├── Dockerfile ├── LICENSE ├── LICENSE-3rdparty.csv ├── NOTICE ├── README.md ├── docker-compose.yaml ├── notrelevant.md ├── notrelevant_layer.json └── tools ├── README.md ├── cpuspiker-amd64 ├── cpuspiker-arm64 └── cpuspiker.go /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:jammy 2 | 3 | # Install PowerShell 4 | RUN \ 5 | apt-get update && \ 6 | apt-get install -y wget apt-transport-https software-properties-common lsb-core && \ 7 | wget -q "https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb" && \ 8 | dpkg -i packages-microsoft-prod.deb && \ 9 | rm packages-microsoft-prod.deb && \ 10 | apt-get update && \ 11 | apt-get install -y powershell 12 | 13 | # Install prerequisites 14 | RUN \ 15 | apt-get install -y sudo make kmod gcc nmap clang iproute2 curl 16 | 17 | # Install Atomic Red Team and download atomics 18 | RUN \ 19 | pwsh -Command "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/v2.0.0.0/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics" 20 | 21 | # Create a PowerShell profile so the Invoke-AtomicRedTeam 22 | # module is imported automatically 23 | RUN \ 24 | mkdir -p /root/.config/powershell && \ 25 | echo 'Import-Module "/root/AtomicRedTeam/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1" -Force' > /root/.config/powershell/profile.ps1 26 | 27 | CMD ["sleep", "infinity"] -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /LICENSE-3rdparty.csv: -------------------------------------------------------------------------------- 1 | Component,Origin,License,Copyright 2 | evaluator,https://github.com/redcanaryco/atomic-red-team,MIT,Copyright (c) 2018 Red Canary, Inc. 3 | evaluator,https://github.com/redcanaryco/invoke-atomicredteam,MIT,Copyright (c) 2018 Red Canary, Inc. -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Datadog Workload Security Evaluator 2 | Copyright [2023-Present] Datadog, Inc. 3 | 4 | This product includes software developed at Datadog ( -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Workload Security Evaluator provides tooling to simulate runtime attacks and test default runtime detections from Datadog Cloud Security Management. Tests are completed using [Atomic Red Team](https://atomicredteam.io/). 2 | 3 | Read the [corresponding blog post](https://datadoghq.com/blog/workload-security-evaluator) for more details. 4 | 5 | - [Requirements](#requirements) 6 | - [Getting started](#getting-started) 7 | - [Atomic test organization](#atomic-test-organization) 8 | - [Test against real-world threats](#test-against-real-world-threats) 9 | - [Techniques not relevant to production workloads](#techniques-not-relevant-to-production-workloads) 10 | 11 | ## Requirements 12 | 13 | Workload Security Evaluator runs on Docker. For the most accurate results, Datadog recommends launching a compute instance in your preferred cloud provider. Alternatively, use a virtual machine or Docker Desktop. Apple silicon is not supported. 14 | 15 | ## Getting started 16 | 17 | 1. Build and run the containers with the following commands. 18 | ``` 19 | export DD_API_KEY="" # Found at https://app.datadoghq.com/organization-settings/api-keys 20 | docker compose build 21 | docker compose up -d 22 | ``` 23 | 2. Enter the evaluator container and run atomics. 24 | ``` 25 | docker exec -it atomicredteam /usr/bin/pwsh 26 | Invoke-AtomicTest T1105-27 -ShowDetails 27 | Invoke-AtomicTest T1105-27 -GetPrereqs # Download packages or payloads 28 | Invoke-AtomicTest T1105-27 29 | ``` 30 | 3. Check for a signal in the Datadog [Signals Explorer](https://app.datadoghq.com/security?query=env%3Aemulation) page. Signals from Workload Security Evaluator are tagged with `env:emulation` to differentiate them from real security threats. 31 | 4. Revert the changes made by the atomic. 32 | ``` 33 | Invoke-AtomicTest T1053.003-2 -Cleanup 34 | ``` 35 | 5. Repeat with a different atomic. 36 | 6. Shutdown the containers. 37 | ``` 38 | docker compose down 39 | ``` 40 | 41 | ## Atomic test organization 42 | 43 | [Atomic Red Team](https://atomicredteam.io/) often contains multiple tests for the same ATT&CK technique. For example, the test identifier T1136.001-1 refers to the first test for MITRE ATT&CK technique T1136.001 (Create Account: Local Account). This test creates an account on a Linux system. The second test, T1136.001-2, creates an account on a MacOS system. 44 | 45 | ## Test against real-world threats 46 | 47 | The following atomics are recommended as a starting point. They emulate techniques that were observed in real attacks targeting cloud workloads. 48 | 49 | | Atomic ID | Atomic Name | Datadog Rule |Source| 50 | |-----------|-------------|--------------|------| 51 | |T1105-27|[Linux Download File and Run](https://atomicredteam.io/command-and-control/T1105/#atomic-test-27---linux-download-file-and-run)|[Executable bit added to new file](https://docs.datadoghq.com/security/default_rules/executable_bit_added/)|[Source](https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/)| 52 | |T1046-2|[Port Scan Nmap](https://atomicredteam.io/discovery/T1046/#atomic-test-2---port-scan-nmap)|[Network scanning utility executed](https://docs.datadoghq.com/security/default_rules/common_net_intrusion_util/)|[Source](https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/)| 53 | |T1574.006-1|[Shared Library Injection via /etc/ld.so.preload](https://atomicredteam.io/defense-evasion/T1574.006/#atomic-test-1---shared-library-injection-via-etcldsopreload)|[Suspected dynamic linker hijacking attempt](https://docs.datadoghq.com/security/default_rules/suspected_dynamic_linker_hijacking/)|[Source](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/)| 54 | |T1053.003-2|[Cron - Add script to all cron subfolders](https://atomicredteam.io/privilege-escalation/T1053.003/#atomic-test-2---cron---add-script-to-all-cron-subfolders)|[Cron job modified](https://docs.datadoghq.com/security/default_rules/cron_at_job_injection/)|[Source](https://blog.talosintelligence.com/rocke-champion-of-monero-miners/) 55 | |T1070.003-1|[Clear Bash history (rm)](https://atomicredteam.io/defense-evasion/T1070.003/#atomic-test-1---clear-bash-history-(rm))|[Shell command history modified](https://docs.datadoghq.com/security/default_rules/shell_history_tamper/)|[Source](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/)| 56 | 57 | For a full list of Datadog's runtime detections, visit the [Out-of-the-box (OOTB) rules](https://docs.datadoghq.com/security/default_rules/?category=cat-csm-threats) page. MITRE ATT&CK tactic and technique information is provided for every rule. 58 | 59 | ## Techniques not relevant to production workloads 60 | 61 | The MITRE ATT&CK [Linux Matrix](https://attack.mitre.org/matrices/enterprise/linux/) contains techniques for Linux hosts with a variety of purposes. Testing the techniques located in [notrelevant.md](notrelevant.md) is not recommended, because they are focused on Linux workstations or are unlikely to be detected using operating system events. 62 | 63 | [Visualize with ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fraw%2Egithubusercontent%2Ecom%2FDataDog%2Fworkload-security-evaluator%2Fmain%2Fnotrelevant_layer%2Ejson). -------------------------------------------------------------------------------- /docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | datadog: 4 | image: gcr.io/datadoghq/agent:7 5 | container_name: datadog 6 | pid: host 7 | security_opt: 8 | - apparmor:unconfined 9 | cap_add: 10 | - SYS_ADMIN 11 | - SYS_RESOURCE 12 | - SYS_PTRACE 13 | - NET_ADMIN 14 | - NET_BROADCAST 15 | - NET_RAW 16 | - IPC_LOCK 17 | - CHOWN 18 | volumes: 19 | - /var/run/docker.sock:/var/run/docker.sock:ro 20 | - /proc/:/host/proc/:ro 21 | - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro 22 | - /etc/passwd:/etc/passwd:ro 23 | - /etc/group:/etc/group:ro 24 | - /:/host/root:ro 25 | - /sys/kernel/debug:/sys/kernel/debug 26 | - /etc/os-release:/etc/os-release 27 | environment: 28 | - DD_TAGS="env:emulation" 29 | - DD_API_KEY=${DD_API_KEY} 30 | - DD_SITE=datadoghq.com 31 | - DD_RUNTIME_SECURITY_CONFIG_ENABLED=true 32 | - DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED=true 33 | - DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED=true 34 | - DD_RUNTIME_SECURITY_CONFIG_SECURITY_PROFILE_AUTO_SUPPRESSION_ENABLED=false 35 | - DD_RUNTIME_SECURITY_CONFIG_ACTIVITY_DUMP_AUTO_SUPPRESSION_ENABLED=false 36 | - DD_REMOTE_CONFIGURATION_ENABLED=true 37 | - HOST_ROOT=/host/root 38 | atomicredteam: 39 | build: . 40 | container_name: atomicredteam -------------------------------------------------------------------------------- /notrelevant.md: -------------------------------------------------------------------------------- 1 | | Tactic | Technique |Comment| 2 | |--------|-----------|-------| 3 | |TA0001 - Initial Access|T1200 - Hardware Additions|Focused on on-prem environments| 4 | |TA0002 - Execution|T1204 - User Execution|Focused on workstations| 5 | |TA0003 - Persistence|T1176 - Browser Executions|Focused on workstations| 6 | |TA0003 - Persistence|T1554 - Compromise Client Software Binary|Focused on workstations| 7 | |TA0003 - Persistence|T1525 - Implant Internal Image|Not suitable for runtime detection| 8 | |TA0005 - Defense Evasion|T1612 - Build Image on Host|Not suitable for runtime detection| 9 | |TA0005 - Defense Evasion|T1550 - Use Alternate Authentication Material|Not suitable for runtime detection| 10 | |TA0006 - Credential Access|T1555 - Credentials from Password Stores|Focused on workstations| 11 | |TA0006 - Credential Access|T1212 - Exploitation for Credential Access|Not suitable for runtime detection| 12 | |TA0006 - Credential Access|T1606 - Forge Web Credentials|Not suitable for runtime detection| 13 | |TA0006 - Credential Access|T1056 - Input Capture|Focused on workstations| 14 | |TA0006 - Credential Access|T1111 - Multi-Factor Authentication Interception|Not suitable for runtime detection| 15 | |TA0006 - Credential Access|T1621 - Multi-Factor Authentication Request Generation|Not suitable for runtime detection| 16 | |TA0006 - Credential Access|T1539 - Steal Web Session Cookie|Focused on workstations| 17 | |TA0007 - Discovery|T1010 - Application Window Discovery|Focused on workstations| 18 | |TA0007 - Discovery|T1217 - Browser Information Discovery|Focused on workstations| 19 | |TA0007 - Discovery|T1120 - Peripheral Device Discovery|Focused on workstations| 20 | |TA0008 - Lateral Movement|T1550 - Use Alternate Authentication Material|Not suitable for runtime detection| 21 | |TA0009 - Collection|T1123 - Audio Capture|Focused on workstations| 22 | |TA0009 - Collection|T1115 - Clipboard Data|Focused on workstations| 23 | |TA0009 - Collection|T1213 - Data from Information Repositories|Not suitable for runtime detection| 24 | |TA0009 - Collection|T1025 - Data from Removable Media|Focused on on-prem environments| 25 | |TA0009 - Collection|T1114 - Email Collection|Focused on workstations| 26 | |TA0009 - Collection|T1056 - Input Capture|Focused on workstations| 27 | |TA0009 - Collection|T1113 - Screen Capture|Focused on workstations| 28 | |TA0009 - Collection|T1125 - Video Capture|Focused on workstations| 29 | |TA0011 - Command and Control|T1092 - Communication Through Removable Media|Focused on on-prem environments| 30 | |TA0010 - Exfiltration|T1011 - Exfiltration Over Other Network Medium|Focused on on-prem environments| 31 | |TA0010 - Exfiltration|T1052 - Exfiltration Over Physical Medium|Focused on on-prem environments| -------------------------------------------------------------------------------- /notrelevant_layer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Techniques not relevant to production workloads", 3 | "versions": { 4 | "attack": "13", 5 | "navigator": "4.8.2", 6 | "layer": "4.4" 7 | }, 8 | "domain": "enterprise-attack", 9 | "description": "These techniques are located in the Linux or Containers matrices, but are not relevant to cloud-native production workloads.", 10 | "filters": { 11 | "platforms": [ 12 | "Linux", 13 | "Containers" 14 | ] 15 | }, 16 | "sorting": 0, 17 | "layout": { 18 | "layout": "side", 19 | "aggregateFunction": "average", 20 | "showID": false, 21 | "showName": true, 22 | "showAggregateScores": false, 23 | "countUnscored": false 24 | }, 25 | "hideDisabled": false, 26 | "techniques": [ 27 | { 28 | "techniqueID": "T1113", 29 | "tactic": "collection", 30 | "color": "", 31 | "comment": "Focused on workstations", 32 | "enabled": false, 33 | "metadata": [], 34 | "links": [], 35 | "showSubtechniques": false 36 | }, 37 | { 38 | "techniqueID": "T1123", 39 | "tactic": "collection", 40 | "color": "", 41 | "comment": "Focused on workstations", 42 | "enabled": false, 43 | "metadata": [], 44 | "links": [], 45 | "showSubtechniques": false 46 | }, 47 | { 48 | "techniqueID": "T1539", 49 | "tactic": "credential-access", 50 | "color": "", 51 | "comment": "Focused on workstations", 52 | "enabled": false, 53 | "metadata": [], 54 | "links": [], 55 | "showSubtechniques": false 56 | }, 57 | { 58 | "techniqueID": "T1114", 59 | "tactic": "collection", 60 | "color": "", 61 | "comment": "Focused on workstations", 62 | "enabled": false, 63 | "metadata": [], 64 | "links": [], 65 | "showSubtechniques": false 66 | }, 67 | { 68 | "techniqueID": "T1025", 69 | "tactic": "collection", 70 | "color": "", 71 | "comment": "Focused on on-prem environments", 72 | "enabled": false, 73 | "metadata": [], 74 | "links": [], 75 | "showSubtechniques": false 76 | }, 77 | { 78 | "techniqueID": "T1115", 79 | "tactic": "collection", 80 | "color": "", 81 | "comment": "Focused on workstations", 82 | "enabled": false, 83 | "metadata": [], 84 | "links": [], 85 | "showSubtechniques": false 86 | }, 87 | { 88 | "techniqueID": "T1120", 89 | "tactic": "discovery", 90 | "color": "", 91 | "comment": "Focused on workstations", 92 | "enabled": false, 93 | "metadata": [], 94 | "links": [], 95 | "showSubtechniques": false 96 | }, 97 | { 98 | "techniqueID": "T1176", 99 | "tactic": "persistence", 100 | "color": "", 101 | "comment": "Focused on workstations", 102 | "enabled": false, 103 | "metadata": [], 104 | "links": [], 105 | "showSubtechniques": false 106 | }, 107 | { 108 | "techniqueID": "T1555", 109 | "tactic": "credential-access", 110 | "color": "", 111 | "comment": "Focused on workstations", 112 | "enabled": false, 113 | "metadata": [], 114 | "links": [], 115 | "showSubtechniques": false 116 | }, 117 | { 118 | "techniqueID": "T1010", 119 | "tactic": "discovery", 120 | "color": "", 121 | "comment": "Focused on workstations", 122 | "enabled": false, 123 | "metadata": [], 124 | "links": [], 125 | "showSubtechniques": false 126 | }, 127 | { 128 | "techniqueID": "T1525", 129 | "tactic": "persistence", 130 | "color": "", 131 | "comment": "Not suitable for runtime detection", 132 | "enabled": false, 133 | "metadata": [], 134 | "links": [], 135 | "showSubtechniques": false 136 | }, 137 | { 138 | "techniqueID": "T1550", 139 | "tactic": "defense-evasion", 140 | "color": "", 141 | "comment": "Not suitable for runtime detection", 142 | "enabled": false, 143 | "metadata": [], 144 | "links": [], 145 | "showSubtechniques": false 146 | }, 147 | { 148 | "techniqueID": "T1550", 149 | "tactic": "lateral-movement", 150 | "color": "", 151 | "comment": "Not suitable for runtime detection", 152 | "enabled": false, 153 | "metadata": [], 154 | "links": [], 155 | "showSubtechniques": false 156 | }, 157 | { 158 | "techniqueID": "T1011", 159 | "tactic": "exfiltration", 160 | "color": "", 161 | "comment": "Focused on on-prem environments", 162 | "enabled": false, 163 | "metadata": [], 164 | "links": [], 165 | "showSubtechniques": false 166 | }, 167 | { 168 | "techniqueID": "T1217", 169 | "tactic": "discovery", 170 | "color": "", 171 | "comment": "Focused on workstations", 172 | "enabled": false, 173 | "metadata": [], 174 | "links": [], 175 | "showSubtechniques": false 176 | }, 177 | { 178 | "techniqueID": "T1092", 179 | "tactic": "command-and-control", 180 | "color": "", 181 | "comment": "Focused on on-prem environments", 182 | "enabled": false, 183 | "metadata": [], 184 | "links": [], 185 | "showSubtechniques": false 186 | }, 187 | { 188 | "techniqueID": "T1125", 189 | "tactic": "collection", 190 | "color": "", 191 | "comment": "Focused on workstations", 192 | "enabled": false, 193 | "metadata": [], 194 | "links": [], 195 | "showSubtechniques": false 196 | }, 197 | { 198 | "techniqueID": "T1612", 199 | "tactic": "defense-evasion", 200 | "color": "", 201 | "comment": "Not suitable for runtime detection", 202 | "enabled": false, 203 | "metadata": [], 204 | "links": [], 205 | "showSubtechniques": false 206 | }, 207 | { 208 | "techniqueID": "T1204", 209 | "tactic": "execution", 210 | "color": "", 211 | "comment": "Focused on workstations", 212 | "enabled": false, 213 | "metadata": [], 214 | "links": [], 215 | "showSubtechniques": false 216 | }, 217 | { 218 | "techniqueID": "T1606", 219 | "tactic": "credential-access", 220 | "color": "", 221 | "comment": "Not suitable for runtime detection", 222 | "enabled": false, 223 | "metadata": [], 224 | "links": [], 225 | "showSubtechniques": false 226 | }, 227 | { 228 | "techniqueID": "T1621", 229 | "tactic": "credential-access", 230 | "color": "", 231 | "comment": "Not suitable for runtime detection", 232 | "enabled": false, 233 | "metadata": [], 234 | "links": [], 235 | "showSubtechniques": false 236 | }, 237 | { 238 | "techniqueID": "T1554", 239 | "tactic": "persistence", 240 | "color": "", 241 | "comment": "Focused on workstations", 242 | "enabled": false, 243 | "metadata": [], 244 | "links": [], 245 | "showSubtechniques": false 246 | }, 247 | { 248 | "techniqueID": "T1212", 249 | "tactic": "credential-access", 250 | "color": "", 251 | "comment": "Not suitable for runtime detection", 252 | "enabled": false, 253 | "metadata": [], 254 | "links": [], 255 | "showSubtechniques": false 256 | }, 257 | { 258 | "techniqueID": "T1056", 259 | "tactic": "collection", 260 | "color": "", 261 | "comment": "Focused on workstations", 262 | "enabled": false, 263 | "metadata": [], 264 | "links": [], 265 | "showSubtechniques": false 266 | }, 267 | { 268 | "techniqueID": "T1056", 269 | "tactic": "credential-access", 270 | "color": "", 271 | "comment": "Focused on workstations", 272 | "enabled": false, 273 | "metadata": [], 274 | "links": [], 275 | "showSubtechniques": false 276 | }, 277 | { 278 | "techniqueID": "T1213", 279 | "tactic": "collection", 280 | "color": "", 281 | "comment": "Not suitable for runtime detection", 282 | "enabled": false, 283 | "metadata": [], 284 | "links": [], 285 | "showSubtechniques": false 286 | }, 287 | { 288 | "techniqueID": "T1200", 289 | "tactic": "initial-access", 290 | "color": "", 291 | "comment": "Focused on on-prem environments", 292 | "enabled": false, 293 | "metadata": [], 294 | "links": [], 295 | "showSubtechniques": false 296 | }, 297 | { 298 | "techniqueID": "T1111", 299 | "tactic": "credential-access", 300 | "color": "", 301 | "comment": "Not suitable for runtime detection", 302 | "enabled": false, 303 | "metadata": [], 304 | "links": [], 305 | "showSubtechniques": false 306 | }, 307 | { 308 | "techniqueID": "T1052", 309 | "tactic": "exfiltration", 310 | "color": "", 311 | "comment": "Focused on on-prem environments", 312 | "enabled": false, 313 | "metadata": [], 314 | "links": [], 315 | "showSubtechniques": false 316 | } 317 | ], 318 | "gradient": { 319 | "colors": [ 320 | "#ff6666ff", 321 | "#ffe766ff", 322 | "#8ec843ff" 323 | ], 324 | "minValue": 0, 325 | "maxValue": 100 326 | }, 327 | "legendItems": [], 328 | "metadata": [], 329 | "links": [], 330 | "showTacticRowBackground": false, 331 | "tacticRowBackground": "#dddddd", 332 | "selectTechniquesAcrossTactics": true, 333 | "selectSubtechniquesWithParent": false 334 | } -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- 1 | # CPU Spiker 2 | 3 | `cpuspiker` is a binary that can be used to test [malware detection](https://www.datadoghq.com/blog/cloud-security-malware-detection/) and [crypto mining protection](https://www.datadoghq.com/blog/datadog-csm-threats-cryptomining/) from Datadog [Cloud Security Management](https://www.datadoghq.com/product/cloud-security-management/). 4 | 5 | ## Usage 6 | 7 | ``` 8 | wget https://raw.githubusercontent.com/DataDog/workload-security-evaluator/main/tools/cpuspiker-amd64 -O cpuspiker 9 | chmod +x cpuspiker 10 | ./cpuspiker -cpu-priority 1 11 | ``` -------------------------------------------------------------------------------- /tools/cpuspiker-amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DataDog/workload-security-evaluator/40f52680e3ef95e4f245e74f9af8b23c30217516/tools/cpuspiker-amd64 -------------------------------------------------------------------------------- /tools/cpuspiker-arm64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DataDog/workload-security-evaluator/40f52680e3ef95e4f245e74f9af8b23c30217516/tools/cpuspiker-arm64 -------------------------------------------------------------------------------- /tools/cpuspiker.go: -------------------------------------------------------------------------------- 1 | // Datadog CPU spiker 2 | // Use this program to test detections for malware hashes and crypto mining 3 | package main 4 | 5 | import ( 6 | "flag" 7 | "fmt" 8 | ) 9 | 10 | func cpuTask(id int, data chan int) { 11 | for { 12 | } 13 | } 14 | 15 | func main() { 16 | 17 | priorityPtr := flag.Int("cpu-priority", 0, "Mining threads priority") 18 | noSignalPtr := flag.Bool("no-signal", false, "Execute without triggering a crypto mining signal") 19 | flag.Parse() 20 | 21 | if *priorityPtr != 0 || *noSignalPtr { 22 | fmt.Print("Spiking CPU to test Datadog security detections...\n") 23 | channel := make(chan int) 24 | 25 | for i := 0; i < 10; i++ { 26 | go cpuTask(i, channel) 27 | } 28 | 29 | for i := 0; i < 10; i++ { 30 | channel <- i 31 | } 32 | } else { 33 | flag.PrintDefaults() 34 | } 35 | } 36 | --------------------------------------------------------------------------------