Fix local detonator and add example

DataDog · Aug 29, 2022 · d853732 · d853732
1 parent fedaafd
commit d853732
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/examples/local_detonator_test.go b/examples/local_detonator_test.go
@@ -0,0 +1,32 @@
+package examples
+
+import (
+	"fmt"
+	_ "github.com/datadog/stratus-red-team/v2/pkg/stratus/loader" // Note: This import is needed
+	. "github.com/datadog/threatest/pkg/threatest"
+	. "github.com/datadog/threatest/pkg/threatest/detonators"
+	. "github.com/datadog/threatest/pkg/threatest/matchers/datadog"
+	"testing"
+	"time"
+)
+
+func TestLocalDetonator(t *testing.T) {
+	localExecutor := &LocalCommandExecutor{}
+
+	threatest := Threatest()
+
+	threatest.Scenario("curl to metadata service").
+		WhenDetonating(NewCommandDetonator(localExecutor, "curl http://169.254.169.254 --connect-timeout 5")).
+		Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility")).
+		WithTimeout(1 * time.Second)
+
+	threatest.Scenario("Java spawning shell").
+		WhenDetonating(NewCommandDetonator(localExecutor, `cp /bin/bash /tmp/java; /tmp/java -c "curl 1.1.1.1"`)).
+		Expect(DatadogSecuritySignal("Java process spawned shell/utility")).
+		WithTimeout(1 * time.Second)
+
+	if err := threatest.Run(); err != nil {
+		fmt.Println("Test failed: " + err.Error())
+		t.Fail()
+	}
+}
diff --git a/pkg/threatest/detonators/local_command_detonator.go b/pkg/threatest/detonators/local_command_detonator.go
@@ -11,7 +11,7 @@ type LocalCommandExecutor struct{}
 func (m *LocalCommandExecutor) RunCommand(command string) (string, error) {
 	fmt.Println("Executing " + command)
 	id, _ := uuid.GenerateUUID()
-	_, err := exec.Command(FormatCommand(command, id)).Output()
+	_, err := exec.Command("bash", "-c", FormatCommand(command, id)).Output()
 	if err != nil {
 		return "", err
 	}