='client', service='s3').connect()
bucket_name = s3bucket.CaseBucket(self.case_number, region, client,
self.s3_resource).bucket.name
return bucket_name
def mitigate(self):
"""Any steps that run as part of key compromises."""
access_key = self.compromised_access_key_id
compromised_resource = compromised.CompromisedMetadata(
compromised_object_inventory={
'access_key_id': access_key,
'region': self.region
},
case_number=self.case.case_number,
type_of_compromise='key_compromise').data()
session = connection.Connection(type='session',
region='us-west-2').connect()
logger.info("Attempting key disable.")
for action in self.steps:
step = self.plugins.source.load_plugin(action)
step.Plugin(boto_session=session,
compromised_resource=compromised_resource,
dry_run=False)
def mitigate(self):
self.case.prep_aws_connections()
search = self.case.aws_inventory.locate_instance(self.compromised_host_ip)
if search == None:
raise ValueError('Compromised IP Address not found in inventory.')
compromised_resource = compromised.CompromisedMetadata(
compromised_object_inventory = search,
case_number=self.case.case_number,
type_of_compromise='host_compromise',
examiner_cidr_range=self.case.examiner_cidr_range
).data()
client = connection.Connection(
type='client',
service='ec2',
region=compromised_resource['region']
).connect()
# step 1 - isolate
isolate_host.Plugin(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
# step 2 - apply compromised tag
tag_host.Plugin(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
#step 3 - get instance metadata and store it
gather_host.Plugin(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
# step 4 - create snapshot
snapshotdisks_host.Plugin(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
# step 5 - gather memory
if compromised_resource['platform'] == 'windows':
logger.info('Platform is Windows skipping live memory')
else:
logger.info(("Attempting run margarita shotgun for {user} on "
"{ip} with {keyfile}".format(
user=self.user,
ip=self.compromised_host_ip,
keyfile=self.ssh_key_file_path
)))
try:
volatile_data = volatile.Memory(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
results = volatile_data.get_memory(
bucket=self.case.case_bucket,
ip=self.compromised_host_ip,
user=self.user,
key=self.ssh_key_file_path,
case_number=self.case.case_number
)
logger.info(("memory capture completed for: {0}, "
"failed for: {1}".format(results['completed'],
results['failed'])))
except Exception as ex:
# raise keyboard interrupt passed during memory capture
if isinstance(ex, KeyboardInterrupt):
raise
else:
logger.error(("Memory acquisition failure with exception"
"{exception}. ".format(exception=ex)))
# step 6 - shutdown instance
stop_host.Plugin(
client=client,
compromised_resource = compromised_resource,
dry_run=False
)
self.case.teardown(
region=compromised_resource['region'],
resource_id=compromised_resource['instance_id']
)
def __get_case_bucket(self):
client = connection.Connection(type='resource', service='s3').connect()
return client.Bucket(self.case_bucket)