new events from aws (#15)

events/Bedrock/InvokeModel.json

@@ -20,6 +20,10 @@
         {
             "description": "Detecting AI resource-hijacking with Composite Alerts",
             "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [],

events/Bedrock/InvokeModelWithResponseStream.json

@@ -14,6 +14,10 @@
         {
             "description": "Detecting AI resource-hijacking with Composite Alerts",
             "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [],

events/CloudFormation/CreateStack.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "CreateStack",
+    "eventSource": "cloudformation.amazonaws.com",
+    "awsService": "CloudFormation",
+    "description": "Creates a stack as specified in the template.",
+    "mitreAttackTactics": [
+        "TA0040 - Impact"
+    ],
+    "mitreAttackTechniques": [
+        "T1496 - Resource Hijacking"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers might use CreateStack to provision unauthorized resources",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "N/A"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack"
+}

events/CloudTrail/PutEventSelectors.json

@@ -9,8 +9,13 @@
     "mitreAttackTechniques": [
         "T1562 - Impair Defenses"
     ],
-    "usedInWild": false,
-    "incidents": [],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
     "researchLinks": [
         {
             "description": "cloudtrail_guardduty_bypass",

events/EC2/AuthorizeSecurityGroupIngress.json

@@ -44,6 +44,10 @@
         {
             "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
             "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [

events/EC2/RunInstances.json

@@ -62,6 +62,10 @@
         {
             "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
             "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [

events/ECS/CreateCluster.json

@@ -14,6 +14,10 @@
         {
             "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
             "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [],

events/IAM/CreateOpenIDConnectProvider.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "CreateOpenIDConnectProvider",
+    "eventSource": "iam.amazonaws.com",
+    "awsService": "IAM",
+    "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)",
+    "mitreAttackTactics": [
+        "TA0003 - Persistence"
+    ],
+    "mitreAttackTechniques": [
+        "T1136 - Create Account"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider"
+}

events/IAM/CreateSAMLProvider copy.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "CreateSAMLProvider",
+    "eventSource": "iam.amazonaws.com",
+    "awsService": "IAM",
+    "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.",
+    "mitreAttackTactics": [
+        "TA0003 - Persistence"
+    ],
+    "mitreAttackTechniques": [
+        "T1136 - Create Account"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "N/A"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider"
+}

events/IAM/CreateSAMLProvider.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "StartSSO",
+    "eventSource": "sso.amazonaws.com",
+    "awsService": "SSO",
+    "description": "Initialize AWS IAM Identity Center",
+    "mitreAttackTactics": [
+        "TA0003 - Persistence"
+    ],
+    "mitreAttackTechniques": [
+        "T1136 - Create Account"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers use StartSSO to establish persistent footholds.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "N/A"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO"
+}

events/Organizations/InviteAccountToOrganization copy.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "CreateAccount",
+    "eventSource": "organizations.amazonaws.com",
+    "awsService": "Organizations",
+    "description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.",
+    "mitreAttackTactics": [
+        "TA0005 - Defense Evasion"
+    ],
+    "mitreAttackTechniques": [
+        "T1535 - Unused/Unsupported Cloud Regions"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\""
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount"
+}

events/Organizations/InviteAccountToOrganization.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "InviteAccountToOrganization",
+    "eventSource": "organizations.amazonaws.com",
+    "awsService": "Organizations",
+    "description": "Sends an invitation to another account to join your organization as a member account.",
+    "mitreAttackTactics": [
+        "TA0005 - Defense Evasion"
+    ],
+    "mitreAttackTechniques": [
+        "T1535 - Unused/Unsupported Cloud Regions"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization"
+}

events/Organizations/LeaveOrganization.json

@@ -7,10 +7,15 @@
         "TA0005 - Defense Evasion"
     ],
     "mitreAttackTechniques": [
-        "T1562 - Impair Defenses"
+        "T1070 - Indicator Removal"
     ],
     "usedInWild": false,
-    "incidents": [],
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
     "researchLinks": [
         {
             "description": "An AWS account attempted to leave the AWS Organization",

events/RDS/CreateDBSnapshot.json

@@ -14,6 +14,10 @@
         {
             "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability",
             "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [

events/RDS/DeleteDBCluster.json

@@ -9,8 +9,13 @@
     "mitreAttackTechniques": [
         "T1485 - Data Destruction"
     ],
-    "usedInWild": false,
-    "incidents": [],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
     "researchLinks": [
         {
             "description": "Hunting AWS RDS security events with Sysdig",

events/RDS/DeleteDBInstance.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "DeleteDBInstance",
+    "eventSource": "rds.amazonaws.com",
+    "awsService": "RDS",
+    "description": "Deletes a previously provisioned DB instance.",
+    "mitreAttackTactics": [
+        "TA0040 - Impact"
+    ],
+    "mitreAttackTechniques": [
+        "T1485 - Data Destruction"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance"
+}

events/S3/DeleteBucket.json

@@ -0,0 +1,29 @@
+{
+    "eventName": "DeleteBucket",
+    "eventSource": "s3.amazonaws.com",
+    "awsService": "S3",
+    "description": "Deletes the S3 bucket.",
+    "mitreAttackTactics": [
+        "TA0040 - Impact"
+    ],
+    "mitreAttackTechniques": [
+        "T1485 - Data Destruction"
+    ],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+        }
+    ],
+    "researchLinks": [],
+    "securityImplications": "Attackers might use DeleteBucket to delete resources.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket"
+}

events/S3/DeleteObject.json

@@ -26,6 +26,10 @@
         {
             "description": "Hacker Puts Hosting Service Code Spaces Out of Business",
             "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [],

events/S3/PutBucketLifecycle.json

@@ -14,6 +14,10 @@
         {
             "description": "USA VS Nickolas Sharp",
             "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl"
+        },
+        {
+            "description": "New tactics and techniques for proactive threat detection",
+            "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
         }
     ],
     "researchLinks": [],