diff --git a/ttps/cloud/aws/iam/create-new-iam-user/README.md b/ttps/cloud/aws/iam/create-new-iam-user/README.md new file mode 100644 index 0000000..7e9faf0 --- /dev/null +++ b/ttps/cloud/aws/iam/create-new-iam-user/README.md @@ -0,0 +1,43 @@ +# Create new IAM user + +![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue) + +This TTP is used to create a new IAM user in AWS. It uses the AWS CLI to create a new user with the specified name. + If a user with given name exists, nothing is done and the TTP is closed. + If a user does not exist a new user is created. + It is also deleted during cleanup. `--no-cleanup` options should be explicity specified if we do not want the new user created to be deleted. + + +## Arguments + + +- **iam_user_name**: The name of the new IAM user to be created. + +## Steps + +1. Set up necessary cloud environment variables. +2. Check if an IAM user exists with provided user name +3. Create a new IAM user if no existing user is found with given IAM user name. +4. By deafult during the cleanup, delete the recently created IAM user. + +## Manual Reproduction Steps + +``` + +# Check if a user exists with provided user name +aws iam get-user --user-name "IAM_USER_NAME" + +# Create a new user +aws iam create-user --user-name "IAM_USER_NAME" + +# Setup persistence command in a RC SHELL script file: eg +aws iam delete-user --user-name "IAM_USER_NAME" + +``` + +## MITRE ATT&CK Mapping + +- **Tactics**: + - TA0003 Persistence +- **Techniques**: + - T1098 Account Manipulation diff --git a/ttps/cloud/aws/iam/create-new-iam-user/create-new-iam-user.yaml b/ttps/cloud/aws/iam/create-new-iam-user/create-new-iam-user.yaml new file mode 100644 index 0000000..52c0a86 --- /dev/null +++ b/ttps/cloud/aws/iam/create-new-iam-user/create-new-iam-user.yaml @@ -0,0 +1,49 @@ +--- +api_version: 2.0 +uuid: 29f9ab13-4c19-410f-8638-082c7f5c4127 +name: create_iam_user +description: | + This TTP is used to create a new IAM user in AWS. It uses the AWS CLI to create a new user with the specified name. + If a user with given name exists, nothing is done and the TTP is closed. + If a user does not exist a new user is created. It is also deleted during cleanup. + `--no-cleanup` options should be explicity specified if we do not want the new user created to be deleted. + +args: + - name: iam_user_name + description: The name of the new IAM user to be created. + default: purple_trojan + +mitre: + tactics: + - TA0003 Persistence + techniques: + - T1098 Account Manipulation + +steps: + - name: aws-connector + description: This step invokes the verifies aws creds are present and aws cli is available. + ttp: //helpers/cloud/aws/validate-aws-env-configured.yaml + args: + region: "{{ .Args.region }}" + - name: create_user_if_does_not_exist + description: Check if the specified IAM user exists. If not create a new one. + inline: | + echo "Checking if user {{.Args.iam_user_name}} exists..." + set +e + aws iam get-user --user-name {{.Args.iam_user_name}} 2>&1 + user_exists=$? + set -e + if [ $user_exists -ne 0 ]; then + echo -e "User {{.Args.iam_user_name}} does not exist. Proceeding with creating new one... \n" + aws iam create-user --user-name {{.Args.iam_user_name}} + else + echo "User {{.Args.iam_user_name}} exists. Quitting..." + exit 1 + fi + cleanup: + inline: | + user_exists=$(aws iam get-user --user-name {{.Args.iam_user_name}} 2>&1) + if ! [ $? -ne 0 ]; then + echo -e "User {{.Args.iam_user_name}} found. Proceeding with deleting the user during cleanup... \n " + aws iam delete-user --user-name {{.Args.iam_user_name}} + fi