{"id":27838148,"url":"https://github.com/FSecureLABS/leonidas","last_synced_at":"2025-05-02T23:01:52.143Z","repository":{"id":45220734,"uuid":"274744266","full_name":"WithSecureLabs/leonidas","owner":"WithSecureLabs","description":"Automated Attack Simulation in the Cloud, complete with detection use cases.","archived":false,"fork":false,"pushed_at":"2024-11-28T23:20:58.000Z","size":1213,"stargazers_count":565,"open_issues_count":9,"forks_count":67,"subscribers_count":27,"default_branch":"master","last_synced_at":"2025-04-30T03:02:39.032Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WithSecureLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-24T18:43:15.000Z","updated_at":"2025-04-27T13:35:13.000Z","dependencies_parsed_at":"2024-01-08T21:46:27.225Z","dependency_job_id":"636a659b-6811-4d34-8720-4838c80921eb","html_url":"https://github.com/WithSecureLabs/leonidas","commit_stats":null,"previous_names":["fsecurelabs/leonidas"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fleonidas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fleonidas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fleonidas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fleonidas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WithSecureLabs","download_url":"https://codeload.github.com/WithSecureLabs/leonidas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252118316,"owners_count":21697583,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-02T23:01:51.413Z","updated_at":"2025-05-02T23:01:52.127Z","avatar_url":"https://github.com/WithSecureLabs.png","language":"Python","readme":"# Leonidas\r\n\r\nThis is the repository containing Leonidas, a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:\r\n\r\n* A web API exposing each test case as an individual endpoint\r\n* Sigma rules (https://github.com/Neo23x0/sigma) for detection\r\n* Documentation  - see http://detectioninthe.cloud/ for an example\r\n\r\nThe project was originally designed for use in AWS environments, with the following architecture:\r\n\r\n![Leonidas Architecture](./docs/architecture.png)\r\nIn 2024, Leonidas was extended to support Kubernetes environments. Its resources can be deployed within the target cluster, as per the following architecture:\r\n![Leonidas K8S Architecture](./docs/k8s-architecture.png)\r\n\r\n## Deploying the API\r\n\r\nThe API is deployed into an AWS account via an AWS-native CI/CD pipeline, and into a Kubernetes cluster using auto-generated YAML manifests.\r\nInstructions for both environments can be found at [Deploying Leonidas](./docs/deploying-leonidas.md).\r\n\r\n## Using the API\r\n\r\nThe API is invoked via web requests secured by an API key. Details on using the API can be found at [Using Leonidas](./docs/using-leonidas.md)\r\n\r\n## Installing the Generator Locally\r\n\r\nTo build documentation or Sigma rules, you'll need to install the generator locally. You can do this by:\r\n\r\n* `cd generator`\r\n* `poetry install`\r\n\r\n## Generating Sigma Rules\r\n\r\nSigma rules can be generated as follows:\r\n\r\n* `poetry run ./generator.py sigma`\r\n\r\nThe rules will then appear in `./output/sigma`\r\n\r\n## Generating Documentation\r\n\r\nThe documentation is generated as follows:\r\n\r\n* `poetry run ./generator.py docs`\r\n\r\nThis will produce markdown versions of the documentation available at `output/docs`. This can be uploaded to an existing markdown-based documentation system, or the following can be used to create a prettified HTML version of the docs:\r\n\r\n* `cd ../output`\r\n* `mkdocs build`\r\n\r\nThis will create an `output/site` folder containing the HTML site. It is also possible to view this locally by running `mkdocs serve` in the same folder.\r\n\r\n## Writing Definitions\r\n\r\nThe definitions are written in a YAML-based format, for which an example is provided below. Documentation on how to write these can be found in [Writing Definitions](./docs/writing-definitions.md)\r\n\r\n```yaml\r\n---\r\nname: Enumerate Cloudtrails for a Given Region\r\nauthor: Nick Jones\r\ndescription: |\r\n  An adversary may attempt to enumerate the configured trails, to identify what actions will be logged and where they will be logged to. In AWS, this may start with a single call to enumerate the trails applicable to the default region.\r\ncategory: Discovery\r\nmitre_ids:\r\n  - T1526\r\nplatform: aws\r\npermissions:\r\n  - cloudtrail:DescribeTrails\r\ninput_arguments:\r\nexecutors:\r\n  sh:\r\n    code: |\r\n      aws cloudtrail describe-trails\r\n  leonidas_aws:\r\n    implemented: True\r\n    clients:\r\n      - cloudtrail\r\n    code: |\r\n      result = clients[\"cloudtrail\"].describe_trails()\r\ndetection:\r\n  sigma_id: 48653a63-085a-4a3b-88be-9680e9adb449\r\n  status: experimental\r\n  level: low\r\n  sources:\r\n    - name: \"cloudtrail\"\r\n      attributes:\r\n        eventName: \"DescribeTrails\"\r\n        eventSource: \"*.cloudtrail.amazonaws.com\"\r\n```\r\n\r\n## Credits\r\n\r\nProject built and maintained by Nick Jones ( [NJonesUK](https://github.com/NJonesUK) / [@nojonesuk](https://twitter.com/nojonesuk)).\r\n\r\nKubernetes support added by Leo Tsaousis ( [@laripping](https://github.com/LAripping) ).\r\n\r\nSpecial thanks also to Mohit Gupta ( @[Skybound1](https://github.com/Skybound1) ) for his invaluable contribution.\r\n\r\nThis project drew ideas and inspiration from a range of sources, including:\r\n\r\n* [Pacu](https://github.com/RhinoSecurityLabs/pacu)\r\n* [Rhino Security's AWS IAM Privilege Escalations](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation)\r\n* All of Scott Piper's AWS security work ( [https://github.com/0xdabbad00](https://github.com/0xdabbad00) / [@0xdabbad00](https://twitter.com/0xdabbad00) )\r\n* [MITRE ATT\u0026CK](https://attack.mitre.org/matrices/enterprise/)\r\n* [MITRE CALDERA](https://github.com/mitre/caldera)\r\n* [Red Canary's Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)\r\n* [Sigma](https://github.com/Neo23x0/sigma)\r\n","funding_links":[],"categories":["Penetration testing/learning","Python","Python (1887)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFSecureLABS%2Fleonidas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFSecureLABS%2Fleonidas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFSecureLABS%2Fleonidas/lists"}