DataDog/threatest

GitHub: DataDog/threatest

A CLI and Go framework for end-to-end testing of threat detection rules: it executes attack techniques and verifies that the expected alerts are generated, to check that security detections actually work.

Stars: 339 | Forks: 25

# Threatest ![Unit tests](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/3dd00564ae021122.svg) ![Static analysis](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/14bd0ed9bd021124.svg)


Threatest is a CLI and Go framework for end-to-end testing of threat detection. Threatest lets you **detonate** an attack technique and verify that the alert you expect was generated in your security platform of choice.

Read the announcement blog post: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/

## Concepts

### Detonators

A **detonator** describes how and where an attack technique is executed.

Supported detonators:

* Local command execution
* SSH command execution
* Stratus Red Team
* AWS CLI detonator
* AWS detonator (programmatic usage only, not available from the CLI)

### Alert matchers

An **alert matcher** is a platform-specific integration that checks whether the expected alert was triggered.

Supported alert matchers:

* Datadog security signals

### Correlating detonations and alerts

Each detonation is assigned a UUID. This UUID is reflected in the detonation and is used to ensure that the matched alert corresponds precisely to this detonation.

How this is implemented depends on the detonator; for instance, the Stratus Red Team and AWS detonators inject the UUID into the user-agent, and the SSH detonator uses a parent process that contains the UUID.

## Usage

### Using the CLI

Threatest ships with a CLI that you can use to run test scenarios described in YAML, following a specific [schema](./schemas/threatest.schema.json). You can configure this schema in your editor to benefit from in-IDE linting and auto-completion (using the [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml) extension; see the [VSCode documentation](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml#associating-a-schema-to-a-glob-pattern-via-yaml.schemas)).

Install the CLI by downloading a [binary release](https://github.com/DataDog/threatest/releases) or using Homebrew:

```
brew tap datadog/threatest https://github.com/datadog/threatest
brew install datadog/threatest/threatest
```

Sample usage:

```
$ threatest lint scenarios.threatest.yaml
All 6 scenarios are syntaxically valid

# Local detonation
$ threatest run local-scenarios.threatest.yaml

# Remote detonation over SSH
$ threatest run scenarios.threatest.yaml --ssh-host test-box --ssh-username vagrant

# Alternatively, provide the SSH parameters through environment variables
$ export THREATEST_SSH_HOST=test-box
$ export THREATEST_SSH_USERNAME=vagrant
$ threatest run scenarios.threatest.yaml
```

**Sample scenario definition files**

* Detonation over SSH

```
scenarios:
  # Remote detonation over SSH
  # Note: SSH configuration is provided using the --ssh-host, --ssh-username and --ssh-keyfile CLI arguments
  - name: curl metadata service
    detonate:
      remoteDetonator:
        commands: ["curl http://169.254.169.254 --connect-timeout 1"]
    expectations:
      - timeout: 1m
        datadogSecuritySignal:
          name: "Network utility accessed cloud metadata service"
          severity: medium
```

* Detonation using Stratus Red Team

```
scenarios:
  # Stratus Red Team detonation
  # Note: You must be authenticated to the relevant cloud provider before running it
  # The example below is equivalent to manually running "stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress"
  - name: opening a security group to the Internet
    detonate:
      stratusRedTeamDetonator:
        attackTechnique: aws.exfiltration.ec2-security-group-open-port-22-ingress
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"
```

* Detonation using AWS CLI commands

```
scenarios:
  # AWS CLI detonation
  # Note: You must be authenticated to AWS before running it and have the AWS CLI installed
  - name: opening a security group to the Internet
    detonate:
      awsCliDetonator:
        script: |
          set -e

          # Setup
          vpc=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
          sg=$(aws ec2 create-security-group --group-name sample-sg --description "Test security group" --vpc-id $vpc --query GroupId --output text)

          # Open security group
          aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port 22 --cidr 0.0.0.0/0

          # Cleanup
          aws ec2 delete-security-group --group-id $sg
          aws ec2 delete-vpc --vpc-id $vpc
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"
```

You can write the test results to a JSON file:

```
$ threatest run scenarios.threatest.yaml --output test-results.json
$ cat test-results.json
[
  {
    "description": "change user password",
    "isSuccess": true,
    "errorMessage": "",
    "durationSeconds": 22.046627348,
    "timeDetonated": "2022-11-15T22:26:14.182844+01:00"
  },
  {
    "description": "adding an SSH key",
    "isSuccess": true,
    "errorMessage": "",
    "durationSeconds": 23.604699625,
    "timeDetonated": "2022-11-15T22:26:14.182832+01:00"
  },
  {
    "description": "change user password",
    "isSuccess": false,
    "errorMessage": "At least one scenario failed:\n\nchange user password returned: change user password: 1 assertions did not pass\n =\u003e Did not find Datadog security signal 'bar'\n",
    "durationSeconds": 3.505294235,
    "timeDetonated": "2022-11-15T22:26:36.229349+01:00"
  }
]
```

By default, scenarios run with a maximum parallelism of 5. You can raise this limit with the `--parallelism` argument. Note that when the remote SSH detonator is used, a new SSH connection is established for every scenario that runs.

### Using Threatest programmatically

See the [examples](./examples) for complete programmatic usage examples.

#### Testing Datadog Cloud SIEM signals triggered by Stratus Red Team

```
threatest := Threatest()

threatest.Scenario("AWS console login").
	WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).
	Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
	WithTimeout(15 * time.Minute)

assert.NoError(t, threatest.Run())
```

#### Testing Datadog Cloud Workload Security signals triggered by running commands over SSH

```
ssh, _ := NewSSHCommandExecutor("test-box", "", "")

threatest := Threatest()
threatest.Scenario("curl to metadata service").
	WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).
	Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))

assert.NoError(t, threatest.Run())
```
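The "Correlating detonations and alerts" section explains that each detonation gets a UUID which is carried into the detonation (for example inside the user-agent) so that only alerts produced by that detonation are matched. The following standard-library Go program is an added illustration of that idea and is not Threatest's own code: the UUID generator, the `UserAgentFor` format and the `Signal` type are this example's own assumptions, and the signals it matches against are constructed inline.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// NewDetonationUUID generates a random RFC 4122 version 4 UUID with only the
// standard library. Threatest assigns one id per detonation; how it generates
// that id is not shown on the page, so this generator is the example's own.
func NewDetonationUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits = 10xx
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// UserAgentFor embeds the detonation id in a user-agent string. The exact
// format is hypothetical; the point is only that the id travels with the request.
func UserAgentFor(id string) string {
	return "threatest-example/1.0 (detonation " + id + ")"
}

// Signal is a constructed stand-in for an alert returned by a security
// platform. Real Datadog security signals carry many more fields.
type Signal struct {
	Name      string
	Severity  string
	UserAgent string // user-agent recorded in the event that raised the alert
}

// MatchSignals keeps only the signals with the expected rule name whose
// recorded user-agent carries this detonation's id. A signal with the right
// name but another id (for instance from a scenario running in parallel)
// is rejected, which is exactly what the correlation is for.
func MatchSignals(signals []Signal, expectedName, id string) []Signal {
	var matched []Signal
	for _, s := range signals {
		if s.Name == expectedName && strings.Contains(s.UserAgent, id) {
			matched = append(matched, s)
		}
	}
	return matched
}

func main() {
	id, err := NewDetonationUUID()
	if err != nil {
		panic(err)
	}
	ua := UserAgentFor(id)
	// Constructed signals: one from this detonation, one from another run of
	// the same rule, and one unrelated rule that also saw our user-agent.
	signals := []Signal{
		{Name: "AWS Console login without MFA", Severity: "medium", UserAgent: ua},
		{Name: "AWS Console login without MFA", Severity: "medium", UserAgent: UserAgentFor("00000000-0000-4000-8000-000000000000")},
		{Name: "Some other rule", Severity: "low", UserAgent: ua},
	}
	matched := MatchSignals(signals, "AWS Console login without MFA", id)
	fmt.Printf("detonation %s: %d matching signal(s)\n", id, len(matched))
}
```

Running it prints one matching signal: the second signal has the right name but belongs to a different detonation, and the third carries our id but is a different rule. The same idea applies to the SSH detonator, where the UUID is found in the parent process rather than in a user-agent.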
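The `--output` JSON shown above is what a CI pipeline would consume to decide whether the detection suite passed. The following Go program, added here as an example and not part of Threatest, parses that format (field names taken from the sample output), summarises pass/fail counts, reports the slowest time-to-alert to help tune `timeout` values, and exits non-zero when any scenario failed. The embedded sample is constructed from the output above; passing a file path as the first argument reads a real results file instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Result mirrors one entry of the JSON written by `threatest run --output`
// (field names as in the sample output on this page).
type Result struct {
	Description     string  `json:"description"`
	IsSuccess       bool    `json:"isSuccess"`
	ErrorMessage    string  `json:"errorMessage"`
	DurationSeconds float64 `json:"durationSeconds"`
	TimeDetonated   string  `json:"timeDetonated"`
}

// Summary is what a CI step needs to decide whether the suite passed.
type Summary struct {
	Total, Passed, Failed int
	FailedScenarios       []string // descriptions of failed scenarios
	SlowestSeconds        float64  // longest time to alert among all scenarios
}

// Summarize parses a results file and aggregates it.
func Summarize(data []byte) (Summary, error) {
	var results []Result
	if err := json.Unmarshal(data, &results); err != nil {
		return Summary{}, fmt.Errorf("parsing results: %w", err)
	}
	s := Summary{Total: len(results)}
	for _, r := range results {
		if r.IsSuccess {
			s.Passed++
		} else {
			s.Failed++
			s.FailedScenarios = append(s.FailedScenarios, r.Description)
		}
		if r.DurationSeconds > s.SlowestSeconds {
			s.SlowestSeconds = r.DurationSeconds
		}
	}
	return s, nil
}

// sampleResults is constructed after the sample `--output` file shown above.
const sampleResults = `[
  {"description": "change user password", "isSuccess": true, "errorMessage": "", "durationSeconds": 22.046627348, "timeDetonated": "2022-11-15T22:26:14.182844+01:00"},
  {"description": "adding an SSH key", "isSuccess": true, "errorMessage": "", "durationSeconds": 23.604699625, "timeDetonated": "2022-11-15T22:26:14.182832+01:00"},
  {"description": "change user password", "isSuccess": false, "errorMessage": "At least one scenario failed:\n\nchange user password returned: change user password: 1 assertions did not pass\n =\u003e Did not find Datadog security signal 'bar'\n", "durationSeconds": 3.505294235, "timeDetonated": "2022-11-15T22:26:36.229349+01:00"}
]`

func main() {
	data := []byte(sampleResults)
	if len(os.Args) > 1 { // read a real results file when a path is given
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	s, err := Summarize(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%d/%d scenarios passed (slowest alert %.1fs)\n", s.Passed, s.Total, s.SlowestSeconds)
	for _, d := range s.FailedScenarios {
		fmt.Println("FAILED:", d)
	}
	if s.Failed > 0 {
		os.Exit(1) // fail the pipeline when a detection did not fire
	}
}
```

On the embedded sample this reports 2/3 scenarios passed, lists "change user password" as failed, and exits with status 1. Exit code 2 is reserved for unreadable or malformed input, so a broken results file is not mistaken for a detection failure.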