Leonidas : Automated Attack Simulation In The Cloud, Complete With Detection Use Cases

This is the repository containing Leonidas, a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:

Deploying The API

The API is deployed via an AWS-native CI/CD pipeline. Instructions for this can be found at Deploying Leonidas.

Using The API

The API is invoked via web requests secured by an API key. Details on using the API can be found at Using Leonidas

Installing The Generator Locally

To build documentation or Sigma rules, you’ll need to install the generator locally. You can do this by:

cd generator
poetry install

Generating Sigma Rules

Sigma rules can be generated as follows:

poetry run ./generator.py sigma

The rules will then appear in ./output/sigma

Generating Documentation

The documentation is generated as follows:

poetry run ./generator.py docs

This will produce markdown versions of the documentation available at output/docs. This can be uploaded to an existing markdown-based documentation system, or the following can be used to create a prettified HTML version of the docs:

cd output
mkdocs build

This will create a output/site folder containing the HTML site. It is also possible to view this locally by running mkdocs serve in the same folder.

Writing Definitions

The definitions are written in a YAML-based format, for which an example is provided below. Documentation on how to write these can be found in Writing Definitions

---
name: Enumerate Cloudtrails for a Given Region
author: Nick Jones
description: |
  An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.
category: Discovery
mitre_ids:
  - T1526
platform: aws
permissions:
  - cloudtrail:DescribeTrails
input_arguments:
executors:
  sh:
    code: |
      aws cloudtrail describe-trails
  leonidas_aws:
    implemented: True
    clients:
      - cloudtrail
    code: |
      result = clients["cloudtrail"].describe_trails()
detection:
  sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449
  status: experimental
  level: low
  sources:
    - name: "cloudtrail"
      attributes:
        eventName: "DescribeTrails"
        eventSource: "*.cloudtrail.amazonaws.com"
R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

1 hour ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

22 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

23 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago