Merge pull request #149 from ian-barbour/TTX-AndromedaGales

SOSS Community Day NA 2024

docs/TTX/Andromeda_Gales/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml → docs/TTX/SOSS Community Day NA 2024/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml

@@ -1,23 +1,23 @@
-kind: Event
-apiVersion: audit.k8s.io/v1
-level: RequestResponse
-timestamp: "2024-02-29T21:00:00Z"
-auditID: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6
-stage: ResponseComplete
-requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec"
-verb: create
-user:
-  username: system:serviceaccount:default:andromeda-service-account
-  uid: "123456"
-  groups:
-  - system:serviceaccounts
-  - system:serviceaccounts:default
-  - system:authenticated
-sourceIPs: ["192.0.2.123"]
-responseObject:
-  status: "Success"
-  reason: "Executed Encoded Command"
-annotations:
-  kubernetes.io/encoded-command: "[Redacted for Security]"
-  authorization.k8s.io/decision: "allow"
+kind: Event
+apiVersion: audit.k8s.io/v1
+level: RequestResponse
+timestamp: "2024-02-29T21:00:00Z"
+auditID: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6
+stage: ResponseComplete
+requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec"
+verb: create
+user:
+  username: system:serviceaccount:default:andromeda-service-account
+  uid: "123456"
+  groups:
+  - system:serviceaccounts
+  - system:serviceaccounts:default
+  - system:authenticated
+sourceIPs: ["192.0.2.123"]
+responseObject:
+  status: "Success"
+  reason: "Executed Encoded Command"
+annotations:
+  kubernetes.io/encoded-command: "[Redacted for Security]"
+  authorization.k8s.io/decision: "allow"
   authorization.k8s.io/reason: "RBAC: allowed by RoleBinding andromeda-rb/default to ServiceAccount andromeda-service-account"

docs/TTX/Andromeda_Gales/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json → docs/TTX/SOSS Community Day NA 2024/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json

@@ -1,23 +1,23 @@
-{
-  "timestamp": "2024-02-29T21:05:00Z",
-  "logStream": "AndromedaWebCluster/andromeda-web-app-container",
-  "message": "Outbound connection attempt to masqueraded C2 hostname detected. Hostname matches internal service, but DNS resolution history is suspicious. Protocol pattern mimics legitimate service traffic, indicating potential obfuscation efforts.",
-  "kubernetes": {
-    "cluster": "AndromedaWebCluster",
-    "namespace": "default",
-    "pod": "andromeda-web-app-container",
-    "container": "andromeda-web-app"
-  },
-  "network": {
-    "destinationHostname": "internal-service.companydomain.com",
-    "resolvedIP": "malicious[.]ip[.]address",
-    "protocol": "HTTPS",
-    "action": "OutboundConnectionAttempt",
-    "outcome": "Success"
-  },
-  "threat": {
-    "indicator": "C2TrafficMasquerading",
-    "level": "High",
-    "response": "AlertGenerated"
-  }
+{
+  "timestamp": "2024-02-29T21:05:00Z",
+  "logStream": "AndromedaWebCluster/andromeda-web-app-container",
+  "message": "Outbound connection attempt to masqueraded C2 hostname detected. Hostname matches internal service, but DNS resolution history is suspicious. Protocol pattern mimics legitimate service traffic, indicating potential obfuscation efforts.",
+  "kubernetes": {
+    "cluster": "AndromedaWebCluster",
+    "namespace": "default",
+    "pod": "andromeda-web-app-container",
+    "container": "andromeda-web-app"
+  },
+  "network": {
+    "destinationHostname": "internal-service.companydomain.com",
+    "resolvedIP": "malicious[.]ip[.]address",
+    "protocol": "HTTPS",
+    "action": "OutboundConnectionAttempt",
+    "outcome": "Success"
+  },
+  "threat": {
+    "indicator": "C2TrafficMasquerading",
+    "level": "High",
+    "response": "AlertGenerated"
+  }
 }

docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_K8.yaml → docs/TTX/SOSS Community Day NA 2024/Event_Logs/15_Network_Boundary_Bridging_K8.yaml

@@ -1,18 +1,18 @@
-kind: Event
-apiVersion: audit.k8s.io/v1
-level: RequestResponse
-timestamp: "2024-02-29T22:30:00Z"
-auditID: d7e8f9g0-h1i2-j3k4-l5m6-n7o8p9q0r1s2
-stage: ResponseComplete
-requestURI: "/apis/networking.k8s.io/v1/namespaces/default/networkpolicies"
-verb: "list"
-user:
-  username: "system:serviceaccount:default:andromeda-service-account"
-sourceIPs: ["10.244.2.2"]
-responseObject:
-  kind: NetworkPolicyList
-  apiVersion: networking.k8s.io/v1
-annotations:
-  kubernetes.io/network-boundary-bridging: "Attempted enumeration of network policies to identify zero-trust boundary weaknesses."
-responseStatus:
+kind: Event
+apiVersion: audit.k8s.io/v1
+level: RequestResponse
+timestamp: "2024-02-29T22:30:00Z"
+auditID: d7e8f9g0-h1i2-j3k4-l5m6-n7o8p9q0r1s2
+stage: ResponseComplete
+requestURI: "/apis/networking.k8s.io/v1/namespaces/default/networkpolicies"
+verb: "list"
+user:
+  username: "system:serviceaccount:default:andromeda-service-account"
+sourceIPs: ["10.244.2.2"]
+responseObject:
+  kind: NetworkPolicyList
+  apiVersion: networking.k8s.io/v1
+annotations:
+  kubernetes.io/network-boundary-bridging: "Attempted enumeration of network policies to identify zero-trust boundary weaknesses."
+responseStatus:
   code: 200

docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml → docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml

@@ -1,15 +1,15 @@
-kind: Event
-apiVersion: audit.k8s.io/v1
-level: Metadata
-timestamp: "2024-02-29T22:40:00Z"
-auditID: u1v2w3x4-y5z6-a7b8-c9d0-e1f2g3h4i5j6
-stage: ResponseComplete
-requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles"
-verb: "list"
-user:
-  username: "system:serviceaccount:default:andromeda-service-account"
-sourceIPs: ["10.244.2.3"]
-annotations:
-  kubernetes.io/role-exploitation: "Listed roles in the default namespace to find overly permissive configurations for privilege escalation."
-responseStatus:
+kind: Event
+apiVersion: audit.k8s.io/v1
+level: Metadata
+timestamp: "2024-02-29T22:40:00Z"
+auditID: u1v2w3x4-y5z6-a7b8-c9d0-e1f2g3h4i5j6
+stage: ResponseComplete
+requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles"
+verb: "list"
+user:
+  username: "system:serviceaccount:default:andromeda-service-account"
+sourceIPs: ["10.244.2.3"]
+annotations:
+  kubernetes.io/role-exploitation: "Listed roles in the default namespace to find overly permissive configurations for privilege escalation."
+responseStatus:
   code: 200