redcanaryco · patel-bhavin · Mar 13, 2024 · Jan 18, 2024 · Jan 18, 2024 · Jan 18, 2024
diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
@@ -54,3 +54,39 @@ atomic_tests:
       rm -rf stratus*
     name: sh
     elevation_required: false
+
+- name: AWS - EC2 Security Group Enumeration
+  description: "Simulate an attacker's action to enumerate EC2 Security Groups in a compromised AWS environment."
+  supported_platforms:
+    - iaas:aws
+  input_arguments:
+    aws_profile:
+      description: AWS CLI profile name
+      type: string
+      default: default
+    output_format:
+      description: Desired output format (text, table, json)
+      type: string
+      default: json
+
+  executor:
+    name: command_prompt
+    command: |
+      aws ec2 describe-security-groups --profile #{aws_profile} --output #{output_format}
+
+  dependencies:
+    - description: AWS CLI installed and configured with the necessary access rights.
+      prereq_command: type aws || aws --version
+      get_prereq_command: |
+        if [ "$(uname)" = "Darwin" ] || [ "$(expr substr $(uname) 1 5)" = "Linux" ]; then
+          curl "https://aws.amazon.com/cli/" -o "Install-AWSCLI.sh" && sh Install-AWSCLI.sh
+        elif [ "$(expr substr $(uname) 1 5)" = "MINGW" ]; then
+          Invoke-WebRequest -Uri "https://aws.amazon.com/cli/" -OutFile "Install-AWSCLI.ps1"; .\Install-AWSCLI.ps1
+        fi
+    - description: Check if AWS CLI is installed and configured.
+      prereq_command: |
+        aws sts get-caller-identity --profile #{aws_profile}
+      get_prereq_command: |
+        if ! aws sts get-caller-identity --profile #{aws_profile}; then
+          echo "AWS CLI not properly configured. Please configure AWS CLI."
+        fi