Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent 3922d79, commit ce4268e. Showing 24 changed files with 2,114 additions and 1,042 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "CreateStack", | ||
"eventSource": "cloudformation.amazonaws.com", | ||
"awsService": "CloudFormation", | ||
"description": "Creates a stack as specified in the template.", | ||
"mitreAttackTactics": [ | ||
"TA0040 - Impact" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1496 - Resource Hijacking" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers might use CreateStack to provision unauthorized resources", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "N/A" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack" | ||
} |
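Review bot: `simulation.value` is `N/A` although CreateStack is trivially reproducible from the CLI; replace it with something like `aws cloudformation create-stack --stack-name TrailDiscoverStack --template-body file://template.yaml` so this event can be generated like the others in this commit. The `securityImplications` line should also say what makes this more than "unauthorized resources": a stack can be launched with `--role-arn` pointing at a privileged CloudFormation service role, so a caller holding `cloudformation:CreateStack` plus `iam:PassRole` gets resources created with permissions they do not hold directly, which is why the `RoleARN` value recorded in `requestParameters` is the field to inspect. Finally, `alerting` is empty and `incidents[0].description` is only the talk title; the same deck is cited by every file in this commit, so one line saying which technique in that deck this event supports would make the reference usable.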
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "CreateOpenIDConnectProvider", | ||
"eventSource": "iam.amazonaws.com", | ||
"awsService": "IAM", | ||
"description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)", | ||
"mitreAttackTactics": [ | ||
"TA0003 - Persistence" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1136 - Create Account" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider" | ||
} |
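Review bot: `T1136 - Create Account` is a loose fit for this event; CreateOpenIDConnectProvider creates no account, it adds a federation trust, which ATT&CK covers under `T1484.002 - Trust Modification` (with `T1098 - Account Manipulation` as a reasonable secondary), so consider listing that instead. `securityImplications` should also state the precondition that makes the foothold real: the provider grants nothing by itself, the attacker still needs a role whose trust policy names the provider ARN for `sts:AssumeRoleWithWebIdentity`, so the detection in `alerting` should pair this event with a subsequent CreateRole or UpdateAssumeRolePolicy from the same principal. The simulation command reuses the AWS documentation placeholders, which is fine, but note that it leaves a provider behind that has to be removed with `aws iam delete-open-id-connect-provider --open-id-connect-provider-arn <arn>`.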
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "CreateSAMLProvider", | ||
"eventSource": "iam.amazonaws.com", | ||
"awsService": "IAM", | ||
"description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.", | ||
"mitreAttackTactics": [ | ||
"TA0003 - Persistence" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1136 - Create Account" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "N/A" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider" | ||
} |
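Review bot: `simulation.value` is `N/A` here while the OIDC twin in this commit carries a working command; the SAML equivalent is `aws iam create-saml-provider --name TrailDiscoverIdP --saml-metadata-document file://metadata.xml`, and since the metadata document is a required argument the entry should say that the simulator needs the metadata XML of some IdP (any test IdP exposes one). The same mapping remark as for CreateOpenIDConnectProvider applies: this is a trust modification (`T1484.002`) rather than account creation, and the foothold only works once a role trusts the provider through `sts:AssumeRoleWithSAML`, so `securityImplications` and `alerting` should mention correlating with CreateRole/UpdateAssumeRolePolicy.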
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "StartSSO", | ||
"eventSource": "sso.amazonaws.com", | ||
"awsService": "SSO", | ||
"description": "Initialize AWS IAM Identity Center", | ||
"mitreAttackTactics": [ | ||
"TA0003 - Persistence" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1136 - Create Account" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers use StartSSO to establish persistent footholds.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "N/A" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO" | ||
} |
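Review bot: `securityImplications` is the same template sentence used across this commit and does not say why initialising Identity Center is persistence; spell out that whoever enables it can then create users in the built-in identity store and assign permission sets to accounts in the organization, and `alerting` should not be empty for this one because it is the highest-signal event in the set: StartSSO is expected once per organization during legitimate setup, so any later occurrence, or any occurrence in an organization that never used Identity Center, is worth an alert on its own. Minor: `awsService` says `SSO` while the description says `IAM Identity Center`; pick one label (the permissions link keeps the `sso` prefix regardless).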
events/Organizations/InviteAccountToOrganization copy.json (29 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "CreateAccount", | ||
"eventSource": "organizations.amazonaws.com", | ||
"awsService": "Organizations", | ||
"description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.", | ||
"mitreAttackTactics": [ | ||
"TA0005 - Defense Evasion" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1535 - Unused/Unsupported Cloud Regions" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\"" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount" | ||
} |
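Review bot: the file is named `events/Organizations/InviteAccountToOrganization copy.json` but its `eventName` is `CreateAccount`; rename it to `events/Organizations/CreateAccount.json` before merging, otherwise it reads as a stray duplicate of the real InviteAccountToOrganization entry that follows in this commit. The technique mapping is also off: `T1535 - Unused/Unsupported Cloud Regions` has nothing to do with creating a member account, whereas `T1136.003 - Create Account: Cloud Account` does, and since `securityImplications` already mentions resource hijacking, `T1496` belongs in the list if that is the intended angle. Worth adding to the implications: the new account is reachable from the management account through the `OrganizationAccountAccessRole` that CreateAccount provisions by default, which is the practical foothold, and the call only works from the management account, so the calling principal is itself a strong filter for `alerting`.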
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "InviteAccountToOrganization", | ||
"eventSource": "organizations.amazonaws.com", | ||
"awsService": "Organizations", | ||
"description": "Sends an invitation to another account to join your organization as a member account.", | ||
"mitreAttackTactics": [ | ||
"TA0005 - Defense Evasion" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1535 - Unused/Unsupported Cloud Regions" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization" | ||
} |
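Review bot: same mapping problem as the CreateAccount entry above: `T1535` is about cloud regions, not about adding accounts to an organization; `T1136.003 - Create Account: Cloud Account` or `T1098 - Account Manipulation` is the right technique, and `T1496` should appear if the resource-hijacking motive in `securityImplications` is meant. The invitation changes nothing until the invited account calls `AcceptHandshake`, so `alerting` should say to pair this event with the matching AcceptHandshake (same handshake ID) and to treat an invite whose `Target.Id` in `requestParameters` is an address outside the organization's own domains as suspicious. The simulation command is fine, but note that it has to be run from the management account.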
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "DeleteDBInstance", | ||
"eventSource": "rds.amazonaws.com", | ||
"awsService": "RDS", | ||
"description": "Deletes a previously provisioned DB instance.", | ||
"mitreAttackTactics": [ | ||
"TA0040 - Impact" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1485 - Data Destruction" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance" | ||
} |
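Review bot: the simulation command will not run as written: `delete-db-instance` rejects a request that carries neither `--skip-final-snapshot` nor `--final-db-snapshot-identifier`, and it also fails while deletion protection is enabled on the instance. A realistic simulation is `aws rds modify-db-instance --db-instance-identifier TrailDiscoverDB --no-deletion-protection --apply-immediately` followed by `aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB --skip-final-snapshot`. That sequence is also the detection content missing from `alerting`: the destructive variant leaves `skipFinalSnapshot: true` in `requestParameters`, and a ModifyDBInstance that disables deletion protection shortly before a DeleteDBInstance from the same principal is the pattern to alert on.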
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{ | ||
"eventName": "DeleteBucket", | ||
"eventSource": "s3.amazonaws.com", | ||
"awsService": "S3", | ||
"description": "Deletes the S3 bucket.", | ||
"mitreAttackTactics": [ | ||
"TA0040 - Impact" | ||
], | ||
"mitreAttackTechniques": [ | ||
"T1485 - Data Destruction" | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
"description": "New tactics and techniques for proactive threat detection", | ||
"link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" | ||
} | ||
], | ||
"researchLinks": [], | ||
"securityImplications": "Attackers might use DeleteBucket to delete resources.", | ||
"alerting": [], | ||
"simulation": [ | ||
{ | ||
"type": "commandLine", | ||
"value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1" | ||
} | ||
], | ||
"permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket" | ||
} |
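Review bot: DeleteBucket only succeeds on an empty bucket (S3 answers `BucketNotEmpty` otherwise), so the data destruction this entry maps to T1485 actually happens in the preceding DeleteObject/DeleteObjects calls, which are S3 data events and do not appear in CloudTrail unless data-event logging is enabled for the bucket; `securityImplications` and `alerting` should say that, and add that on a versioned bucket the attacker also has to delete every object version, which is slow and noisy and therefore the better place to detect. The simulation command is correct but will fail on any bucket holding objects; either state that the bucket must be empty or precede it with `aws s3 rm s3://my-traildiscover-bucket --recursive` (which empties an unversioned bucket).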