From ce4268e19bc7343fda54aff2fb469ab9949ada62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adan=20=C3=81lvarez?=
Date: Sun, 7 Jul 2024 13:27:37 +0200
Subject: [PATCH] new events from aws (#15)

---
 docs/datadog_dashboard.json | 2510 ++++++++++-------
 docs/events.csv | 34 +-
 docs/events.json | 306 +-
 events/Bedrock/InvokeModel.json | 4 +
 .../InvokeModelWithResponseStream.json | 4 +
 events/CloudFormation/CreateStack.json | 29 +
 events/CloudTrail/PutEventSelectors.json | 9 +-
 events/EC2/AuthorizeSecurityGroupIngress.json | 4 +
 events/EC2/RunInstances.json | 4 +
 events/ECS/CreateCluster.json | 4 +
 events/IAM/CreateOpenIDConnectProvider.json | 29 +
 events/IAM/CreateSAMLProvider copy.json | 29 +
 events/IAM/CreateSAMLProvider.json | 29 +
 .../InviteAccountToOrganization copy.json | 29 +
 .../InviteAccountToOrganization.json | 29 +
 events/Organizations/LeaveOrganization.json | 9 +-
 events/RDS/CreateDBSnapshot.json | 4 +
 events/RDS/DeleteDBCluster.json | 9 +-
 events/RDS/DeleteDBInstance.json | 29 +
 events/S3/DeleteBucket.json | 29 +
 events/S3/DeleteObject.json | 4 +
 events/S3/PutBucketLifecycle.json | 4 +
 .../GetFederationToken.json | 6 +-
 .../SecurityTokenService/GetSessionToken.json | 9 +-
 24 files changed, 2114 insertions(+), 1042 deletions(-)
 create mode 100644 events/CloudFormation/CreateStack.json
 create mode 100644 events/IAM/CreateOpenIDConnectProvider.json
 create mode 100644 events/IAM/CreateSAMLProvider copy.json
 create mode 100644 events/IAM/CreateSAMLProvider.json
 create mode 100644 events/Organizations/InviteAccountToOrganization copy.json
 create mode 100644 events/Organizations/InviteAccountToOrganization.json
 create mode 100644 events/RDS/DeleteDBInstance.json
 create mode 100644 events/S3/DeleteBucket.json
diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
index c2839a7..3df8e00 100644
--- a/docs/datadog_dashboard.json
+++ b/docs/datadog_dashboard.json
@@ -106,7 +106,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR Publish OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR Invoke OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR GenerateDataKeyWithoutPlaintext OR ScheduleKeyDeletion OR Encrypt OR PutObject OR PutBucketVersioning OR PutBucketLifecycle OR DeleteObject OR InvokeModel OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR CreateFoundationModelAgreement OR DeleteVolume OR StartInstances OR CreateDefaultVpc OR TerminateInstances OR StopInstances OR DeleteSnapshot OR RunInstances OR DeleteGlobalCluster OR DeleteDBCluster OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR RegisterTaskDefinition OR CreateService OR CreateCluster OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR CreateStack OR Publish OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR Invoke OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR GenerateDataKeyWithoutPlaintext OR ScheduleKeyDeletion OR Encrypt OR PutObject OR PutBucketVersioning OR PutBucketLifecycle OR DeleteBucket OR DeleteObject OR InvokeModel OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR CreateFoundationModelAgreement OR DeleteVolume OR StartInstances OR CreateDefaultVpc OR TerminateInstances OR StopInstances OR DeleteSnapshot OR RunInstances OR DeleteGlobalCluster OR DeleteDBCluster OR DeleteDBInstance OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR RegisterTaskDefinition OR CreateService OR CreateCluster OR 
RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" 
@@ -136,7 +136,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(LeaveOrganization OR PutLogEvents OR DeleteAlarms OR DeleteLogGroup OR DeleteLogStream OR PutLogEvents OR CreateLogStream OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR DeleteMembers OR DetachRolePolicy OR DeleteUserPolicy OR DeleteAccessKey OR DeleteUser OR DetachUserPolicy OR DeleteLoginProfile OR DeactivateMFADevice OR CreateRule OR StopLogging OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR DeleteBucketPolicy OR DeleteFlowLogs OR DeleteNetworkAcl OR TerminateInstances OR DeleteNetworkAclEntry OR StopInstances OR AuthorizeDBSecurityGroupIngress OR ModifyActivityStream OR DeleteIdentity OR UpdateIPSet OR DeleteInvitations OR UpdateDetector OR DeleteDetector OR DeletePublishingDestination OR DisassociateMembers OR DisassociateFromMasterAccount OR StopMonitoringMembers OR CreateIPSet OR CreateFilter OR DeleteMembers OR DeleteConfigurationRecorder OR DeleteDeliveryChannel OR StopConfigurationRecorder OR DeleteConfigRule OR DeleteRuleGroup OR UpdateIPSet OR DeleteWebACL) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(InviteAccountToOrganization OR CreateAccount OR LeaveOrganization OR PutLogEvents OR DeleteAlarms OR DeleteLogGroup OR DeleteLogStream OR PutLogEvents OR CreateLogStream OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR DeleteMembers OR DetachRolePolicy OR DeleteUserPolicy OR DeleteAccessKey OR DeleteUser OR DetachUserPolicy OR DeleteLoginProfile OR DeactivateMFADevice OR CreateRule OR StopLogging OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR DeleteBucketPolicy OR DeleteFlowLogs OR DeleteNetworkAcl OR TerminateInstances OR DeleteNetworkAclEntry OR StopInstances OR AuthorizeDBSecurityGroupIngress OR ModifyActivityStream OR DeleteIdentity 
OR UpdateIPSet OR DeleteInvitations OR UpdateDetector OR DeleteDetector OR DeletePublishingDestination OR DisassociateMembers OR DisassociateFromMasterAccount OR StopMonitoringMembers OR CreateIPSet OR CreateFilter OR DeleteMembers OR DeleteConfigurationRecorder OR DeleteDeliveryChannel OR StopConfigurationRecorder OR DeleteConfigRule OR DeleteRuleGroup OR UpdateIPSet OR DeleteWebACL) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" @@ -181,7 +181,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(GetFederationToken OR AssumeRole OR CreateFunction20150331 OR UpdateFunctionConfiguration20150331v2 OR UpdateFunctionCode20150331v2 OR PutTargets OR PutRule OR UpdateLoginProfile OR UpdateAccessKey OR UpdateAssumeRolePolicy OR CreateAccessKey OR AttachUserPolicy OR PutUserPolicy OR ChangePassword OR CreateLoginProfile OR CreateUser OR CreateRole OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR StartInstances OR CreateSecurityGroup OR CreateDefaultVpc OR CreateNetworkAclEntry OR CreateKeyPair OR AuthorizeSecurityGroupIngress OR RunInstances OR ImportKeyPair) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(GetFederationToken OR AssumeRole OR CreateFunction20150331 OR UpdateFunctionConfiguration20150331v2 OR UpdateFunctionCode20150331v2 OR PutTargets OR PutRule OR CreateSAMLProvider OR UpdateLoginProfile OR UpdateAccessKey OR UpdateAssumeRolePolicy OR CreateAccessKey OR StartSSO OR CreateOpenIDConnectProvider OR AttachUserPolicy OR PutUserPolicy OR ChangePassword OR CreateLoginProfile OR CreateUser OR CreateRole OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR StartInstances OR CreateSecurityGroup OR CreateDefaultVpc OR CreateNetworkAclEntry OR CreateKeyPair OR AuthorizeSecurityGroupIngress OR RunInstances OR ImportKeyPair) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" 
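Review bot: The rewritten query on the new side still carries the duplicates the old side had — `PutLogEvents`, `DeleteMembers` and `UpdateIPSet` each appear twice inside the `@evt.name:(...)` group — and the aggregate query in the hunk at line 309 shows the same (`PutLogEvents`, `CreateUser` and `GetLaunchTemplateData` twice). Duplicates are harmless to an OR filter, but they show the list is assembled without de-duplication, which makes it hard to see whether a newly added name such as `InviteAccountToOrganization` or `CreateAccount` was already present. If these queries are produced from docs/events.json by a script, building a set of event names before joining them with ` OR ` fixes every panel at once; otherwise the repeated names should be dropped by hand.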
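Review bot: `CreateSAMLProvider` is added to this query, and the diffstat adds both `events/IAM/CreateSAMLProvider.json` and `events/IAM/CreateSAMLProvider copy.json` (likewise `events/Organizations/InviteAccountToOrganization copy.json` next to `InviteAccountToOrganization.json`), each with the same 29-line size as its sibling. The ` copy.json` files look like accidental editor duplicates rather than distinct events; if docs/events.json, docs/events.csv and this dashboard are generated from the events/ tree, each of those events would be emitted twice. They should be removed from the commit, or confirmed as intentional if they serve a purpose I cannot see from the diff.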
@@ -309,7 +309,7 @@ } ], "search": { - "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR AssumeRole OR GetCallerIdentity OR GetSMSAttributes OR Publish OR GetSMSSandboxAccountStatus OR PutLogEvents OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR PutLogEvents OR CreateLogStream OR PasswordRecoveryRequested OR ConsoleLogin OR CreateFunction20150331 OR Invoke OR GetQueryResults OR PutTargets OR PutRule OR CreateInstances OR GetCostAndUsage OR ListGroupsForUser OR ListAccessKeys OR DetachRolePolicy OR UpdateLoginProfile OR SimulatePrincipalPolicy OR ListGroups OR ListUsers OR CreateAccessKey OR DeleteUserPolicy OR ListRoles OR ListSAMLProviders OR GetUser OR DeleteAccessKey OR DeleteUser OR AttachRolePolicy OR AttachUserPolicy OR ListAttachedRolePolicies OR PutUserPolicy OR ListServiceSpecificCredentials OR ListRolePolicies OR CreateLoginProfile OR CreateUser OR ListSigningCertificates OR ListInstanceProfiles OR DetachUserPolicy OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR CreateRole OR DeleteLoginProfile OR GetLoginProfile OR GetSecretValue OR DescribeSecret OR ListSecrets OR CreateUser OR CreateServer OR Search OR GenerateDataKeyWithoutPlaintext OR Encrypt OR LookupEvents OR PutObject OR GetBucketVersioning OR PutBucketVersioning OR GetBucketLogging OR GetBucketPolicy OR ListBuckets OR GetBucketReplication OR GetObject OR PutBucketLifecycle OR GetBucketAcl OR HeadObject OR ListVaults OR GetPublicAccessBlock OR GetBucketTagging OR DeleteObject OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR 
CreateFoundationModelAgreement OR GetConsoleScreenshot OR DeleteVolume OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR EnableSerialConsoleAccess OR DescribeAvailabilityZones OR GetPasswordData OR CreateVolume OR StartInstances OR CreateSecurityGroup OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR ModifySnapshotAttribute OR CreateDefaultVpc OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR CreateKeyPair OR SharedSnapshotCopyInitiated OR DescribeCarrierGateways OR TerminateInstances OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR StopInstances OR DescribeInstanceAttribute OR DescribeDhcpOptions OR AuthorizeSecurityGroupIngress OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR SendSSHPublicKey OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DeleteSnapshot OR SharedSnapshotVolumeCreated OR CreateSnapshot OR ReplaceIamInstanceProfileAssociation OR RunInstances OR DescribeSecurityGroups OR DescribeVpcs OR AttachVolume OR ImportKeyPair OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR CreateImage OR AuthorizeSecurityGroupEgress OR SendSerialConsoleSSHPublicKey OR ModifyDBSnapshotAttribute OR CreateDBSnapshot OR ModifyActivityStream OR SendCommand OR StartSession OR DescribeInstanceInformation OR CreateEmailIdentity OR GetIdentityVerificationAttributes OR UpdateAccountSendingEnabled OR ListIdentities OR GetSendQuota OR VerifyEmailIdentity OR GetAccount OR DeleteIdentity OR DeleteInvitations OR GetFindings OR ListFindings OR ListDetectors OR DeleteDetector OR GetDetector OR DisassociateFromMasterAccount OR RegisterTaskDefinition OR CreateService OR CreateCluster OR ListServiceQuotas OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail 
@evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR InviteAccountToOrganization OR DescribeOrganization OR ListOrganizationalUnitsForParent OR CreateAccount OR ListAccounts OR CreateStack OR GetFederationToken OR GetSessionToken OR AssumeRole OR GetCallerIdentity OR GetSMSAttributes OR Publish OR GetSMSSandboxAccountStatus OR PutLogEvents OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR PutLogEvents OR CreateLogStream OR PasswordRecoveryRequested OR ConsoleLogin OR CreateFunction20150331 OR Invoke OR GetQueryResults OR PutTargets OR PutRule OR CreateInstances OR GetCostAndUsage OR ListGroupsForUser OR CreateSAMLProvider OR ListAccessKeys OR DetachRolePolicy OR UpdateLoginProfile OR SimulatePrincipalPolicy OR ListGroups OR ListUsers OR CreateAccessKey OR DeleteUserPolicy OR ListRoles OR StartSSO OR ListSAMLProviders OR GetUser OR DeleteAccessKey OR DeleteUser OR AttachRolePolicy OR CreateOpenIDConnectProvider OR AttachUserPolicy OR ListAttachedRolePolicies OR PutUserPolicy OR ListServiceSpecificCredentials OR ListRolePolicies OR CreateLoginProfile OR CreateUser OR ListSigningCertificates OR ListInstanceProfiles OR DetachUserPolicy OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR CreateRole OR DeleteLoginProfile OR GetLoginProfile OR GetSecretValue OR DescribeSecret OR ListSecrets OR CreateUser OR CreateServer OR Search OR GenerateDataKeyWithoutPlaintext OR Encrypt OR LookupEvents OR PutEventSelectors OR PutObject OR GetBucketVersioning OR PutBucketVersioning OR GetBucketLogging OR GetBucketPolicy OR ListBuckets OR GetBucketReplication OR GetObject OR PutBucketLifecycle OR DeleteBucket OR GetBucketAcl OR HeadObject OR ListVaults OR GetPublicAccessBlock OR GetBucketTagging OR DeleteObject OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR 
GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR CreateFoundationModelAgreement OR GetConsoleScreenshot OR DeleteVolume OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR EnableSerialConsoleAccess OR DescribeAvailabilityZones OR GetPasswordData OR CreateVolume OR StartInstances OR CreateSecurityGroup OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR ModifySnapshotAttribute OR CreateDefaultVpc OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR CreateKeyPair OR SharedSnapshotCopyInitiated OR DescribeCarrierGateways OR TerminateInstances OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR StopInstances OR DescribeInstanceAttribute OR DescribeDhcpOptions OR AuthorizeSecurityGroupIngress OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR SendSSHPublicKey OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DeleteSnapshot OR SharedSnapshotVolumeCreated OR CreateSnapshot OR ReplaceIamInstanceProfileAssociation OR RunInstances OR DescribeSecurityGroups OR DescribeVpcs OR AttachVolume OR ImportKeyPair OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR CreateImage OR AuthorizeSecurityGroupEgress OR SendSerialConsoleSSHPublicKey OR ModifyDBSnapshotAttribute OR DeleteDBCluster OR DeleteDBInstance OR CreateDBSnapshot OR ModifyActivityStream OR SendCommand OR StartSession OR DescribeInstanceInformation OR CreateEmailIdentity OR GetIdentityVerificationAttributes OR UpdateAccountSendingEnabled OR ListIdentities OR GetSendQuota OR VerifyEmailIdentity OR GetAccount OR DeleteIdentity OR DeleteInvitations OR GetFindings OR ListFindings OR ListDetectors OR DeleteDetector OR GetDetector OR DisassociateFromMasterAccount OR RegisterTaskDefinition OR CreateService 
OR CreateCluster OR ListServiceQuotas OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" } } ], @@ -361,7 +361,7 @@ } }, { - "id": 3776046879, + "id": 3588297525, "definition": { "type": "group", "layout_type": "ordered", @@ -370,7 +370,7 @@ "show_title": true, "widgets": [ { - "id": 1500168988, + "id": 136735265, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -389,7 +389,7 @@ } }, { - "id": 603671517, + "id": 1788491321, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", 
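Review bot: Every widget `id` in the file is rewritten by this commit (here `3776046879` → `3588297525`, and the same pattern in every hunk that follows through line 1443) although the widgets themselves are otherwise untouched, which buries the handful of substantive query and content changes under a long run of one-line id swaps. If the file is exported from Datadog or regenerated by a script, consider keeping existing ids stable across regenerations, or stripping the `id` fields before committing, so that review shows only real changes. I cannot tell from the diff whether the importer relies on these values, so confirm that before dropping them.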
@@ -431,10 +431,10 @@ } }, { - "id": 3677726936, + "id": 839006797, "definition": { "type": "note", - "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n", + "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -450,7 +450,7 @@ } }, { - "id": 2781229465, + "id": 343279205, "definition": { "title": "GetSessionToken", "title_size": "16", @@ -492,7 +492,7 @@ } }, { - "id": 2485052917, + "id": 3960622053, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", 
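Review bot: In the new `content` string the `**Related Research:**` heading follows the last `**Related Incidents:**` bullet with only a single `\n`, so a CommonMark renderer would treat it as a lazy continuation of that list item rather than a new paragraph; the GetFederationToken note in the hunk at line 955 has the same shape. The existing AssumeRole notes already use this layout, so it may render acceptably in Datadog's note widget — worth checking once in the UI. If it does not, emitting `\n\n**Related Research:**` from whatever builds these strings fixes all of them at once.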
@@ -511,7 +511,7 @@ } }, { - "id": 1687894333, + "id": 1317410813, "definition": { "title": "AssumeRole", "title_size": "16", @@ -553,7 +553,7 @@ } }, { - "id": 3675961305, + "id": 1225062937, "definition": { "type": "note", "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n", @@ -572,7 +572,7 @@ } }, { - "id": 2779463834, + "id": 729335345, "definition": { "title": "AssumeRoleWithSAML", "title_size": "16", @@ -614,7 +614,7 @@ } }, { - "id": 3429512177, + "id": 459735978, "definition": { "type": "note", "content": "### [PasswordRecoveryRequested ](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested )\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n", @@ -633,7 +633,7 @@ } }, { - "id": 2632353593, + "id": 4258975682, "definition": { "title": "PasswordRecoveryRequested ", "title_size": "16", 
@@ -675,7 +675,7 @@ } }, { - "id": 4246526173, + "id": 3283749503, "definition": { "type": "note", "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -694,7 +694,7 @@ } }, { - "id": 3350028702, + "id": 640538263, "definition": { "title": "ConsoleLogin", "title_size": "16", 
@@ -745,7 +745,7 @@ } }, { - "id": 1882811693, + "id": 2996386953, "definition": { "type": "group", "layout_type": "ordered", @@ -754,7 +754,7 @@ "show_title": true, "widgets": [ { - "id": 3056149781, + "id": 3323236379, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -773,7 +773,7 @@ } }, { - "id": 2159652310, + "id": 680025139, "definition": { "title": "SendCommand", "title_size": "16", @@ -815,7 +815,7 @@ } }, { - "id": 1185364541, + "id": 3012716631, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", 
@@ -834,7 +834,7 @@ } }, { - "id": 288867070, + "id": 369505391, "definition": { "title": "StartSession", "title_size": "16", @@ -876,7 +876,7 @@ } }, { - "id": 2899053131, + "id": 2969203002, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -895,7 +895,7 @@ } }, { - "id": 2002555660, + "id": 2473475410, "definition": { "title": "ResumeSession", "title_size": "16", @@ -946,7 +946,7 @@ } }, { - "id": 160161285, + "id": 1659333303, "definition": { "type": "group", "layout_type": "ordered", 
@@ -955,10 +955,10 @@ "show_title": true, "widgets": [ { - "id": 2149206830, + "id": 3747166130, "definition": { "type": "note", - "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", + "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -974,7 +974,7 @@ } }, { - "id": 1352048246, + "id": 3251438538, "definition": { "title": "GetFederationToken", "title_size": "16", @@ -1016,7 +1016,7 @@ } }, { - "id": 2117445661, + "id": 3327941570, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -1035,7 +1035,7 @@ } }, { - "id": 3467770725, + "id": 684730330, "definition": { "title": "AssumeRole", "title_size": "16", @@ -1077,7 +1077,7 @@ } }, { - "id": 1835600702, + "id": 215583257, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -1096,7 +1096,7 @@ } }, { - "id": 1038442118, + "id": 1867339313, "definition": { "title": "CreateFunction20150331", "title_size": "16", @@ -1138,7 +1138,7 @@ } }, { - "id": 2429323935, + "id": 3112022501, "definition": { "type": "note", "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n", @@ -1157,7 +1157,7 @@ } }, { - "id": 1532826464, + "id": 2616294909, "definition": { "title": "UpdateFunctionConfiguration20150331v2", "title_size": "16", 
@@ -1199,7 +1199,7 @@ } }, { - "id": 3385787293, + "id": 310072961, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -1218,7 +1218,7 @@ } }, { - "id": 341806174, + "id": 4109312665, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -1260,7 +1260,7 @@ } }, { - "id": 4127557336, + "id": 369032707, "definition": { "type": "note", "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -1279,7 +1279,7 @@ } }, { - "id": 1083576217, + "id": 4168272411, "definition": { "title": "PutTargets", "title_size": "16", 
@@ -1321,7 +1321,7 @@ } }, { - "id": 3547405139, + "id": 4082383453, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -1340,7 +1340,7 @@ } }, { - "id": 503424020, + "id": 3586655861, "definition": { "title": "PutRule", "title_size": "16", 
@@ -1382,10 +1382,10 @@ } }, { - "id": 2471966862, + "id": 2199122828, "definition": { "type": "note", - "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateSAMLProvider](https://traildiscover.cloud/#IAM-CreateSAMLProvider)\n\n**Description:** Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1401,9 +1401,9 @@ } }, { - "id": 3722953039, + "id": 1703395236, "definition": { - "title": "UpdateLoginProfile", + "title": "CreateSAMLProvider", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -1421,7 +1421,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateSAMLProvider $userIdentity.arn $network.client.ip $account" } } ], @@ -1443,10 +1443,10 @@ } }, { - "id": 3916644791, + "id": 3289875963, "definition": { "type": "note", - "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", + "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -1462,9 +1462,9 @@ } }, { - "id": 872663672, + "id": 646664723, "definition": { - "title": "UpdateAccessKey", + "title": "UpdateLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1482,7 +1482,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateAccessKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account" } } ], @@ -1504,10 +1504,10 @@ } }, { - "id": 3770888334, + "id": 2957385177, "definition": { "type": "note", - "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -1523,7 +1523,68 @@ } }, { - "id": 2874390863, + "id": 2461657585, + "definition": { + "title": "UpdateAccessKey", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:UpdateAccessKey $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 6, + "width": 2, + "height": 2 + } + }, + { + "id": 986550266, + "definition": { + "type": "note", + "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 6, + "width": 2, + "height": 2 + } + }, + { + "id": 2538967435, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -1558,14 +1619,14 @@ "precision": 2 }, "layout": { - "x": 2, + "x": 6, "y": 6, "width": 2, "height": 2 } }, { - "id": 3311550092, + "id": 657542373, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", 
@@ -1577,14 +1638,14 @@ "has_padding": true }, "layout": { - "x": 4, + "x": 8, "y": 6, "width": 2, "height": 2 } }, { - "id": 267568973, + "id": 2309298429, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -1619,14 +1680,136 @@ "precision": 2 }, "layout": { - "x": 6, + "x": 10, "y": 6, "width": 2, "height": 2 } }, { - "id": 4216541587, + "id": 756187096, + "definition": { + "type": "note", + "content": "### [StartSSO](https://traildiscover.cloud/#SSO-StartSSO)\n\n**Description:** Initialize AWS IAM Identity Center\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 0, + "y": 8, + "width": 2, + "height": 2 + } + }, + { + "id": 2407943152, + "definition": { + "title": "StartSSO", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:StartSSO $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 8, + "width": 2, + "height": 2 + } + }, + { + "id": 3123983699, + "definition": { + "type": "note", + "content": "### [CreateOpenIDConnectProvider](https://traildiscover.cloud/#IAM-CreateOpenIDConnectProvider)\n\n**Description:** Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": 
"top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 8, + "width": 2, + "height": 2 + } + }, + { + "id": 480772459, + "definition": { + "title": "CreateOpenIDConnectProvider", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:CreateOpenIDConnectProvider $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 8, + "width": 2, + "height": 2 + } + }, + { + "id": 2477981653, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1639,13 +1822,13 @@ }, "layout": { "x": 8, - "y": 6, + "y": 8, "width": 2, "height": 2 } }, { - "id": 1172560468, + "id": 1982254061, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -1681,13 +1864,13 @@ }, "layout": { "x": 10, - "y": 6, + "y": 8, "width": 2, "height": 2 } }, { - "id": 2021964796, + "id": 1429413464, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1700,13 +1883,13 @@ }, "layout": { "x": 0, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 1224806212, + "id": 933685872, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -1742,13 +1925,13 @@ }, "layout": { "x": 2, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 2542301040, + "id": 1343372718, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -1761,13 +1944,13 @@ }, "layout": { "x": 4, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 3793287217, + "id": 2995128774, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -1803,13 +1986,13 @@ }, "layout": { "x": 6, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 1459178230, + "id": 2796625157, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1822,13 +2005,13 @@ }, "layout": { "x": 8, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 2809503294, + "id": 2300897565, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -1864,13 +2047,13 @@ }, "layout": { "x": 10, - "y": 8, + "y": 10, "width": 2, "height": 2 } }, { - "id": 2792039541, + "id": 615394069, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -1883,13 +2066,13 @@ }, "layout": { "x": 0, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 1994880957, + "id": 119666477, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -1925,13 +2108,13 @@ }, "layout": { "x": 2, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 3159772453, + "id": 2891451944, "definition": { "type": "note", "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -1944,13 +2127,13 @@ }, "layout": { "x": 4, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 2362613869, + "id": 2395724352, "definition": { "title": "CreateRole", "title_size": "16", @@ -1986,13 +2169,13 @@ }, "layout": { "x": 6, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 1417641780, + "id": 2442492271, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2005,13 +2188,13 @@ }, "layout": { "x": 8, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 521144309, + "id": 1946764679, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", 
@@ -2047,13 +2230,13 @@ }, "layout": { "x": 10, - "y": 10, + "y": 12, "width": 2, "height": 2 } }, { - "id": 3343520255, + "id": 4246563145, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2066,13 +2249,13 @@ }, "layout": { "x": 0, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 299539136, + "id": 3750835553, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -2108,13 +2291,13 @@ }, "layout": { "x": 2, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 2268449601, + "id": 3439835315, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2127,13 +2310,13 @@ }, "layout": { "x": 4, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 1371952130, + "id": 2944107723, "definition": { "title": "UpdateResolver", "title_size": "16", 
@@ -2169,13 +2352,13 @@ }, "layout": { "x": 6, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 1323074939, + "id": 371316818, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -2188,13 +2371,13 @@ }, "layout": { "x": 8, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 2574061116, + "id": 1923733987, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -2230,13 +2413,13 @@ }, "layout": { "x": 10, - "y": 12, + "y": 14, "width": 2, "height": 2 } }, { - "id": 75974345, + "id": 528933223, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2249,13 +2432,13 @@ }, "layout": { "x": 0, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 1426299409, + "id": 33205631, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -2291,13 +2474,13 @@ }, "layout": { "x": 2, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 2686206523, + "id": 92199317, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -2310,13 +2493,13 @@ }, "layout": { "x": 4, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 3937192700, + "id": 3891439021, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -2352,13 +2535,13 @@ }, "layout": { "x": 6, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 2033716540, + "id": 230528264, "definition": { "type": "note", "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -2371,13 +2554,13 @@ }, "layout": { "x": 8, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 1137219069, + "id": 4029767968, "definition": { "title": "CreateNetworkAclEntry", "title_size": "16", 
@@ -2413,13 +2596,13 @@ }, "layout": { "x": 10, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 572259551, + "id": 3511201690, "definition": { "type": "note", "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -2432,13 +2615,13 @@ }, "layout": { "x": 0, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 1823245728, + "id": 3015474098, "definition": { "title": "CreateKeyPair", "title_size": "16", 
@@ -2474,16 +2657,16 @@ }, "layout": { "x": 2, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 1911142039, + "id": 2142486532, "definition": { "type": "note", - "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", + "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of 
DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2493,13 +2676,13 @@ }, "layout": { "x": 4, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 3162128216, + "id": 1646758940, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -2535,16 +2718,16 @@ }, "layout": { "x": 6, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 3126092237, + "id": 517938745, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: 
Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About 
Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2554,13 +2737,13 @@ }, "layout": { "x": 8, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 2229594766, + "id": 2169694801, "definition": { "title": "RunInstances", "title_size": "16", 
@@ -2596,13 +2779,13 @@ }, "layout": { "x": 10, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 2833764934, + "id": 2044158600, "definition": { "type": "note", "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", @@ -2615,13 +2798,13 @@ }, "layout": { "x": 0, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 2036606350, + "id": 3695914656, "definition": { "title": "ImportKeyPair", "title_size": "16", @@ -2657,7 +2840,7 @@ }, "layout": { "x": 2, - "y": 18, + "y": 20, "width": 2, "height": 2 } @@ -2668,11 +2851,11 @@ "x": 0, "y": 15, "width": 12, - "height": 22 + "height": 24 } }, { - "id": 3798791322, + "id": 1503107282, "definition": { "type": "group", "layout_type": "ordered", 
@@ -2681,7 +2864,7 @@ "show_title": true, "widgets": [ { - "id": 1022588847, + "id": 3505131373, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -2700,7 +2883,7 @@ } }, { - "id": 126091376, + "id": 762581246, "definition": { "title": "AssumeRole", "title_size": "16", @@ -2742,7 +2925,7 @@ } }, { - "id": 3663175269, + "id": 3447325670, "definition": { "type": "note", "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2761,7 +2944,7 @@ } }, { - "id": 619194150, + "id": 2951598078, "definition": { "title": "GetCredentialsForIdentity", "title_size": "16", 
@@ -2803,7 +2986,7 @@ } }, { - "id": 772163590, + "id": 1481010747, "definition": { "type": "note", "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2822,7 +3005,7 @@ } }, { - "id": 2122488654, + "id": 985283155, "definition": { "title": "GetId", "title_size": "16", @@ -2864,7 +3047,7 @@ } }, { - "id": 4230390334, + "id": 2540256708, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2883,7 +3066,7 @@ } }, { - "id": 1186409215, + "id": 4192012764, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -2925,7 +3108,7 @@ } }, { - "id": 4049156439, + "id": 1935993835, "definition": { "type": "note", "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2944,7 +3127,7 @@ } }, { - "id": 3152658968, + "id": 1440266243, "definition": { "title": "CreateEventSourceMapping20150331", "title_size": "16", @@ -2986,7 +3169,7 @@ } }, { - "id": 1028994391, + "id": 2062131361, "definition": { "type": "note", "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3005,7 +3188,7 @@ } }, { - "id": 132496920, + "id": 1566403769, "definition": { "title": "AddPermission20150331v2", "title_size": "16", @@ -3047,7 +3230,7 @@ } }, { - "id": 3944799601, + "id": 3455005799, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3066,7 +3249,7 @@ } }, { - "id": 900818482, + "id": 811794559, "definition": { "title": "Invoke", "title_size": "16", 
@@ -3108,7 +3291,7 @@ } }, { - "id": 726455443, + "id": 4075956426, "definition": { "type": "note", "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -3127,7 +3310,7 @@ } }, { - "id": 1977441620, + "id": 3580228834, "definition": { "title": "UpdateEventSourceMapping20150331", "title_size": "16", @@ -3169,7 +3352,7 @@ } }, { - "id": 1736143798, + "id": 4156885466, "definition": { "type": "note", "content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3188,7 +3371,7 @@ } }, { - "id": 839646327, + "id": 3661157874, "definition": { "title": "DeleteRolePolicy", "title_size": "16", @@ -3230,7 +3413,7 @@ } }, { - "id": 2604161271, + "id": 3011860223, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -3249,7 +3432,7 @@ } }, { - "id": 3954486335, + "id": 368648983, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -3291,7 +3474,7 @@ } }, { - "id": 1277771161, + "id": 2073182094, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3310,7 +3493,7 @@ } }, { - "id": 2628096225, + "id": 3724938150, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -3352,7 +3535,7 @@ } }, { - "id": 3378992563, + "id": 664961769, "definition": { "type": "note", "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3371,7 +3554,7 @@ } }, { - "id": 434350331, + "id": 2316717825, "definition": { "title": "AddUserToGroup", "title_size": "16", 
@@ -3413,7 +3596,7 @@ } }, { - "id": 3918855431, + "id": 3160163956, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3432,7 +3615,7 @@ } }, { - "id": 974213199, + "id": 516952716, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -3474,7 +3657,7 @@ } }, { - "id": 1312033541, + "id": 2930494950, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3493,7 +3676,7 @@ } }, { - "id": 415536070, + "id": 2434767358, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -3535,7 +3718,7 @@ } }, { - "id": 876152976, + "id": 1629039534, "definition": { "type": "note", "content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3554,7 +3737,7 @@ } }, { - "id": 4274622801, + "id": 3280795590, "definition": { "title": "CreatePolicyVersion", "title_size": "16", @@ -3596,7 +3779,7 @@ } }, { - "id": 2757754426, + "id": 1116737238, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3615,7 +3798,7 @@ } }, { - "id": 1861256955, + "id": 2768493294, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -3657,7 +3840,7 @@ } }, { - "id": 2463989380, + "id": 3121902456, "definition": { "type": "note", "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3676,7 +3859,7 @@ } }, { - "id": 1666830796, + "id": 2626174864, "definition": { "title": "PutRolePermissionsBoundary", "title_size": "16", 
@@ -3718,7 +3901,7 @@ } }, { - "id": 2028811793, + "id": 2788531622, "definition": { "type": "note", "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3737,7 +3920,7 @@ } }, { - "id": 3379136857, + "id": 2292804030, "definition": { "title": "PutUserPermissionsBoundary", "title_size": "16", @@ -3779,7 +3962,7 @@ } }, { - "id": 4137699138, + "id": 3301969340, "definition": { "type": "note", "content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3798,7 +3981,7 @@ } }, { - "id": 3241201667, + "id": 2806241748, "definition": { "title": "DeleteUserPermissionsBoundary", "title_size": "16", @@ -3840,7 +4023,7 @@ } }, { - "id": 793876953, + "id": 2314784856, "definition": { "type": "note", "content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3859,7 +4042,7 @@ } }, { - "id": 4291685665, + "id": 1819057264, "definition": { "title": "AttachRolePolicy", "title_size": "16", 
@@ -3901,7 +4084,7 @@ } }, { - "id": 2401893401, + "id": 3597055404, "definition": { "type": "note", "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3920,7 +4103,7 @@ } }, { - "id": 3652879578, + "id": 3101327812, "definition": { "title": "SetDefaultPolicyVersion", "title_size": "16", @@ -3962,7 +4145,7 @@ } }, { - "id": 2217025036, + "id": 1261287784, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3981,7 +4164,7 @@ } }, { - "id": 1320527565, + "id": 765560192, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -4023,7 +4206,7 @@ } }, { - "id": 128062396, + "id": 3613095787, "definition": { "type": "note", "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", @@ -4042,7 +4225,7 @@ } }, { - "id": 3526532221, + "id": 969884547, "definition": { "title": "CreateGroup", "title_size": "16", @@ -4084,7 +4267,7 @@ } }, { - "id": 3074591630, + "id": 1554882393, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4103,7 +4286,7 @@ } }, { - "id": 2178094159, + "id": 3206638449, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -4145,7 +4328,7 @@ } }, { - "id": 3485725353, + "id": 4077155787, "definition": { "type": "note", "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4164,7 +4347,7 @@ } }, { - "id": 2688566769, + "id": 3581428195, "definition": { "title": "DeleteRolePermissionsBoundary", "title_size": "16", @@ -4206,7 +4389,7 @@ } }, { - "id": 1941781999, + "id": 4059681117, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4225,7 +4408,7 @@ } }, { - "id": 1045284528, + "id": 3563953525, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4267,7 +4450,7 @@ } }, { - "id": 2690268137, + "id": 3616325295, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -4286,7 +4469,7 @@ } }, { - "id": 1893109553, + "id": 3120597703, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -4328,7 +4511,7 @@ } }, { - "id": 364321416, + "id": 2069155223, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -4347,7 +4530,7 @@ } }, { - "id": 1615307593, + "id": 1573427631, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -4389,7 +4572,7 @@ } }, { - "id": 2382868047, + "id": 3138128220, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4408,7 +4591,7 @@ } }, { - "id": 3633854224, + "id": 494916980, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -4450,7 +4633,7 @@ } }, { - "id": 878879657, + "id": 2176892204, "definition": { "type": "note", "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4469,7 +4652,7 @@ } }, { - "id": 81721073, + "id": 1681164612, "definition": { "title": "PutRolePolicy", "title_size": "16", @@ -4511,7 +4694,7 @@ } }, { - "id": 2046949308, + "id": 3242141544, "definition": { "type": "note", "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", @@ -4530,7 +4713,7 @@ } }, { - "id": 1249790724, + "id": 2746413952, "definition": { "title": "AddRoleToInstanceProfile", "title_size": "16", 
@@ -4572,7 +4755,7 @@ } }, { - "id": 418621141, + "id": 1701251402, "definition": { "type": "note", "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4591,7 +4774,7 @@ } }, { - "id": 3916429853, + "id": 1106184923, "definition": { "title": "AttachGroupPolicy", "title_size": "16", @@ -4633,7 +4816,7 @@ } }, { - "id": 2613734707, + "id": 432184432, "definition": { "type": "note", "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4652,7 +4835,7 @@ } }, { - "id": 3964059771, + "id": 4231424136, "definition": { "title": "AssociateAccessPolicy", "title_size": "16", @@ -4694,7 +4877,7 @@ } }, { - "id": 1408794526, + "id": 1247675485, "definition": { "type": "note", "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4713,7 +4896,7 @@ } }, { - "id": 2659780703, + "id": 2899431541, "definition": { "title": "CreateAccessEntry", "title_size": "16", 
@@ -4755,7 +4938,7 @@ } }, { - "id": 1095923573, + "id": 589398513, "definition": { "type": "note", "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -4774,7 +4957,7 @@ } }, { - "id": 298764989, + "id": 2241154569, "definition": { "title": "ModifyInstanceAttribute", "title_size": "16", @@ -4816,7 +4999,7 @@ } }, { - "id": 1174376961, + "id": 776907477, "definition": { "type": "note", "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -4835,7 +5018,7 @@ } }, { - "id": 277879490, + "id": 281179885, "definition": { "title": "ReplaceIamInstanceProfileAssociation", "title_size": "16", 
@@ -4877,7 +5060,7 @@ } }, { - "id": 3663011709, + "id": 3813985218, "definition": { "type": "note", "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4896,7 +5079,7 @@ } }, { - "id": 2766514238, + "id": 3318257626, "definition": { "title": "CreateDevEndpoint", "title_size": "16", @@ -4938,7 +5121,7 @@ } }, { - "id": 1191496113, + "id": 3455897844, "definition": { "type": "note", "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4957,7 +5140,7 @@ } }, { - "id": 2541821177, + "id": 2960170252, "definition": { "title": "UpdateJob", "title_size": "16", @@ -4999,7 +5182,7 @@ } }, { - "id": 721514547, + "id": 1009613561, "definition": { "type": "note", "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5018,7 +5201,7 @@ } }, { - "id": 4119984372, + "id": 513885969, "definition": { "title": "CreateJob", "title_size": "16", @@ -5060,7 +5243,7 @@ } }, { - "id": 1749441289, + "id": 3789170845, "definition": { "type": "note", "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -5079,7 +5262,7 @@ } }, { - "id": 852943818, + "id": 3293443253, "definition": { "title": "UpdateDevEndpoint", "title_size": "16", @@ -5124,13 +5307,13 @@ }, "layout": { "x": 0, - "y": 37, + "y": 39, "width": 12, "height": 30 } }, { - "id": 451105512, + "id": 239565790, "definition": { "type": "group", "layout_type": "ordered", @@ -5139,10 +5322,10 @@ "show_title": true, "widgets": [ { - "id": 3599067378, + "id": 1796173027, "definition": { "type": "note", - "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", + "content": "### [InviteAccountToOrganization](https://traildiscover.cloud/#Organizations-InviteAccountToOrganization)\n\n**Description:** Sends an invitation to another account to join your organization as a member account.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5158,9 +5341,9 @@ } }, { - "id": 555086259, + "id": 3447929083, "definition": { - "title": "LeaveOrganization", + "title": "InviteAccountToOrganization", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5178,7 +5361,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:LeaveOrganization $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InviteAccountToOrganization $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5200,10 +5383,10 @@ } }, { - "id": 1000802182, + "id": 1096762342, "definition": { "type": "note", - "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [CreateAccount](https://traildiscover.cloud/#Organizations-CreateAccount)\n\n**Description:** Creates an AWS account that is automatically a member of the organization whose credentials made the request.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5219,9 +5402,9 @@ } }, { - "id": 104304711, + "id": 601034750, "definition": { - "title": "PutLogEvents", + "title": "CreateAccount", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5239,7 +5422,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateAccount $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5261,10 +5444,10 @@ } }, { - "id": 2211101291, + "id": 4273994413, "definition": { "type": "note", - "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n", + "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5280,9 +5463,9 @@ } }, { - "id": 3462087468, + "id": 3778266821, "definition": { - "title": "DeleteAlarms", + "title": "LeaveOrganization", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5300,7 +5483,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteAlarms $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:LeaveOrganization $userIdentity.arn $network.client.ip $account" } } ], 
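Review bot: The LeaveOrganization note added in this hunk carries a malformed URL, `hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`, so the "Related Research" link to the detection rule is dead on the new side just as it was on the old. This dashboard looks generated from per-event definitions, so the fix presumably belongs in the LeaveOrganization event source that the generator reads rather than in this file; the corrected value is `https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`. A quick check that every `content` URL starts with `https://` in the generator (or a test over the event files) would stop this class of typo from reaching the dashboard again.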
@@ -5322,10 +5505,10 @@ } }, { - "id": 3675344909, + "id": 4143205983, "definition": { "type": "note", - "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", + "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5341,9 +5524,9 @@ } }, { - "id": 2878186325, + "id": 3647478391, "definition": { - "title": "DeleteLogGroup", + "title": "PutLogEvents", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5361,7 +5544,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLogGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" } } ], 
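Review bot: The PutLogEvents note and query_value widgets produced here reappear verbatim in the hunk at new line 5749 (`"id": 4143205983` and `"id": 3647478391` both occur twice on the new side), so the dashboard ends up with two identical PutLogEvents panels sharing widget ids. This duplication existed before the commit, but the regenerated ids preserve it, which suggests the event is listed in two places in the generator's input; widget ids are presumably expected to be unique within a dashboard, so this is worth verifying against an actual import. If the second listing is intentional (the same event under two categories), the generator should at least assign distinct ids; otherwise dropping the duplicate entry from the source data removes both panels in one place.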
@@ -5383,10 +5566,10 @@ } }, { - "id": 3488845796, + "id": 930548023, "definition": { "type": "note", - "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", + "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5402,9 +5585,9 @@ } }, { - "id": 444864677, + "id": 2582304079, "definition": { - "title": "DeleteLogStream", + "title": "DeleteAlarms", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5422,7 +5605,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLogStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteAlarms $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5444,10 +5627,10 @@ } }, { - "id": 1000802182, + "id": 1196300391, "definition": { "type": "note", - "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5463,9 +5646,9 @@ } }, { - "id": 104304711, + "id": 2748717560, "definition": { - "title": "PutLogEvents", + "title": "DeleteLogGroup", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5483,7 +5666,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteLogGroup $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5505,10 +5688,10 @@ } }, { - "id": 953648751, + "id": 2592249971, "definition": { "type": "note", - "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5524,9 +5707,9 @@ } }, { - "id": 2303973815, + "id": 4244006027, "definition": { - "title": "CreateLogStream", + "title": "DeleteLogStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5544,7 +5727,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateLogStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteLogStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5566,10 +5749,10 @@ } }, { - "id": 1145075169, + "id": 4143205983, "definition": { "type": "note", - "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5585,9 +5768,9 @@ } }, { - "id": 248577698, + "id": 3647478391, "definition": { - "title": "DeleteRule", + "title": "PutLogEvents", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5605,7 +5788,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5627,10 +5810,10 @@ } }, { - "id": 235544294, + "id": 3659357783, "definition": { "type": "note", - "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5646,9 +5829,9 @@ } }, { - "id": 1486530471, + "id": 3163630191, "definition": { - "title": "RemoveTargets", + "title": "CreateLogStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5666,7 +5849,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateLogStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5688,10 +5871,10 @@ } }, { - "id": 2882275028, + "id": 1925427135, "definition": { "type": "note", - "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5707,9 +5890,9 @@ } }, { - "id": 4232600092, + "id": 1429699543, "definition": { - "title": "DisableRule", + "title": "DeleteRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5727,7 +5910,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5749,10 +5932,10 @@ } }, { - "id": 2024893808, + "id": 3281856696, "definition": { "type": "note", - "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5768,9 +5951,9 @@ } }, { - "id": 3275879985, + "id": 539306569, "definition": { - "title": "PutRule", + "title": "RemoveTargets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5788,7 +5971,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5810,10 +5993,10 @@ } }, { - "id": 2146705797, + "id": 2989936191, "definition": { "type": "note", - "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5829,9 +6012,9 @@ } }, { - "id": 1349547213, + "id": 2494208599, "definition": { - "title": "CreateInstances", + "title": "DisableRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5849,7 +6032,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5871,10 +6054,10 @@ } }, { - "id": 3141459334, + "id": 1358789946, "definition": { "type": "note", - "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5890,9 +6073,9 @@ } }, { - "id": 2344300750, + "id": 3010546002, "definition": { - "title": "DeleteMembers", + "title": "PutRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5910,7 +6093,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5932,10 +6115,10 @@ } }, { - "id": 3081166491, + "id": 1784879835, "definition": { "type": "note", - "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5951,9 +6134,9 @@ } }, { - "id": 37185372, + "id": 3337297004, "definition": { - "title": "DetachRolePolicy", + "title": "CreateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5971,7 +6154,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5993,10 +6176,10 @@ } }, { - "id": 3988359622, + "id": 1386303468, "definition": { "type": "note", - "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6012,9 +6195,9 @@ } }, { - "id": 3191201038, + "id": 890575876, "definition": { - "title": "DeleteUserPolicy", + "title": "DeleteMembers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6032,7 +6215,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6054,10 +6237,10 @@ } }, { - "id": 3266556253, + "id": 1115075537, "definition": { "type": "note", - "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6073,9 +6256,9 @@ } }, { - "id": 2469397669, + "id": 619347945, "definition": { - "title": "DeleteAccessKey", + "title": "DetachRolePolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6093,7 +6276,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteAccessKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6115,10 +6298,10 @@ } }, { - "id": 906666856, + "id": 1757321248, "definition": { "type": "note", - "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6134,9 +6317,9 @@ } }, { - "id": 2157653033, + "id": 1261593656, "definition": { - "title": "DeleteUser", + "title": "DeleteUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6154,7 +6337,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6176,10 +6359,10 @@ } }, { - "id": 3712812130, + "id": 2054121412, "definition": { "type": "note", - "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6195,9 +6378,9 @@ } }, { - "id": 2816314659, + "id": 1558393820, "definition": { - "title": "DetachUserPolicy", + "title": "DeleteAccessKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6215,7 +6398,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteAccessKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6237,10 +6420,10 @@ } }, { - "id": 2577115472, + "id": 240311568, "definition": { "type": "note", - "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6256,9 +6439,9 @@ } }, { - "id": 3927440536, + "id": 1892067624, "definition": { - "title": "DeleteLoginProfile", + "title": "DeleteUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6276,7 +6459,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteUser $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6298,10 +6481,10 @@ } }, { - "id": 1207995952, + "id": 436022684, "definition": { "type": "note", - "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", + "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6317,9 +6500,9 @@ } }, { - "id": 2458982129, + "id": 4235262388, "definition": { - "title": "DeactivateMFADevice", + "title": "DetachUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6337,7 +6520,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeactivateMFADevice $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6359,10 +6542,10 @@ } }, { - "id": 944820825, + "id": 4124372733, "definition": { "type": "note", - "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", + "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6378,9 +6561,9 @@ } }, { - "id": 48323354, + "id": 3628645141, "definition": { - "title": "CreateRule", + "title": "DeleteLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6398,7 +6581,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteLoginProfile $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6420,10 +6603,10 @@ } }, { - "id": 3873333191, + "id": 3441702120, "definition": { "type": "note", - "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", + "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6439,9 +6622,9 @@ } }, { - "id": 2976835720, + "id": 2945974528, "definition": { - "title": "StopLogging", + "title": "DeactivateMFADevice", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -6459,7 +6642,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopLogging $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeactivateMFADevice $userIdentity.arn $network.client.ip $account" } } ], @@ -6481,10 +6664,10 @@ } }, { - "id": 973914164, + "id": 3972666051, "definition": { "type": "note", - "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", + "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6500,9 +6683,9 @@ } }, { - "id": 176755580, + "id": 3476938459, "definition": { - "title": "UpdateTrail", + "title": "CreateRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6520,7 +6703,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateTrail $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6542,10 +6725,10 @@ } }, { - "id": 1520975350, + "id": 1762816202, "definition": { "type": "note", - "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", + "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -6561,9 +6744,9 @@ } }, { - "id": 624477879, + "id": 1167749723, "definition": { - "title": "DeleteTrail", + "title": "StopLogging", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6581,7 +6764,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteTrail $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopLogging $userIdentity.arn $network.client.ip $account" } } ], @@ -6603,10 +6786,10 @@ } }, { - "id": 2457597046, + "id": 4264104743, "definition": { "type": "note", - "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", + "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6622,9 +6805,9 @@ } }, { - "id": 1660438462, + "id": 3768377151, "definition": { - "title": "PutEventSelectors", + "title": "UpdateTrail", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -6642,7 +6825,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutEventSelectors $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateTrail $userIdentity.arn $network.client.ip $account" } } ], @@ -6664,10 +6847,10 @@ } }, { - "id": 700451299, + "id": 4221136133, "definition": { "type": "note", - "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6683,9 +6866,9 @@ } }, { - "id": 4098921124, + "id": 3725408541, "definition": { - "title": "UpdateGraphqlApi", + "title": "DeleteTrail", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6703,7 +6886,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteTrail $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6725,10 +6908,10 @@ } }, { - "id": 1821008924, + "id": 900381533, "definition": { "type": "note", - "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6744,9 +6927,9 @@ } }, { - "id": 924511453, + "id": 404653941, "definition": { - "title": "CreateApiKey", + "title": "PutEventSelectors", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6764,7 +6947,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutEventSelectors $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6786,10 +6969,10 @@ } }, { - "id": 1551259120, + "id": 1965721299, "definition": { "type": "note", - "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6805,9 +6988,9 @@ } }, { - "id": 654761649, + "id": 3617477355, "definition": { - "title": "UpdateResolver", + "title": "UpdateGraphqlApi", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6825,7 +7008,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6847,10 +7030,10 @@ } }, { - "id": 3522343928, + "id": 1522969638, "definition": { "type": "note", - "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", + "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6866,9 +7049,9 @@ } }, { - "id": 2625846457, + "id": 1027242046, "definition": { - "title": "DeleteBucketPolicy", + "title": "CreateApiKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6886,7 +7069,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteBucketPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6908,10 +7091,10 @@ } }, { - "id": 3394609593, + "id": 3716664319, "definition": { "type": "note", - "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", + "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6927,9 +7110,9 @@ } }, { - "id": 2498112122, + "id": 3220936727, "definition": { - "title": "DeleteFlowLogs", + "title": "UpdateResolver", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6947,7 +7130,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteFlowLogs $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6969,10 +7152,10 @@ } }, { - "id": 1605891909, + "id": 2783540918, "definition": { "type": "note", - "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", + "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6988,9 +7171,9 @@ } }, { - "id": 808733325, + "id": 140329678, "definition": { - "title": "DeleteNetworkAcl", + "title": "DeleteBucketPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7008,7 +7191,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteNetworkAcl $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteBucketPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7030,10 +7213,10 @@ } }, { - "id": 1335732021, + "id": 748439779, "definition": { "type": "note", - "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7049,9 +7232,9 @@ } }, { - "id": 439234550, + "id": 2400195835, "definition": { - "title": "TerminateInstances", + "title": "DeleteFlowLogs", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -7069,7 +7252,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteFlowLogs $userIdentity.arn $network.client.ip $account" } } ], @@ -7091,10 +7274,10 @@ } }, { - "id": 3588964608, + "id": 13689000, "definition": { "type": "note", - "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", + "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7110,9 +7293,9 @@ } }, { - "id": 644322376, + "id": 3812928704, "definition": { - "title": "DeleteNetworkAclEntry", + "title": "DeleteNetworkAcl", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7130,7 +7313,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteNetworkAclEntry $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteNetworkAcl $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7152,10 +7335,10 @@ } }, { - "id": 2397989545, + "id": 2090706372, "definition": { "type": "note", - "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7171,9 +7354,9 @@ } }, { - "id": 3648975722, + "id": 1594978780, "definition": { - "title": "StopInstances", + "title": "TerminateInstances", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -7191,7 +7374,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" } } ], @@ -7213,10 +7396,10 @@ } }, { - "id": 2066824311, + "id": 3885009126, "definition": { "type": "note", - "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", + "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7232,9 +7415,9 @@ } }, { - "id": 1170326840, + "id": 3389281534, "definition": { - "title": "AuthorizeDBSecurityGroupIngress", + "title": "DeleteNetworkAclEntry", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7252,7 +7435,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AuthorizeDBSecurityGroupIngress $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteNetworkAclEntry $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7274,10 +7457,10 @@ } }, { - "id": 691446361, + "id": 3620923312, "definition": { "type": "note", - "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7293,9 +7476,9 @@ } }, { - "id": 4089916186, + "id": 3125195720, "definition": { - "title": "ModifyActivityStream", + "title": "StopInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7313,7 +7496,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ModifyActivityStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7335,10 +7518,10 @@ } }, { - "id": 1131935934, + "id": 1846118731, "definition": { "type": "note", - "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7354,9 +7537,9 @@ } }, { - "id": 235438463, + "id": 3497874787, "definition": { - "title": "DeleteIdentity", + "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7374,7 +7557,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteIdentity $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AuthorizeDBSecurityGroupIngress $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7396,10 +7579,10 @@ } }, { - "id": 2632151139, + "id": 1161222978, "definition": { "type": "note", - "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7415,9 +7598,9 @@ } }, { - "id": 1735653668, + "id": 665495386, "definition": { - "title": "UpdateIPSet", + "title": "ModifyActivityStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7435,7 +7618,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ModifyActivityStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7457,10 +7640,10 @@ } }, { - "id": 2950858544, + "id": 2525508603, "definition": { "type": "note", - "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", + "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7476,9 +7659,9 @@ } }, { - "id": 4201844721, + "id": 4177264659, "definition": { - "title": "DeleteInvitations", + "title": "DeleteIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7496,7 +7679,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteInvitations $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteIdentity $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7518,10 +7701,10 @@ } }, { - "id": 4219024324, + "id": 2507555029, "definition": { "type": "note", - "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7537,9 +7720,9 @@ } }, { - "id": 1175043205, + "id": 2011827437, "definition": { - "title": "UpdateDetector", + "title": "UpdateIPSet", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7557,7 +7740,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateDetector $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" } } ], 
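Review bot: The new widget ids in this hunk, `2507555029` for the UpdateIPSet note and `2011827437` for its query_value widget, are the same ids given to the WAFV2 UpdateIPSet note and query_value widgets added in hunk `@@ -8452,7 +8635,129 @@`, so the new dashboard carries two widgets per id in different groups. Widget ids are normally unique within a dashboard, and duplicates can make imports or later per-widget updates ambiguous; the collision looks like the id is derived from the event name alone, since the old file already had the same pair (`2632151139` and `1735653668`) shared by both UpdateIPSet widgets. Deriving the id from service plus event, as the traildiscover anchor already does (`GuardDuty-UpdateIPSet` vs `WAFV2-UpdateIPSet`), would remove the collision. Because every other id in the file also changes with no content change (the hunks from `@@ -8592,7 +8897,7 @@` onward are id-only), a deterministic scheme of that kind would also keep future diffs to the widgets that actually changed.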
@@ -7579,10 +7762,10 @@ } }, { - "id": 3342185937, + "id": 474787532, "definition": { "type": "note", - "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7598,9 +7781,9 @@ } }, { - "id": 298204818, + "id": 4274027236, "definition": { - "title": "DeleteDetector", + "title": "DeleteInvitations", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7618,7 +7801,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteDetector $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteInvitations $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7640,10 +7823,10 @@ } }, { - "id": 3704162379, + "id": 2548566192, "definition": { "type": "note", - "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7659,9 +7842,9 @@ } }, { - "id": 2907003795, + "id": 2052838600, "definition": { - "title": "DeletePublishingDestination", + "title": "UpdateDetector", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7679,7 +7862,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeletePublishingDestination $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateDetector $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7701,10 +7884,10 @@ } }, { - "id": 2755555653, + "id": 49388944, "definition": { "type": "note", - "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7720,9 +7903,9 @@ } }, { - "id": 1859058182, + "id": 3848628648, "definition": { - "title": "DisassociateMembers", + "title": "DeleteDetector", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7740,7 +7923,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisassociateMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteDetector $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7762,10 +7945,10 @@ } }, { - "id": 3951473060, + "id": 1247994396, "definition": { "type": "note", - "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7781,9 +7964,9 @@ } }, { - "id": 3054975589, + "id": 752266804, "definition": { - "title": "DisassociateFromMasterAccount", + "title": "DeletePublishingDestination", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7801,7 +7984,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisassociateFromMasterAccount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeletePublishingDestination $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7823,10 +8006,10 @@ } }, { - "id": 4129137026, + "id": 3544588116, "definition": { "type": "note", - "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7842,9 +8025,9 @@ } }, { - "id": 3232639555, + "id": 3048860524, "definition": { - "title": "StopMonitoringMembers", + "title": "DisassociateMembers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7862,7 +8045,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopMonitoringMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DisassociateMembers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7884,10 +8067,10 @@ } }, { - "id": 3701284337, + "id": 3378214177, "definition": { "type": "note", - "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7903,9 +8086,9 @@ } }, { - "id": 657303218, + "id": 2882486585, "definition": { - "title": "CreateIPSet", + "title": "DisassociateFromMasterAccount", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7923,7 +8106,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateIPSet $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DisassociateFromMasterAccount $userIdentity.arn $network.client.ip $account" } } ], 
@@ -7945,10 +8128,10 @@ } }, { - "id": 2331921959, + "id": 2001342468, "definition": { "type": "note", - "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -7964,9 +8147,9 @@ } }, { - "id": 1435424488, + "id": 1505614876, "definition": { - "title": "CreateFilter", + "title": "StopMonitoringMembers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -7984,7 +8167,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFilter $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopMonitoringMembers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8006,10 +8189,10 @@ } }, { - "id": 3141459334, + "id": 2417175810, "definition": { "type": "note", - "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8025,9 +8208,9 @@ } }, { - "id": 2344300750, + "id": 3969592979, "definition": { - "title": "DeleteMembers", + "title": "CreateIPSet", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8045,7 +8228,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateIPSet $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8067,10 +8250,10 @@ } }, { - "id": 2329752639, + "id": 4247372559, "definition": { "type": "note", - "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", + "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8086,9 +8269,9 @@ } }, { - "id": 1433255168, + "id": 3751644967, "definition": { - "title": "DeleteConfigurationRecorder", + "title": "CreateFilter", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8106,7 +8289,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteConfigurationRecorder $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFilter $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8128,10 +8311,10 @@ } }, { - "id": 3276191920, + "id": 1386303468, "definition": { "type": "note", - "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8147,9 +8330,9 @@ } }, { - "id": 2379694449, + "id": 890575876, "definition": { - "title": "DeleteDeliveryChannel", + "title": "DeleteMembers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8167,7 +8350,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteDeliveryChannel $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8189,10 +8372,10 @@ } }, { - "id": 3231226590, + "id": 3886323524, "definition": { "type": "note", - "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8208,9 +8391,9 @@ } }, { - "id": 2334729119, + "id": 3390595932, "definition": { - "title": "StopConfigurationRecorder", + "title": "DeleteConfigurationRecorder", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8228,7 +8411,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopConfigurationRecorder $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteConfigurationRecorder $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8250,10 +8433,10 @@ } }, { - "id": 3056072165, + "id": 3589652769, "definition": { "type": "note", - "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", + "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8269,9 +8452,9 @@ } }, { - "id": 12091046, + "id": 3093925177, "definition": { - "title": "DeleteConfigRule", + "title": "DeleteDeliveryChannel", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8289,7 +8472,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteConfigRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteDeliveryChannel $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8311,10 +8494,10 @@ } }, { - "id": 416662789, + "id": 2404364544, "definition": { "type": "note", - "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8330,9 +8513,9 @@ } }, { - "id": 3815132614, + "id": 3956781713, "definition": { - "title": "DeleteRuleGroup", + "title": "StopConfigurationRecorder", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8350,7 +8533,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRuleGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopConfigurationRecorder $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8372,10 +8555,10 @@ } }, { - "id": 2632151139, + "id": 4071211491, "definition": { "type": "note", - "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8391,9 +8574,9 @@ } }, { - "id": 1735653668, + "id": 3575483899, "definition": { - "title": "UpdateIPSet", + "title": "DeleteConfigRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8411,7 +8594,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteConfigRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8433,10 +8616,10 @@ } }, { - "id": 2184422100, + "id": 3334911921, "definition": { "type": "note", - "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -8452,7 +8635,129 @@ } }, { - "id": 1287924629, + "id": 691700681, + "definition": { + "title": "DeleteRuleGroup", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:DeleteRuleGroup $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 36, + "width": 2, + "height": 2 + } + }, + { + "id": 2507555029, + "definition": { + "type": "note", + "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 36, + "width": 2, + "height": 2 + } + }, + { + "id": 2011827437, + "definition": { + "title": "UpdateIPSet", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 36, + "width": 2, + "height": 2 + } + }, + { + "id": 1855668959, + "definition": { + "type": "note", + "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes 
the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 8, + "y": 36, + "width": 2, + "height": 2 + } + }, + { + "id": 3507425015, "definition": { "title": "DeleteWebACL", "title_size": "16", @@ -8487,7 +8792,7 @@ "precision": 2 }, "layout": { - "x": 2, + "x": 10, "y": 36, "width": 2, "height": 2 @@ -8497,13 +8802,13 @@ }, "layout": { "x": 0, - "y": 67, + "y": 69, "width": 12, "height": 40 } }, { - "id": 2119893646, + "id": 2801495301, "definition": { "type": "group", "layout_type": "ordered", @@ -8512,7 +8817,7 @@ "show_title": true, "widgets": [ { - "id": 4289833058, + "id": 989095754, "definition": { "type": "note", "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -8531,7 +8836,7 @@ } }, { - "id": 1345190826, + "id": 2640851810, "definition": { "title": "GetSecretValue", "title_size": "16", @@ -8573,7 +8878,7 @@ } }, { - "id": 778128748, + "id": 2083908195, "definition": { "type": "note", "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -8592,7 +8897,7 @@ } }, { - "id": 2029114925, + "id": 1588180603, "definition": { "title": "DescribeSecret", "title_size": "16", @@ -8634,7 +8939,7 @@ } }, { - "id": 3896099814, + "id": 1991721620, "definition": { "type": "note", "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -8653,7 +8958,7 @@ } }, { - "id": 852118695, + "id": 3544138789, "definition": { "title": "ListSecrets", "title_size": "16", 
@@ -8695,7 +9000,7 @@ } }, { - "id": 769701111, + "id": 3110371190, "definition": { "type": "note", "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -8714,7 +9019,7 @@ } }, { - "id": 4168170936, + "id": 2614643598, "definition": { "title": "GetPasswordData", "title_size": "16", @@ -8756,7 +9061,7 @@ } }, { - "id": 2917714153, + "id": 2465207795, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -8775,7 +9080,7 @@ } }, { - "id": 4268039217, + "id": 1969480203, "definition": { "title": "GetParameters", "title_size": "16", @@ -8820,13 +9125,13 @@ }, "layout": { "x": 0, - "y": 107, + "y": 109, "width": 12, "height": 6 } }, { - "id": 3339707903, + "id": 4085229456, "definition": { "type": "group", "layout_type": "ordered", 
@@ -8835,7 +9140,7 @@ "show_title": true, "widgets": [ { - "id": 2166760335, + "id": 927476832, "definition": { "type": "note", "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -8854,7 +9159,7 @@ } }, { - "id": 3417746512, + "id": 2579232888, "definition": { "title": "ListDomains", "title_size": "16", @@ -8896,7 +9201,7 @@ } }, { - "id": 1103695674, + "id": 495879803, "definition": { "type": "note", "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -8915,7 +9220,7 @@ } }, { - "id": 207198203, + "id": 2048296972, "definition": { "title": "GetHostedZoneCount", "title_size": "16", @@ -8957,7 +9262,7 @@ } }, { - "id": 620441155, + "id": 2406233899, "definition": { "type": "note", "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", 
@@ -8976,7 +9281,7 @@ } }, { - "id": 1970766219, + "id": 1910506307, "definition": { "title": "DescribeOrganization", "title_size": "16", @@ -9018,7 +9323,7 @@ } }, { - "id": 2225317205, + "id": 63116510, "definition": { "type": "note", "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9037,7 +9342,7 @@ } }, { - "id": 3476303382, + "id": 1714872566, "definition": { "title": "ListOrganizationalUnitsForParent", "title_size": "16", @@ -9079,7 +9384,7 @@ } }, { - "id": 2371447929, + "id": 1672416682, "definition": { "type": "note", "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9098,7 +9403,7 @@ } }, { - "id": 3721772993, + "id": 1176689090, "definition": { "title": "ListAccounts", "title_size": "16", 
@@ -9140,7 +9445,7 @@ } }, { - "id": 3720591129, + "id": 3821765345, "definition": { "type": "note", "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n", @@ -9159,7 +9464,7 @@ } }, { - "id": 2824093658, + "id": 1178554105, "definition": { "title": "GetCallerIdentity", "title_size": "16", 
@@ -9201,7 +9506,7 @@ } }, { - "id": 390036627, + "id": 2572341001, "definition": { "type": "note", "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9220,7 +9525,7 @@ } }, { - "id": 1740361691, + "id": 2076613409, "definition": { "title": "ListTopics", "title_size": "16", @@ -9262,7 +9567,7 @@ } }, { - "id": 875045655, + "id": 1765889080, "definition": { "type": "note", "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9281,7 +9586,7 @@ } }, { - "id": 4273515480, + "id": 3417645136, "definition": { "title": "ListSubscriptions", "title_size": "16", @@ -9323,7 +9628,7 @@ } }, { - "id": 2712495972, + "id": 1584917234, "definition": { "type": "note", "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9342,7 +9647,7 @@ } }, { - "id": 3963482149, + "id": 1089189642, "definition": { "title": "ListOriginationNumbers", "title_size": "16", 
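Review bot: The `ListSubscriptions` note widget in the third hunk on this line carries the description `Lists the calling AWS account's dedicated origination numbers and their metadata.`, which is the `ListOriginationNumbers` description repeated two hunks later; SNS ListSubscriptions returns the subscriptions of the calling account, so the text misleads anyone triaging the widget. The line is unchanged context, so the defect predates this commit, and since the dashboard appears to be generated the fix belongs in the source event definition for ListSubscriptions rather than in this file; suggested wording: `Returns a list of the requester's subscriptions.`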
@@ -9384,7 +9689,7 @@ } }, { - "id": 2191299201, + "id": 3623879345, "definition": { "type": "note", "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9403,7 +9708,7 @@ } }, { - "id": 3442285378, + "id": 3128151753, "definition": { "title": "GetSMSAttributes", "title_size": "16", @@ -9445,7 +9750,7 @@ } }, { - "id": 116899444, + "id": 1110822643, "definition": { "type": "note", "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9464,7 +9769,7 @@ } }, { - "id": 1467224508, + "id": 2762578699, "definition": { "title": "GetSMSSandboxAccountStatus", "title_size": "16", 
@@ -9506,7 +9811,7 @@ } }, { - "id": 172713557, + "id": 293867883, "definition": { "type": "note", "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9525,7 +9830,7 @@ } }, { - "id": 1423699734, + "id": 4093107587, "definition": { "title": "IssueCertificate", "title_size": "16", @@ -9567,7 +9872,7 @@ } }, { - "id": 2317017543, + "id": 1373214416, "definition": { "type": "note", "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9586,7 +9891,7 @@ } }, { - "id": 3568003720, + "id": 877486824, "definition": { "title": "GetCertificate", "title_size": "16", @@ -9628,7 +9933,7 @@ } }, { - "id": 3971786134, + "id": 2939479035, "definition": { "type": "note", "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9647,7 +9952,7 @@ } }, { - "id": 1027143902, + "id": 2443751443, "definition": { "title": "DescribeLogGroups", "title_size": "16", 
@@ -9689,7 +9994,7 @@ } }, { - "id": 4141695623, + "id": 1429874304, "definition": { "type": "note", "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9708,7 +10013,7 @@ } }, { - "id": 3245198152, + "id": 934146712, "definition": { "title": "DescribeSubscriptionFilters", "title_size": "16", @@ -9750,7 +10055,7 @@ } }, { - "id": 1236414765, + "id": 258604026, "definition": { "type": "note", "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9769,7 +10074,7 @@ } }, { - "id": 2586739829, + "id": 4057843730, "definition": { "title": "DescribeLogStreams", "title_size": "16", @@ -9811,7 +10116,7 @@ } }, { - "id": 1805975682, + "id": 2401096688, "definition": { "type": "note", "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9830,7 +10135,7 @@ } }, { - "id": 3056961859, + "id": 4052852744, "definition": { "title": "GetLogRecord", "title_size": "16", 
@@ -9872,7 +10177,7 @@ } }, { - "id": 3004926268, + "id": 2645222389, "definition": { "type": "note", "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9891,7 +10196,7 @@ } }, { - "id": 60284036, + "id": 2149494797, "definition": { "title": "GetQueryResults", "title_size": "16", @@ -9933,7 +10238,7 @@ } }, { - "id": 2078260762, + "id": 1726063268, "definition": { "type": "note", "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -9952,7 +10257,7 @@ } }, { - "id": 3329246939, + "id": 1230335676, "definition": { "title": "ListTargetsByRule", "title_size": "16", @@ -9994,7 +10299,7 @@ } }, { - "id": 3790587870, + "id": 694739578, "definition": { "type": "note", "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -10013,7 +10318,7 @@ } }, { - "id": 746606751, + "id": 199011986, "definition": { "title": "ListRules", "title_size": "16", 
@@ -10055,7 +10360,7 @@ } }, { - "id": 2981294360, + "id": 2223933067, "definition": { "type": "note", "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10074,7 +10379,7 @@ } }, { - "id": 4232280537, + "id": 3776350236, "definition": { "title": "GetInstances", "title_size": "16", @@ -10116,7 +10421,7 @@ } }, { - "id": 3836392548, + "id": 3259998869, "definition": { "type": "note", "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10135,7 +10440,7 @@ } }, { - "id": 2939895077, + "id": 616787629, "definition": { "title": "GetRegions", "title_size": "16", @@ -10177,7 +10482,7 @@ } }, { - "id": 2226430374, + "id": 309167822, "definition": { "type": "note", "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -10196,7 +10501,7 @@ } }, { - "id": 1329932903, + "id": 4108407526, "definition": { "title": "GetCostAndUsage", "title_size": "16", 
@@ -10238,7 +10543,7 @@ } }, { - "id": 1238084299, + "id": 2407690150, "definition": { "type": "note", "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10257,7 +10562,7 @@ } }, { - "id": 341586828, + "id": 1911962558, "definition": { "title": "ListGroupsForUser", "title_size": "16", @@ -10299,7 +10604,7 @@ } }, { - "id": 3840848699, + "id": 1330779601, "definition": { "type": "note", "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n", @@ -10318,7 +10623,7 @@ } }, { - "id": 796867580, + "id": 835052009, "definition": { "title": "ListAccessKeys", "title_size": "16", @@ -10360,7 +10665,7 @@ } }, { - "id": 1763058883, + "id": 392027869, "definition": { "type": "note", "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10379,7 +10684,7 @@ } }, { - "id": 866561412, + "id": 4191267573, "definition": { "title": "SimulatePrincipalPolicy", "title_size": "16", 
@@ -10421,7 +10726,7 @@ } }, { - "id": 1756221725, + "id": 684745936, "definition": { "type": "note", "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10440,7 +10745,7 @@ } }, { - "id": 859724254, + "id": 189018344, "definition": { "title": "GetAccountAuthorizationDetails", "title_size": "16", @@ -10482,7 +10787,7 @@ } }, { - "id": 2239982274, + "id": 1771123060, "definition": { "type": "note", "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10501,7 +10806,7 @@ } }, { - "id": 3490968451, + "id": 1275395468, "definition": { "title": "ListGroups", "title_size": "16", 
@@ -10543,7 +10848,7 @@ } }, { - "id": 585522248, + "id": 2831433364, "definition": { "type": "note", "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10562,7 +10867,7 @@ } }, { - "id": 1836508425, + "id": 2335705772, "definition": { "title": "ListUsers", "title_size": "16", @@ -10604,7 +10909,7 @@ } }, { - "id": 1151269100, + "id": 663167908, "definition": { "type": "note", "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", 
@@ -10623,7 +10928,7 @@ } }, { - "id": 2402255277, + "id": 167440316, "definition": { "title": "ListRoles", "title_size": "16", @@ -10665,7 +10970,7 @@ } }, { - "id": 1583049918, + "id": 3209544739, "definition": { "type": "note", "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10684,7 +10989,7 @@ } }, { - "id": 2834036095, + "id": 2713817147, "definition": { "title": "ListSAMLProviders", "title_size": "16", @@ -10726,7 +11031,7 @@ } }, { - "id": 1995955526, + "id": 3482641160, "definition": { "type": "note", "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -10745,7 +11050,7 @@ } }, { - "id": 1198796942, + "id": 2986913568, "definition": { "title": "GetUser", "title_size": "16", @@ -10787,7 +11092,7 @@ } }, { - "id": 3078441750, + "id": 686427582, "definition": { "type": "note", "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -10806,7 +11111,7 @@ } }, { - "id": 2181944279, + "id": 2338183638, "definition": { "title": "ListAttachedRolePolicies", "title_size": "16", @@ -10848,7 +11153,7 @@ } }, { - "id": 1073597487, + "id": 22861042, "definition": { "type": "note", "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10867,7 +11172,7 @@ } }, { - "id": 177100016, + "id": 1674617098, "definition": { "title": "ListServiceSpecificCredentials", "title_size": "16", @@ -10909,7 +11214,7 @@ } }, { - "id": 1033038014, + "id": 1667098193, "definition": { "type": "note", "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10928,7 +11233,7 @@ } }, { - "id": 2284024191, + "id": 1171370601, "definition": { "title": "ListRolePolicies", "title_size": "16", @@ -10970,7 +11275,7 @@ } }, { - "id": 2323391907, + "id": 3244621239, "definition": { "type": "note", "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -10989,7 +11294,7 @@ } }, { - "id": 3574378084, + "id": 2748893647, "definition": { "title": "ListSigningCertificates", "title_size": "16", @@ -11031,7 +11336,7 @@ } }, { - "id": 505865206, + "id": 1894985294, "definition": { "type": "note", "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -11050,7 +11355,7 @@ } }, { - "id": 1856190270, + "id": 3546741350, "definition": { "title": "ListInstanceProfiles", "title_size": "16", @@ -11092,7 +11397,7 @@ } }, { - "id": 3125349314, + "id": 1223352549, "definition": { "type": "note", "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11111,7 +11416,7 @@ } }, { - "id": 2228851843, + "id": 2875108605, "definition": { "title": "ListSSHPublicKeys", "title_size": "16", @@ -11153,7 +11458,7 @@ } }, { - "id": 2997432385, + "id": 3170333080, "definition": { "type": "note", "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -11172,7 +11477,7 @@ } }, { - "id": 2100934914, + "id": 2674605488, "definition": { "title": "ListOpenIDConnectProviders", "title_size": "16", @@ -11214,7 +11519,7 @@ } }, { - "id": 940481350, + "id": 3509889957, "definition": { "type": "note", "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11233,7 +11538,7 @@ } }, { - "id": 43983879, + "id": 3014162365, "definition": { "title": "GetLoginProfile", "title_size": "16", @@ -11275,7 +11580,7 @@ } }, { - "id": 3879727335, + "id": 4266524810, "definition": { "type": "note", "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11294,7 +11599,7 @@ } }, { - "id": 2983229864, + "id": 1623313570, "definition": { "title": "DescribeLoadBalancers", "title_size": "16", @@ -11336,7 +11641,7 @@ } }, { - "id": 452359856, + "id": 2967311650, "definition": { "type": "note", "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", 
@@ -11355,7 +11660,7 @@ } }, { - "id": 1703346033, + "id": 2471584058, "definition": { "title": "DescribeListeners", "title_size": "16", @@ -11397,7 +11702,7 @@ } }, { - "id": 1440622466, + "id": 2838727158, "definition": { "type": "note", "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11416,7 +11721,7 @@ } }, { - "id": 2691608643, + "id": 195515918, "definition": { "title": "ListAssociatedAccessPolicies", "title_size": "16", @@ -11458,7 +11763,7 @@ } }, { - "id": 748624162, + "id": 2962601625, "definition": { "type": "note", "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11477,7 +11782,7 @@ } }, { - "id": 1999610339, + "id": 2466874033, "definition": { "title": "ListClusters", "title_size": "16", @@ -11519,7 +11824,7 @@ } }, { - "id": 1913972320, + "id": 3294347125, "definition": { "type": "note", "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11538,7 +11843,7 @@ } }, { - "id": 3264297384, + "id": 651135885, "definition": { "title": "DescribeAccessEntry", "title_size": "16", 
@@ -11580,7 +11885,7 @@ } }, { - "id": 2962882972, + "id": 3682970103, "definition": { "type": "note", "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11599,7 +11904,7 @@ } }, { - "id": 2066385501, + "id": 1039758863, "definition": { "title": "DescribeCluster", "title_size": "16", @@ -11641,7 +11946,7 @@ } }, { - "id": 3655930893, + "id": 2188909473, "definition": { "type": "note", "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -11660,7 +11965,7 @@ } }, { - "id": 2759433422, + "id": 1693181881, "definition": { "title": "Search", "title_size": "16", @@ -11702,7 +12007,7 @@ } }, { - "id": 3956939809, + "id": 2826830915, "definition": { "type": "note", "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11721,7 +12026,7 @@ } }, { - "id": 3159781225, + "id": 183619675, "definition": { "title": "LookupEvents", "title_size": "16", 
@@ -11763,7 +12068,7 @@ } }, { - "id": 2062015313, + "id": 1674068358, "definition": { "type": "note", "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -11782,7 +12087,7 @@ } }, { - "id": 3412340377, + "id": 1178340766, "definition": { "title": "GetIntrospectionSchema", "title_size": "16", @@ -11824,7 +12129,7 @@ } }, { - "id": 977037714, + "id": 3161333663, "definition": { "type": "note", "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11843,7 +12148,7 @@ } }, { - "id": 80540243, + "id": 518122423, "definition": { "title": "GetBucketVersioning", "title_size": "16", @@ -11885,7 +12190,7 @@ } }, { - "id": 2723088777, + "id": 855335418, "definition": { "type": "note", "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -11904,7 +12209,7 @@ } }, { - "id": 3974074954, + "id": 359607826, "definition": { "title": "GetBucketLogging", "title_size": "16", @@ -11946,7 +12251,7 @@ } }, { - "id": 2834770088, + "id": 2663611911, "definition": { "type": "note", "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11965,7 +12270,7 @@ } }, { - "id": 4085756265, + "id": 2167884319, "definition": { "title": "GetBucketPolicy", "title_size": "16", 
@@ -12007,7 +12312,7 @@ } }, { - "id": 1453453823, + "id": 3729931024, "definition": { "type": "note", "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -12026,7 +12331,7 @@ } }, { - "id": 556956352, + "id": 1086719784, "definition": { "title": "ListBuckets", "title_size": "16", 
@@ -12068,7 +12373,7 @@ } }, { - "id": 3689558247, + "id": 3795518780, "definition": { "type": "note", "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12087,7 +12392,7 @@ } }, { - "id": 2892399663, + "id": 1152307540, "definition": { "title": "GetBucketReplication", "title_size": "16", @@ -12129,7 +12434,7 @@ } }, { - "id": 1503565511, + "id": 1719319609, "definition": { "type": "note", "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", @@ -12148,7 +12453,7 @@ } }, { - "id": 607068040, + "id": 1223592017, "definition": { "title": "GetBucketAcl", "title_size": "16", @@ -12190,7 +12495,7 @@ } }, { - "id": 4247324509, + "id": 3348940898, "definition": { "type": "note", "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", 
@@ -12209,7 +12514,7 @@ } }, { - "id": 3350827038, + "id": 705729658, "definition": { "title": "HeadObject", "title_size": "16", @@ -12251,7 +12556,7 @@ } }, { - "id": 2932175251, + "id": 3647618396, "definition": { "type": "note", "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -12270,7 +12575,7 @@ } }, { - "id": 4183161428, + "id": 1004407156, "definition": { "title": "ListVaults", "title_size": "16", @@ -12312,7 +12617,7 @@ } }, { - "id": 509343099, + "id": 1762371059, "definition": { "type": "note", "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12331,7 +12636,7 @@ } }, { - "id": 4007151811, + "id": 3414127115, "definition": { "title": "GetPublicAccessBlock", "title_size": "16", 
@@ -12373,7 +12678,7 @@ } }, { - "id": 2235686895, + "id": 4206311696, "definition": { "type": "note", "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -12392,7 +12697,7 @@ } }, { - "id": 3586011959, + "id": 1563100456, "definition": { "title": "GetBucketTagging", "title_size": "16", @@ -12434,7 +12739,7 @@ } }, { - "id": 3016782802, + "id": 3502252639, "definition": { "type": "note", "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -12453,7 +12758,7 @@ } }, { - "id": 4267768979, + "id": 859041399, "definition": { "title": "ListObjects", "title_size": "16", 
@@ -12495,10 +12800,10 @@ } }, { - "id": 1373183296, + "id": 1216775720, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12514,7 +12819,7 @@ } }, { - "id": 576024712, + "id": 721048128, "definition": { "title": "InvokeModel", "title_size": "16", 
@@ -12556,7 +12861,7 @@ } }, { - "id": 1849728252, + "id": 1926676945, "definition": { "type": "note", "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12575,7 +12880,7 @@ } }, { - "id": 3100714429, + "id": 1430949353, "definition": { "title": "GetUseCaseForModelAccess", "title_size": "16", @@ -12617,7 +12922,7 @@ } }, { - "id": 468681246, + "id": 728697572, "definition": { "type": "note", "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12636,7 +12941,7 @@ } }, { - "id": 3867151071, + "id": 232969980, "definition": { "title": "ListProvisionedModelThroughputs", "title_size": "16", @@ -12678,7 +12983,7 @@ } }, { - "id": 805408665, + "id": 2544624624, "definition": { "type": "note", "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12697,7 +13002,7 @@ } }, { - "id": 4203878490, + "id": 4196380680, "definition": { "title": "GetFoundationModelAvailability", "title_size": "16", 
@@ -12739,7 +13044,7 @@ } }, { - "id": 476984695, + "id": 1429187672, "definition": { "type": "note", "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12758,7 +13063,7 @@ } }, { - "id": 1827309759, + "id": 933460080, "definition": { "title": "ListFoundationModels", "title_size": "16", @@ -12800,7 +13105,7 @@ } }, { - "id": 1508160524, + "id": 2186012141, "definition": { "type": "note", "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12819,7 +13124,7 @@ } }, { - "id": 2759146701, + "id": 1690284549, "definition": { "title": "ListFoundationModelAgreementOffers", "title_size": "16", @@ -12861,7 +13166,7 @@ } }, { - "id": 3119397726, + "id": 4048985172, "definition": { "type": "note", "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n", @@ -12880,7 +13185,7 @@ } }, { - "id": 2322239142, + "id": 3553257580, "definition": { "title": "GetModelInvocationLoggingConfiguration", "title_size": "16", 
@@ -12922,7 +13227,7 @@ } }, { - "id": 243160157, + "id": 851719321, "definition": { "type": "note", "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -12941,7 +13246,7 @@ } }, { - "id": 1494146334, + "id": 355991729, "definition": { "title": "GetConsoleScreenshot", "title_size": "16", @@ -12983,7 +13288,7 @@ } }, { - "id": 2383734567, + "id": 1784200847, "definition": { "type": "note", "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13002,7 +13307,7 @@ } }, { - "id": 1487237096, + "id": 3435956903, "definition": { "title": "DescribeSnapshotTierStatus", "title_size": "16", @@ -13044,7 +13349,7 @@ } }, { - "id": 271560324, + "id": 2407302489, "definition": { "type": "note", "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13063,7 +13368,7 @@ } }, { - "id": 1621885388, + "id": 4059058545, "definition": { "title": "DescribeImages", "title_size": "16", 
@@ -13105,7 +13410,7 @@ } }, { - "id": 3942992307, + "id": 447333718, "definition": { "type": "note", "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13124,7 +13429,7 @@ } }, { - "id": 3046494836, + "id": 2099089774, "definition": { "title": "GetEbsDefaultKmsKeyId", "title_size": "16", @@ -13166,7 +13471,7 @@ } }, { - "id": 1805108174, + "id": 2177700075, "definition": { "type": "note", "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13185,7 +13490,7 @@ } }, { - "id": 908610703, + "id": 1681972483, "definition": { "title": "DescribeAvailabilityZones", "title_size": "16", @@ -13227,7 +13532,7 @@ } }, { - "id": 2722185596, + "id": 1750854589, "definition": { "type": "note", "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", 
@@ -13246,7 +13551,7 @@ } }, { - "id": 4072510660, + "id": 3402610645, "definition": { "title": "DescribeInstances", "title_size": "16", @@ -13288,7 +13593,7 @@ } }, { - "id": 1083224209, + "id": 1674884373, "definition": { "type": "note", "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13307,7 +13612,7 @@ } }, { - "id": 2433549273, + "id": 3326640429, "definition": { "title": "GetTransitGatewayRouteTableAssociations", "title_size": "16", @@ -13349,7 +13654,7 @@ } }, { - "id": 920256565, + "id": 1974150643, "definition": { "type": "note", "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13368,7 +13673,7 @@ } }, { - "id": 23759094, + "id": 3625906699, "definition": { "title": "GetLaunchTemplateData", "title_size": "16", @@ -13410,7 +13715,7 @@ } }, { - "id": 3047543624, + "id": 3984169003, "definition": { "type": "note", "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n", 
@@ -13429,7 +13734,7 @@ } }, { - "id": 2151046153, + "id": 3488441411, "definition": { "title": "DescribeKeyPairs", "title_size": "16", @@ -13471,7 +13776,7 @@ } }, { - "id": 509755626, + "id": 1215037625, "definition": { "type": "note", "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13490,7 +13795,7 @@ } }, { - "id": 3908225451, + "id": 2866793681, "definition": { "title": "GetEbsEncryptionByDefault", "title_size": "16", @@ -13532,7 +13837,7 @@ } }, { - "id": 1451529101, + "id": 2449582744, "definition": { "type": "note", "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13551,7 +13856,7 @@ } }, { - "id": 654370517, + "id": 1953855152, "definition": { "title": "DescribeCarrierGateways", "title_size": "16", @@ -13593,7 +13898,7 @@ } }, { - "id": 1571792984, + "id": 1024085491, "definition": { "type": "note", "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13612,7 +13917,7 @@ } }, { - "id": 675295513, + "id": 528357899, "definition": { "title": "GetFlowLogsIntegrationTemplate", "title_size": "16", @@ -13654,7 +13959,7 @@ } }, { - "id": 1873188405, + "id": 2079785568, "definition": { "type": "note", "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13673,7 +13978,7 @@ } }, { - "id": 3223513469, + "id": 1584057976, "definition": { "title": "DescribeTransitGatewayMulticastDomains", "title_size": "16", @@ -13715,7 +14020,7 @@ } }, { - "id": 3011918395, + "id": 1480332684, "definition": { "type": "note", "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13734,7 +14039,7 @@ } }, { - "id": 2214759811, + "id": 984605092, "definition": { "title": "DescribeInstanceAttribute", "title_size": "16", @@ -13776,7 +14081,7 @@ } }, { - "id": 372977278, + "id": 2194960944, "definition": { "type": "note", "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13795,7 +14100,7 @@ } }, { - "id": 3771447103, + "id": 3846717000, "definition": { "title": "DescribeDhcpOptions", "title_size": "16", @@ -13837,7 +14142,7 @@ } }, { - "id": 2692824372, + "id": 4220565412, "definition": { "type": "note", "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13856,7 +14161,7 @@ } }, { - "id": 3943810549, + "id": 3724837820, "definition": { "title": "DescribeVpcEndpointConnectionNotifications", "title_size": "16", @@ -13898,7 +14203,7 @@ } }, { - "id": 2069704131, + "id": 1594575055, "definition": { "type": "note", "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13917,7 +14222,7 @@ } }, { - "id": 3320690308, + "id": 1098847463, "definition": { "title": "DescribeFlowLogs", "title_size": "16", @@ -13959,7 +14264,7 @@ } }, { - "id": 3241675597, + "id": 1072980804, "definition": { "type": "note", "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13978,7 +14283,7 @@ } }, { - "id": 2444517013, + "id": 2724736860, "definition": { "title": "DescribeSnapshotAttribute", "title_size": "16", @@ -14020,7 +14325,7 @@ } }, { - "id": 1146483962, + "id": 1482629875, "definition": { "type": "note", "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14039,7 +14344,7 @@ } }, { - "id": 2397470139, + "id": 3134385931, "definition": { "title": "DescribeVolumesModifications", "title_size": "16", @@ -14081,7 +14386,7 @@ } }, { - "id": 3410362403, + "id": 4291115547, "definition": { "type": "note", "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14100,7 +14405,7 @@ } }, { - "id": 2513864932, + "id": 1647904307, "definition": { "title": "DescribeRegions", "title_size": "16", 
@@ -14142,7 +14447,7 @@ } }, { - "id": 631357616, + "id": 136394874, "definition": { "type": "note", "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n", @@ -14161,7 +14466,7 @@ } }, { - "id": 1981682680, + "id": 3935634578, "definition": { "title": "DescribeSecurityGroups", "title_size": "16", @@ -14203,7 +14508,7 @@ } }, { - "id": 3276082997, + "id": 2912024678, "definition": { "type": "note", "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14222,7 +14527,7 @@ } }, { - "id": 2379585526, + "id": 2416297086, "definition": { "title": "DescribeVpcs", "title_size": "16", @@ -14264,7 +14569,7 @@ } }, { - "id": 974369643, + "id": 2173834468, "definition": { "type": "note", "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14283,7 +14588,7 @@ } }, { - "id": 177211059, + "id": 1678106876, "definition": { "title": "DescribeBundleTasks", "title_size": "16", 
@@ -14325,7 +14630,7 @@ } }, { - "id": 2939725483, + "id": 347048212, "definition": { "type": "note", "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14344,7 +14649,7 @@ } }, { - "id": 4190711660, + "id": 1998804268, "definition": { "title": "DescribeAccountAttributes", "title_size": "16", @@ -14386,7 +14691,7 @@ } }, { - "id": 3145664446, + "id": 3554878661, "definition": { "type": "note", "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14405,7 +14710,7 @@ } }, { - "id": 101683327, + "id": 3059151069, "definition": { "title": "DescribeVolumes", "title_size": "16", @@ -14447,7 +14752,7 @@ } }, { - "id": 2189351799, + "id": 2785241595, "definition": { "type": "note", "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14466,7 +14771,7 @@ } }, { - "id": 1292854328, + "id": 142030355, "definition": { "title": "DescribeInstanceTypes", "title_size": "16", 
@@ -14508,7 +14813,7 @@ } }, { - "id": 3245350028, + "id": 3411251269, "definition": { "type": "note", "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14527,7 +14832,7 @@ } }, { - "id": 201368909, + "id": 2915523677, "definition": { "title": "DescribeClientVpnRoutes", "title_size": "16", @@ -14569,7 +14874,7 @@ } }, { - "id": 920256565, + "id": 1974150643, "definition": { "type": "note", "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14588,7 +14893,7 @@ } }, { - "id": 23759094, + "id": 3625906699, "definition": { "title": "GetLaunchTemplateData", "title_size": "16", @@ -14630,7 +14935,7 @@ } }, { - "id": 1729196389, + "id": 1583445586, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -14649,7 +14954,7 @@ } }, { - "id": 2980182566, + "id": 3235201642, "definition": { "title": "GetParameters", "title_size": "16", 
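Review bot: The new widget ids `1974150643` (note widget, hunk `@@ -14569`) and `3625906699` (query widget, hunk `@@ -14588`) for GetLaunchTemplateData are byte-identical to the ids the same two widgets already received in the earlier `@@ -13349` / `@@ -13368` hunks, so the regenerated dashboard now contains duplicate widget ids. Datadog expects widget ids to be unique within a dashboard, and duplicates can cause an import to be rejected or make an edit aimed at one widget land on the other. Every other id in the file changed while these two pairs collided, which suggests the ids are derived deterministically from the event name alone; the generator producing this file should fold the group or position into the id, or omit the `id` field entirely and let Datadog assign ids on import. Listing GetLaunchTemplateData under two groups appears intentional (same description and incident reference in both), so only the id derivation needs to change; the enclosing widgets array extends beyond these hunks.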
@@ -14691,7 +14996,7 @@ } }, { - "id": 1410726190, + "id": 1047103533, "definition": { "type": "note", "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -14710,7 +15015,7 @@ } }, { - "id": 2761051254, + "id": 551375941, "definition": { "title": "DescribeInstanceInformation", "title_size": "16", @@ -14752,7 +15057,7 @@ } }, { - "id": 3950798414, + "id": 3453769540, "definition": { "type": "note", "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -14771,7 +15076,7 @@ } }, { - "id": 906817295, + "id": 2958041948, "definition": { "title": "GetIdentityVerificationAttributes", "title_size": "16", @@ -14813,7 +15118,7 @@ } }, { - "id": 349194343, + "id": 3004197099, "definition": { "type": "note", "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -14832,7 +15137,7 @@ } }, { - "id": 3747664168, + "id": 360985859, "definition": { "title": "GetAccountSendingEnabled", "title_size": "16", 
@@ -14874,7 +15179,7 @@ } }, { - "id": 473067023, + "id": 3344584878, "definition": { "type": "note", "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14893,7 +15198,7 @@ } }, { - "id": 1724053200, + "id": 701373638, "definition": { "title": "ListIdentities", "title_size": "16", 
@@ -14935,7 +15240,7 @@ } }, { - "id": 4012214486, + "id": 728155560, "definition": { "type": "note", "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14954,7 +15259,7 @@ } }, { - "id": 968233367, + "id": 2379911616, "definition": { "title": "GetSendQuota", "title_size": "16", @@ -14996,7 +15301,7 @@ } }, { - "id": 1948908313, + "id": 3400111730, "definition": { "type": "note", "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", 
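Review bot: The GetAccount note in the last hunk on this line still carries the description `Lists the applied quota values for the specified AWS service.`, which is the ListServiceQuotas description (it appears verbatim on the ListServiceQuotas widget further down) and does not describe the SES GetAccount call; regenerating the widget id leaves that text wrong. Since the note text looks generated from the per-event definition, the fix belongs there, with wording along the lines of `Provides information about the email-sending status and capabilities of your Amazon SES account in the current Region.`, followed by a regeneration of this dashboard. The enclosing widget object starts and ends outside the hunk.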
@@ -15015,7 +15320,7 @@ } }, { - "id": 3199894490, + "id": 756900490, "definition": { "title": "GetAccount", "title_size": "16", @@ -15057,7 +15362,7 @@ } }, { - "id": 2788285747, + "id": 2401881988, "definition": { "type": "note", "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15076,7 +15381,7 @@ } }, { - "id": 1991127163, + "id": 4053638044, "definition": { "title": "GetFindings", "title_size": "16", @@ -15118,7 +15423,7 @@ } }, { - "id": 501615106, + "id": 4083622940, "definition": { "type": "note", "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15137,7 +15442,7 @@ } }, { - "id": 3900084931, + "id": 1440411700, "definition": { "title": "ListFindings", "title_size": "16", @@ -15179,7 +15484,7 @@ } }, { - "id": 1593269003, + "id": 1680488719, "definition": { "type": "note", "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -15198,7 +15503,7 @@ } }, { - "id": 696771532, + "id": 1184761127, "definition": { "title": "ListDetectors", "title_size": "16", 
@@ -15240,7 +15545,7 @@ } }, { - "id": 930619286, + "id": 697449835, "definition": { "type": "note", "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15259,7 +15564,7 @@ } }, { - "id": 2280944350, + "id": 2249867004, "definition": { "title": "GetDetector", "title_size": "16", @@ -15301,7 +15606,7 @@ } }, { - "id": 653525461, + "id": 2325617110, "definition": { "type": "note", "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -15320,7 +15625,7 @@ } }, { - "id": 1904511638, + "id": 3977373166, "definition": { "title": "ListIPSets", "title_size": "16", @@ -15362,7 +15667,7 @@ } }, { - "id": 2547173999, + "id": 1002775488, "definition": { "type": "note", "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -15381,7 +15686,7 @@ } }, { - "id": 3798160176, + "id": 507047896, "definition": { "title": "ListServiceQuotas", "title_size": "16", 
@@ -15426,13 +15731,13 @@ }, "layout": { "x": 0, - "y": 113, + "y": 115, "width": 12, "height": 74 } }, { - "id": 2748250833, + "id": 46676597, "definition": { "type": "group", "layout_type": "ordered", @@ -15441,7 +15746,7 @@ "show_title": true, "widgets": [ { - "id": 282053377, + "id": 3892793627, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -15460,7 +15765,7 @@ } }, { - "id": 1533039554, + "id": 3397066035, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -15502,7 +15807,7 @@ } }, { - "id": 3711302722, + "id": 219147980, "definition": { "type": "note", "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", @@ -15521,7 +15826,7 @@ } }, { - "id": 766660490, + "id": 4018387684, "definition": { "title": "SwitchRole", "title_size": "16", 
@@ -15563,7 +15868,7 @@ } }, { - "id": 3753350775, + "id": 2233376158, "definition": { "type": "note", "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -15582,7 +15887,7 @@ } }, { - "id": 709369656, + "id": 3885132214, "definition": { "title": "EnableSerialConsoleAccess", "title_size": "16", @@ -15624,7 +15929,7 @@ } }, { - "id": 2351983240, + "id": 1020346991, "definition": { "type": "note", "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15643,7 +15948,7 @@ } }, { - "id": 1455485769, + "id": 524619399, "definition": { "title": "CreateVolume", "title_size": "16", 
@@ -15685,7 +15990,7 @@ } }, { - "id": 1372949638, + "id": 4013012331, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -15704,7 +16009,7 @@ } }, { - "id": 2623935815, + "id": 1369801091, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -15746,10 +16051,10 @@ } }, { - "id": 961294797, + "id": 3578420879, "definition": { "type": "note", - "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", + "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of 
DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15765,7 +16070,7 @@ } }, { - "id": 2212280974, + "id": 935209639, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
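Review bot: The reference added to the AuthorizeSecurityGroupIngress note, `[New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)`, is a conference slide deck, yet it is filed under **Related Incidents** rather than **Related Research**, where the other talks, blog posts and detection write-ups in these notes live; the RunInstances hunk below adds the same link in the same place. If the deck walks through real incidents the placement is defensible, otherwise it should move to Related Research so that a responder scanning the Incidents list sees only incident write-ups. As the note text appears to be generated from the per-event definition, the change should be made in that source rather than in this JSON. The enclosing widget object starts and ends outside the hunk.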
@@ -15807,7 +16112,7 @@ } }, { - "id": 2364717797, + "id": 1914100124, "definition": { "type": "note", "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -15826,7 +16131,7 @@ } }, { - "id": 1468220326, + "id": 3565856180, "definition": { "title": "SendSSHPublicKey", "title_size": "16", @@ -15868,7 +16173,7 @@ } }, { - "id": 3921422600, + "id": 1427557305, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -15887,7 +16192,7 @@ } }, { - "id": 877441481, + "id": 931829713, "definition": { "title": "CreateSnapshot", "title_size": "16", 
@@ -15929,10 +16234,10 @@ } }, { - "id": 2176244995, + "id": 1100934229, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With 
AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15948,7 +16253,7 @@ } }, { - "id": 1279747524, + "id": 605206637, "definition": { "title": "RunInstances", "title_size": "16", 
@@ -15990,7 +16295,7 @@ } }, { - "id": 3738972907, + "id": 1266748354, "definition": { "type": "note", "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16009,7 +16314,7 @@ } }, { - "id": 694991788, + "id": 771020762, "definition": { "title": "AttachVolume", "title_size": "16", @@ -16051,7 +16356,7 @@ } }, { - "id": 84198124, + "id": 1724506417, "definition": { "type": "note", "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16070,7 +16375,7 @@ } }, { - "id": 3482667949, + "id": 1228778825, "definition": { "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", 
@@ -16112,7 +16417,7 @@ } }, { - "id": 3169641218, + "id": 1008468459, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16131,7 +16436,7 @@ } }, { - "id": 125660099, + "id": 2660224515, "definition": { "title": "SendCommand", "title_size": "16", @@ -16173,7 +16478,7 @@ } }, { - "id": 2692739650, + "id": 697948711, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -16192,7 +16497,7 @@ } }, { - "id": 1796242179, + "id": 2349704767, "definition": { "title": "StartSession", "title_size": "16", 
@@ -16234,7 +16539,7 @@ } }, { - "id": 2258944592, + "id": 654435082, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16253,7 +16558,7 @@ } }, { - "id": 3509930769, + "id": 158707490, "definition": { "title": "ResumeSession", "title_size": "16", @@ -16298,13 +16603,13 @@ }, "layout": { "x": 0, - "y": 187, + "y": 189, "width": 12, "height": 12 } }, { - "id": 56148282, + "id": 2075694789, "definition": { "type": "group", "layout_type": "ordered", @@ -16313,7 +16618,7 @@ "show_title": true, "widgets": [ { - "id": 392915107, + "id": 1128526886, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", 
@@ -16332,7 +16637,7 @@ } }, { - "id": 3791384932, + "id": 632799294, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -16374,7 +16679,7 @@ } }, { - "id": 2787280443, + "id": 1733063769, "definition": { "type": "note", "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16393,7 +16698,7 @@ } }, { - "id": 1890782972, + "id": 1237336177, "definition": { "title": "UpdateDistribution", "title_size": "16", @@ -16435,7 +16740,7 @@ } }, { - "id": 4009592935, + "id": 3486738446, "definition": { "type": "note", "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16454,7 +16759,7 @@ } }, { - "id": 3113095464, + "id": 2991010854, "definition": { "title": "PublishFunction", "title_size": "16", @@ -16496,7 +16801,7 @@ } }, { - "id": 3561755502, + "id": 4169330849, "definition": { "type": "note", "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", 
@@ -16515,7 +16820,7 @@ } }, { - "id": 617113270, + "id": 1526119609, "definition": { "title": "CreateFunction", "title_size": "16", @@ -16557,7 +16862,7 @@ } }, { - "id": 4184762204, + "id": 1212981698, "definition": { "type": "note", "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", @@ -16576,7 +16881,7 @@ } }, { - "id": 3387603620, + "id": 717254106, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", @@ -16618,7 +16923,7 @@ } }, { - "id": 2427879147, + "id": 1289093468, "definition": { "type": "note", "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16637,7 +16942,7 @@ } }, { - "id": 1531381676, + "id": 793365876, "definition": { "title": "CreateTrafficMirrorTarget", "title_size": "16", @@ -16679,7 +16984,7 @@ } }, { - "id": 700146825, + "id": 4090532511, "definition": { "type": "note", "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16698,7 +17003,7 @@ } }, { - "id": 4197955537, + "id": 1347982384, "definition": { "title": "CreateTrafficMirrorSession", "title_size": "16", 
@@ -16740,7 +17045,7 @@ } }, { - "id": 3321447678, + "id": 3883364668, "definition": { "type": "note", "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -16759,7 +17064,7 @@ } }, { - "id": 376805446, + "id": 3387637076, "definition": { "title": "CreateRoute", "title_size": "16", @@ -16801,7 +17106,7 @@ } }, { - "id": 2501452591, + "id": 983226425, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16820,7 +17125,7 @@ } }, { - "id": 1604955120, + "id": 487498833, "definition": { "title": "CreateTrafficMirrorFilter", "title_size": "16", @@ -16862,7 +17167,7 @@ } }, { - "id": 2582972755, + "id": 3625648979, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16881,7 +17186,7 @@ } }, { - "id": 3833958932, + "id": 982437739, "definition": { "title": "CreateTrafficMirrorFilterRule", "title_size": "16", @@ -16926,13 +17231,13 @@ }, "layout": { "x": 0, - "y": 199, + "y": 201, "width": 12, "height": 10 } }, { - "id": 753313892, + "id": 3836151355, "definition": { "type": "group", "layout_type": "ordered", 
@@ -16941,7 +17246,7 @@ "show_title": true, "widgets": [ { - "id": 3467042405, + "id": 4250361592, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -16960,7 +17265,7 @@ } }, { - "id": 2570544934, + "id": 1607150352, "definition": { "title": "CreateUser", "title_size": "16", @@ -17002,7 +17307,7 @@ } }, { - "id": 2547883252, + "id": 1815835250, "definition": { "type": "note", "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -17021,7 +17326,7 @@ } }, { - "id": 3898208316, + "id": 1320107658, "definition": { "title": "CreateServer", "title_size": "16", @@ -17063,7 +17368,7 @@ } }, { - "id": 2869571706, + "id": 1613183828, "definition": { "type": "note", "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -17082,7 +17387,7 @@ } }, { - "id": 1973074235, + "id": 3264939884, "definition": { "title": "PutBucketPolicy", "title_size": "16", 
@@ -17124,7 +17429,7 @@ } }, { - "id": 2653918871, + "id": 3886539421, "definition": { "type": "note", "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", @@ -17143,7 +17448,7 @@ } }, { - "id": 3904905048, + "id": 1243328181, "definition": { "title": "PutBucketAcl", "title_size": "16", @@ -17185,7 +17490,7 @@ } }, { - "id": 4046737660, + "id": 521040797, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17204,7 +17509,7 @@ } }, { - "id": 1002756541, + "id": 2172796853, "definition": { "title": "PutBucketVersioning", "title_size": "16", @@ -17246,7 +17551,7 @@ } }, { - "id": 913373397, + "id": 2358023164, "definition": { "type": "note", "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17265,7 +17570,7 @@ } }, { - "id": 116214813, + "id": 4009779220, "definition": { "title": "PutBucketReplication", "title_size": "16", 
@@ -17307,7 +17612,7 @@ } }, { - "id": 4180112710, + "id": 4161110225, "definition": { "type": "note", "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming 
Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", @@ -17326,7 +17631,7 @@ } }, { - "id": 3382954126, + "id": 3665382633, "definition": { "title": "GetObject", "title_size": "16", @@ -17368,7 +17673,7 @@ } }, { - "id": 596242029, + "id": 2516671992, "definition": { "type": "note", "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17387,7 +17692,7 @@ } }, { - "id": 1847228206, + "id": 4168428048, "definition": { "title": "JobCreated", "title_size": "16", @@ -17429,7 +17734,7 @@ } }, { - "id": 2205086822, + "id": 377797664, "definition": { "type": "note", "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", @@ -17448,7 +17753,7 @@ } }, { - "id": 3456072999, + "id": 4177037368, "definition": { "title": "ModifySnapshotAttribute", "title_size": "16", 
@@ -17490,7 +17795,7 @@ } }, { - "id": 1517596163, + "id": 4144341096, "definition": { "type": "note", "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17509,7 +17814,7 @@ } }, { - "id": 621098692, + "id": 3549274617, "definition": { "title": "SharedSnapshotCopyInitiated", "title_size": "16", @@ -17551,7 +17856,7 @@ } }, { - "id": 2633206184, + "id": 3836060413, "definition": { "type": "note", "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17570,7 +17875,7 @@ } }, { - "id": 1736708713, + "id": 1192849173, "definition": { "title": "SharedSnapshotVolumeCreated", "title_size": "16", 
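Review bot: The note content for SharedSnapshotCopyInitiated and SharedSnapshotVolumeCreated on this line still reads `**Description:** Modifies the specified attribute of the specified instance.`, which is the wording of the ModifyInstanceAttribute API and describes neither event; these are unchanged context lines, so the commit does not introduce the mistake, but it regenerates both widgets without correcting it. Both names are CloudTrail events that AWS records in the snapshot owner's account when another account copies a shared EBS snapshot or creates a volume from it, so a description along the lines of `Recorded in the snapshot owner's account when another account copies a shared EBS snapshot.` (and the volume-creation equivalent for SharedSnapshotVolumeCreated) would match the linked research on snapshot exfiltration. Since the dashboard text appears to be built from the per-event definitions elsewhere in the repository, the fix presumably belongs in those source files rather than in this export.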
@@ -17612,7 +17917,7 @@ } }, { - "id": 1151966523, + "id": 3825268255, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -17631,7 +17936,7 @@ } }, { - "id": 2402952700, + "id": 3230201776, "definition": { "title": "CreateSnapshot", "title_size": "16", @@ -17673,7 +17978,7 @@ } }, { - "id": 273854776, + "id": 1513071745, "definition": { "type": "note", "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -17692,7 +17997,7 @@ } }, { - "id": 3672324601, + "id": 1017344153, "definition": { "title": "CreateImage", "title_size": "16", 
@@ -17734,7 +18039,7 @@ } }, { - "id": 1126713681, + "id": 149699383, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", @@ -17753,7 +18058,7 @@ } }, { - "id": 2477038745, + "id": 3948939087, "definition": { "title": "AuthorizeSecurityGroupEgress", "title_size": "16", @@ -17795,7 +18100,7 @@ } }, { - "id": 2294943691, + "id": 2481786377, "definition": { "type": "note", "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", @@ -17814,7 +18119,7 @@ } }, { - "id": 1398446220, + "id": 1986058785, "definition": { "title": "ModifyImageAttribute", "title_size": "16", 
@@ -17856,7 +18161,7 @@ } }, { - "id": 802045896, + "id": 2678746375, "definition": { "type": "note", "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17875,7 +18180,7 @@ } }, { - "id": 4887312, + "id": 35535135, "definition": { "title": "ModifyDBSnapshotAttribute", "title_size": "16", @@ -17917,7 +18222,7 @@ } }, { - "id": 1858844037, + "id": 3663015519, "definition": { "type": "note", "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", @@ -17936,7 +18241,7 @@ } }, { - "id": 962346566, + "id": 3167287927, "definition": { "title": "StartExportTask", "title_size": "16", 
@@ -17978,7 +18283,7 @@ } }, { - "id": 1685648118, + "id": 535375034, "definition": { "type": "note", "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17997,7 +18302,7 @@ } }, { - "id": 2936634295, + "id": 2187131090, "definition": { "title": "CreateDBSecurityGroup", "title_size": "16", 
@@ -18039,10 +18344,10 @@ } }, { - "id": 1701948889, + "id": 790715096, "definition": { "type": "note", - "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", + "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18058,7 +18363,7 @@ } }, { - "id": 904790305, + "id": 294987504, "definition": { "title": "CreateDBSnapshot", "title_size": "16", @@ -18103,13 +18408,13 @@ }, "layout": { "x": 0, - "y": 209, + "y": 211, "width": 12, "height": 16 } }, { - "id": 3668429027, + "id": 3175029225, "definition": { "type": "group", "layout_type": "ordered", 
@@ -18118,7 +18423,7 @@ "show_title": true, "widgets": [ { - "id": 1048861228, + "id": 1381573792, "definition": { "type": "note", "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18137,7 +18442,7 @@ } }, { - "id": 2399186292, + "id": 885846200, "definition": { "title": "ChangeResourceRecordSets", "title_size": "16", @@ -18179,7 +18484,7 @@ } }, { - "id": 3153665777, + "id": 2465545814, "definition": { "type": "note", "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18198,7 +18503,7 @@ } }, { - "id": 2356507193, + "id": 1969818222, "definition": { "title": "RegisterDomain", "title_size": "16", 
@@ -18240,7 +18545,7 @@ } }, { - "id": 1279906025, + "id": 798815307, "definition": { "type": "note", "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18259,7 +18564,7 @@ } }, { - "id": 2630231089, + "id": 2450571363, "definition": { "title": "CreateHostedZone", "title_size": "16", 
@@ -18301,10 +18606,10 @@ } }, { - "id": 1519101507, + "id": 1234354365, "definition": { "type": "note", - "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [CreateStack](https://traildiscover.cloud/#CloudFormation-CreateStack)\n\n**Description:** Creates a stack as specified in the template.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18320,9 +18625,9 @@ } }, { - "id": 622604036, + "id": 738626773, "definition": { - "title": "Publish", + "title": "CreateStack", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18340,7 +18645,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Publish $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateStack $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18362,10 +18667,10 @@ } }, { - "id": 1759272292, + "id": 1030189004, "definition": { "type": "note", - "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18381,9 +18686,9 @@ } }, { - "id": 862774821, + "id": 2681945060, "definition": { - "title": "CreateFunction20150331", + "title": "Publish", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -18401,7 +18706,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Publish $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18423,10 +18728,10 @@ } }, { - "id": 1867957198, + "id": 1617421009, "definition": { "type": "note", - "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -18442,9 +18747,9 @@ } }, { - "id": 1070798614, + "id": 3269177065, "definition": { - "title": "UpdateFunctionCode20150331v2", + "title": "CreateFunction20150331", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18462,7 +18767,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18484,10 +18789,10 @@ } }, { - "id": 3521826320, + "id": 1711910713, "definition": { "type": "note", - "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18503,9 +18808,9 @@ } }, { - "id": 577184088, + "id": 3363666769, "definition": { - "title": "Invoke", + "title": "UpdateFunctionCode20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -18523,7 +18828,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" } } ], @@ -18545,10 +18850,10 @@ } }, { - "id": 2543627143, + "id": 436407326, "definition": { "type": "note", - "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", + "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18564,9 +18869,9 @@ } }, { - "id": 3794613320, + "id": 4235647030, "definition": { - "title": "DeleteFileSystem", + "title": "Invoke", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18584,7 +18889,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteFileSystem $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18606,10 +18911,10 @@ } }, { - "id": 3730719242, + "id": 2752488647, "definition": { "type": "note", - "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", + "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18625,9 +18930,9 @@ } }, { - "id": 2834221771, + "id": 109277407, "definition": { - "title": "DeleteMountTarget", + "title": "DeleteFileSystem", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18645,7 +18950,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMountTarget $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteFileSystem $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18667,10 +18972,10 @@ } }, { - "id": 344435555, + "id": 3118964136, "definition": { "type": "note", - "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18686,9 +18991,9 @@ } }, { - "id": 3742905380, + "id": 2623236544, "definition": { - "title": "DeleteRule", + "title": "DeleteMountTarget", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18706,7 +19011,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteMountTarget $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18728,10 +19033,10 @@ } }, { - "id": 2924551126, + "id": 1755891098, "definition": { "type": "note", - "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18747,9 +19052,9 @@ } }, { - "id": 2028053655, + "id": 3308308267, "definition": { - "title": "RemoveTargets", + "title": "DeleteRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18767,7 +19072,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18789,10 +19094,10 @@ } }, { - "id": 3376180199, + "id": 865498124, "definition": { "type": "note", - "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18808,9 +19113,9 @@ } }, { - "id": 431537967, + "id": 369770532, "definition": { - "title": "DisableRule", + "title": "RemoveTargets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18828,7 +19133,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18850,10 +19155,10 @@ } }, { - "id": 1224254194, + "id": 2820400154, "definition": { "type": "note", - "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18869,9 +19174,9 @@ } }, { - "id": 2475240371, + "id": 2324672562, "definition": { - "title": "PutRule", + "title": "DisableRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18889,7 +19194,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18911,10 +19216,10 @@ } }, { - "id": 1346066183, + "id": 1189253909, "definition": { "type": "note", - "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18930,9 +19235,9 @@ } }, { - "id": 548907599, + "id": 693526317, "definition": { - "title": "CreateInstances", + "title": "PutRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18950,7 +19255,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18972,10 +19277,10 @@ } }, { - "id": 2452739824, + "id": 3663488559, "definition": { "type": "note", - "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18991,9 +19296,9 @@ } }, { - "id": 3703726001, + "id": 3167760967, "definition": { - "title": "GenerateDataKeyWithoutPlaintext", + "title": "CreateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19011,7 +19316,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GenerateDataKeyWithoutPlaintext $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19033,10 +19338,10 @@ } }, { - "id": 874165561, + "id": 2754892567, "definition": { "type": "note", - "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19052,9 +19357,9 @@ } }, { - "id": 4272635386, + "id": 2259164975, "definition": { - "title": "ScheduleKeyDeletion", + "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19072,7 +19377,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GenerateDataKeyWithoutPlaintext $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19094,10 +19399,10 @@ } }, { - "id": 2389472753, + "id": 4282158007, "definition": { "type": "note", - "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19113,9 +19418,9 @@ } }, { - "id": 1592314169, + "id": 3786430415, "definition": { - "title": "Encrypt", + "title": "ScheduleKeyDeletion", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19133,7 +19438,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19155,10 +19460,10 @@ } }, { - "id": 2391682787, + "id": 613909860, "definition": { "type": "note", - "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", + "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19174,9 +19479,9 @@ } }, { - "id": 1594524203, + "id": 118182268, "definition": { - "title": "PutObject", + "title": "Encrypt", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19194,7 +19499,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19216,10 +19521,10 @@ } }, { - "id": 1048583851, + "id": 525315290, "definition": { "type": "note", - "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19235,9 +19540,9 @@ } }, { - "id": 251425267, + "id": 29587698, "definition": { - "title": "PutBucketVersioning", + "title": "PutObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19255,7 +19560,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19277,10 +19582,10 @@ } }, { - "id": 3536115423, + "id": 336055787, "definition": { "type": "note", - "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n", + "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19296,9 +19601,9 @@ } }, { - "id": 2639617952, + "id": 4135295491, "definition": { - "title": "PutBucketLifecycle", + "title": "PutBucketVersioning", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19316,7 +19621,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19338,10 +19643,10 @@ } }, { - "id": 4171771703, + "id": 1409542848, "definition": { "type": "note", - "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19357,9 +19662,9 @@ } }, { - "id": 3275274232, + "id": 913815256, "definition": { - "title": "DeleteObject", + "title": "PutBucketLifecycle", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -19377,7 +19682,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" } } ], @@ -19399,10 +19704,10 @@ } }, { - "id": 431858764, + "id": 2291261877, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19418,9 +19723,9 @@ } }, { - "id": 3830328589, + "id": 1795534285, "definition": { - "title": "InvokeModel", + "title": "DeleteBucket", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19438,7 +19743,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteBucket $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19460,10 +19765,10 @@ } }, { - "id": 1356053040, + "id": 1545498035, "definition": { "type": "note", - "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19479,9 +19784,9 @@ } }, { - "id": 2607039217, + "id": 1049770443, "definition": { - "title": "PutFoundationModelEntitlement", + "title": "DeleteObject", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -19499,7 +19804,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutFoundationModelEntitlement $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteObject $userIdentity.arn $network.client.ip $account" } } ], @@ -19521,10 +19826,10 @@ } }, { - "id": 4054649061, + "id": 545786594, "definition": { "type": "note", - "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19540,9 +19845,9 @@ } }, { - "id": 1010667942, + "id": 50059002, "definition": { - "title": "InvokeModelWithResponseStream", + "title": "InvokeModel", "title_size": "16", "title_align": "left", "type": "query_value", 
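Review bot: The DeleteObject widget query `source:cloudtrail @evt.name:DeleteObject $userIdentity.arn $network.client.ip $account` (and the PutObject widget earlier in this file) counts S3 object-level API calls, which CloudTrail records only as data events; a trail that logs management events alone never emits them, so this panel can read zero during an actual bucket-wiping incident while DeleteBucket, a management event, still shows up. The note widget for DeleteObject would be more useful with a caveat in its content such as `**Note:** S3 object-level calls are CloudTrail data events; enable S3 data event logging on the trail or this widget will show no results.`, and the same sentence applies to the PutObject note. Given the random widget ids and the wholesale shift of widgets across this diff, this file looks generated from the per-event JSON, so the wording presumably belongs in that source (the events/S3 descriptions) rather than in this output; worth confirming before editing here directly.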
@@ -19560,7 +19865,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InvokeModelWithResponseStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account" } } ], @@ -19582,10 +19887,10 @@ } }, { - "id": 807938940, + "id": 3578160285, "definition": { "type": "note", - "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19601,9 +19906,9 @@ } }, { - "id": 4206408765, + "id": 3082432693, "definition": { - "title": "PutUseCaseForModelAccess", + "title": "PutFoundationModelEntitlement", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19621,7 +19926,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutUseCaseForModelAccess $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutFoundationModelEntitlement $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19643,10 +19948,10 @@ } }, { - "id": 2934951439, + "id": 2773585715, "definition": { "type": "note", - "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19662,9 +19967,9 @@ } }, { - "id": 2038453968, + "id": 2277858123, "definition": { - "title": "CreateFoundationModelAgreement", + "title": "InvokeModelWithResponseStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19682,7 +19987,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFoundationModelAgreement $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InvokeModelWithResponseStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19704,10 +20009,10 @@ } }, { - "id": 3483481384, + "id": 117938238, "definition": { "type": "note", - "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19723,9 +20028,9 @@ } }, { - "id": 2586983913, + "id": 1769694294, "definition": { - "title": "DeleteVolume", + "title": "PutUseCaseForModelAccess", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19743,7 +20048,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteVolume $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutUseCaseForModelAccess $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19765,10 +20070,10 @@ } }, { - "id": 3294891290, + "id": 965827571, "definition": { "type": "note", - "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19784,9 +20089,9 @@ } }, { - "id": 350249058, + "id": 470099979, "definition": { - "title": "StartInstances", + "title": "CreateFoundationModelAgreement", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19804,7 +20109,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFoundationModelAgreement $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19826,10 +20131,10 @@ } }, { - "id": 363055578, + "id": 546345766, "definition": { "type": "note", - "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19845,9 +20150,9 @@ } }, { - "id": 1713380642, + "id": 50618174, "definition": { - "title": "CreateDefaultVpc", + "title": "DeleteVolume", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19865,7 +20170,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteVolume $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19887,10 +20192,10 @@ } }, { - "id": 3925399966, + "id": 3821299331, "definition": { "type": "note", - "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19906,9 +20211,9 @@ } }, { - "id": 3128241382, + "id": 3325571739, "definition": { - "title": "TerminateInstances", + "title": "StartInstances", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -19926,7 +20231,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" } } ], @@ -19948,10 +20253,10 @@ } }, { - "id": 1597349931, + "id": 1494037069, "definition": { "type": "note", - "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19967,9 +20272,9 @@ } }, { - "id": 2848336108, + "id": 998309477, "definition": { - "title": "StopInstances", + "title": "CreateDefaultVpc", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19987,7 +20292,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20009,10 +20314,10 @@ } }, { - "id": 2996720459, + "id": 3969315096, "definition": { "type": "note", - "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20028,9 +20333,9 @@ } }, { - "id": 2100222988, + "id": 3473587504, "definition": { - "title": "DeleteSnapshot", + "title": "TerminateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20048,7 +20353,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteSnapshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20070,10 +20375,10 @@ } }, { - "id": 3755745790, + "id": 1204564740, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20089,9 +20394,9 @@ } }, { - "id": 711764671, + "id": 708837148, "definition": { - "title": "RunInstances", + "title": "StopInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20109,7 +20414,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20131,10 +20436,10 @@ } }, { - "id": 3873481830, + "id": 653738419, "definition": { "type": "note", - "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20150,9 +20455,9 @@ } }, { - "id": 829500711, + "id": 2305494475, "definition": { - "title": "DeleteGlobalCluster", + "title": "DeleteSnapshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20170,7 +20475,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteGlobalCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteSnapshot $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20192,10 +20497,10 @@ } }, { - "id": 3461963518, + "id": 1919776497, "definition": { "type": "note", - "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With 
AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -20211,7 +20516,129 @@ } }, { - "id": 2565466047, + "id": 3571532553, + "definition": { + "title": "RunInstances", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 22, + "width": 2, + "height": 2 + } + }, + { + "id": 2853521926, + "definition": { + "type": "note", + "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 8, + "y": 22, + "width": 2, + "height": 2 + } + }, + { + "id": 210310686, + "definition": { + "title": "DeleteGlobalCluster", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:DeleteGlobalCluster $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 10, + "y": 22, + "width": 2, + "height": 2 + } + 
}, + { + "id": 4180738741, + "definition": { + "type": "note", + "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 0, + "y": 24, + "width": 2, + "height": 2 + } + }, + { + "id": 3685011149, "definition": { "title": "DeleteDBCluster", "title_size": "16", 
@@ -20245,15 +20672,76 @@ "autoscale": true, "precision": 2 }, + "layout": { + "x": 2, + "y": 24, + "width": 2, + "height": 2 + } + }, + { + "id": 3052675768, + "definition": { + "type": "note", + "content": "### [DeleteDBInstance](https://traildiscover.cloud/#RDS-DeleteDBInstance)\n\n**Description:** Deletes a previously provisioned DB instance.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 24, + "width": 2, + "height": 2 + } + }, + { + "id": 409464528, + "definition": { + "title": "DeleteDBInstance", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:DeleteDBInstance $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, "layout": { "x": 6, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 3302819324, + "id": 445471826, "definition": { "type": "note", "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", 
@@ -20266,13 +20754,13 @@ }, "layout": { "x": 8, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 358177092, + "id": 2097227882, "definition": { "title": "CreateEmailIdentity", "title_size": "16", @@ -20308,13 +20796,13 @@ }, "layout": { "x": 10, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 3484192527, + "id": 2575247221, "definition": { "type": "note", "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -20327,13 +20815,13 @@ }, "layout": { "x": 0, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2687033943, + "id": 2079519629, "definition": { "title": "UpdateAccountSendingEnabled", "title_size": "16", @@ -20369,13 +20857,13 @@ }, "layout": { "x": 2, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2950706983, + "id": 545651970, "definition": { "type": "note", "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -20388,13 +20876,13 @@ }, "layout": { "x": 4, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2054209512, + "id": 49924378, "definition": { "title": "VerifyEmailIdentity", "title_size": "16", 
@@ -20430,13 +20918,13 @@ }, "layout": { "x": 6, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 4248834813, + "id": 1612750806, "definition": { "type": "note", "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20449,13 +20937,13 @@ }, "layout": { "x": 8, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 3352337342, + "id": 1117023214, "definition": { "title": "RegisterTaskDefinition", "title_size": "16", @@ -20491,13 +20979,13 @@ }, "layout": { "x": 10, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 3073408598, + "id": 26697223, "definition": { "type": "note", "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20510,13 +20998,13 @@ }, "layout": { "x": 0, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 2176911127, + "id": 3825936927, "definition": { "title": "CreateService", "title_size": "16", 
@@ -20552,16 +21040,16 @@ }, "layout": { "x": 2, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 164320414, + "id": 2344419161, "definition": { "type": "note", - "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20571,13 +21059,13 @@ }, "layout": { "x": 4, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 3562790239, + "id": 1749352682, "definition": { "title": "CreateCluster", "title_size": "16", 
@@ -20613,13 +21101,13 @@ }, "layout": { "x": 6, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 2531828626, + "id": 3150920082, "definition": { "type": "note", "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", @@ -20632,13 +21120,13 @@ }, "layout": { "x": 8, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 3882153690, + "id": 2655192490, "definition": { "title": "RequestServiceQuotaIncrease", "title_size": "16", @@ -20674,7 +21162,7 @@ }, "layout": { "x": 10, - "y": 26, + "y": 28, "width": 2, "height": 2 } @@ -20683,9 +21171,9 @@ }, "layout": { "x": 0, - "y": 225, + "y": 227, "width": 12, - "height": 30 + "height": 32 } } ], diff --git a/docs/events.csv b/docs/events.csv index 0340c8a..3cf37a9 100644 --- a/docs/events.csv +++ b/docs/events.csv 
@@ -4,13 +4,16 @@ ListDomains,route53domains.amazonaws.com,route53domains,This operation returns a GetHostedZoneCount,route53.amazonaws.com,Route53,Retrieves the number of hosted zones that are associated with the current AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws route53 get-hosted-zone-count""}]",https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount RegisterDomain,route53domains.amazonaws.com,route53domains,"This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53domains register-domain --region us-east-1 --cli-input-json '{\""DomainName\"": \""\"", \""DurationInYears\"": 1, \""AdminContact\"": { \""FirstName\"": \""\"", \""LastName\"": \""\""}, \""RegistrantContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\"" }, \""TechContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\""}}'""}]",https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain CreateHostedZone,route53.amazonaws.com,Route53,"Creates a new public or private hosted zone. 
You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'""}]",https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone +InviteAccountToOrganization,organizations.amazonaws.com,Organizations,Sends an invitation to another account to join your organization as a member account.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations invite-account-to-organization --target '{\""Type\"": \""EMAIL\"", \""Id\"": \""traildiscover@example.com\""}'""}]",https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization DescribeOrganization,organizations.amazonaws.com,Organizations,Retrieves information about the organization that the user's account belongs to.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access 
Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations describe-organization""}]",https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization ListOrganizationalUnitsForParent,organizations.amazonaws.com,Organizations,Lists the organizational units (OUs) in a parent organizational unit or root.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-organizational-units-for-parent --parent-id r-traildiscover""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent -LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": ""hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization +CreateAccount,organizations.amazonaws.com,Organizations,Creates an AWS account that is automatically a member of the organization whose credentials made the request.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations create-account --email traildiscover@example.com --account-name \""TrailDiscover Account\""""}]",https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount +LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1070 - Indicator Removal,False,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": ""hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization ListAccounts,organizations.amazonaws.com,Organizations,Lists all the accounts in the organization.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-accounts""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts +CreateStack,cloudformation.amazonaws.com,CloudFormation,Creates a stack as specified in the template.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use CreateStack to provision unauthorized resources,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack AssumeRoleWithWebIdentity,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.,"TA0001 - Initial Access, TA0008 - Lateral Movement","T1199 - Trusted Relationship, T1550 - Use Alternate Authentication Material",False,[],"[{""description"": ""From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk"", ""link"": ""https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/""}]",Attackers 
might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity -GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,False,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": ""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken -GetSessionToken,sts.amazonaws.com,STS,Returns a set of temporary credentials for an AWS account or IAM user.,TA0001 - Initial Access,T1199 - Trusted Relationship,False,[],"[{""description"": ""AWS STS GetSessionToken Abuse"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html""}]",Attackers might use GetSessionToken to obtain temporary access credentials.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 
123456""}]",https://aws.permissions.cloud/iam/sts#sts-GetSessionToken +GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,True,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": ""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken +GetSessionToken,sts.amazonaws.com,STS,Returns a set of temporary credentials for an AWS account or IAM user.,TA0001 - Initial Access,T1199 - Trusted Relationship,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""AWS STS GetSessionToken Abuse"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html""}]",Attackers might use GetSessionToken to obtain temporary access 
credentials.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456""}]",https://aws.permissions.cloud/iam/sts#sts-GetSessionToken AssumeRole,sts.amazonaws.com,STS,Returns a set of temporary security credentials that you can use to access AWS resources.,"TA0001 - Initial Access, TA0003 - Persistence, TA0004 - Privilege Escalation","T1199 - Trusted Relationship, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]","[{""description"": ""Role Chain Juggling"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use AssumeRole to gain unauthorized access to an AWS role. 
This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRole AssumeRoleWithSAML,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.,TA0001 - Initial Access,T1199 - Trusted Relationship,False,[],"[{""description"": ""AWS - STS Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc""}]",Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML GetCallerIdentity,sts.amazonaws.com,STS,Returns details about the IAM user or role whose credentials are used to call the operation.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}, {""description"": ""Enumerate AWS Account ID from an EC2 Instance"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/""}]",Attackers might use GetCallerIdentity to know what user or role are they using. This request does not need any permission.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-caller-identity""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity 
@@ -63,6 +66,7 @@ GetRegions,lightsail.amazonaws.com,LightSail,Returns a list of all valid regions GetCostAndUsage,ce.amazonaws.com,CostExplorer,Retrieves cost and usage metrics for your account.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.,[],"[{""type"": ""commandLine"", ""value"": ""aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment""}]",https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage DeleteMembers,securityhub.amazonaws.com,SecurityHub,Deletes the specified member accounts from Security Hub.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteMembers to remove specific members from the SecurityHub, disrupting security management and monitoring.",[],"[{""type"": ""commandLine"", ""value"": ""aws securityhub delete-members --account-ids TrailDiscoverAccountIds""}]",https://aws.permissions.cloud/iam/securityhub#securityhub-DeleteMembers ListGroupsForUser,iam.amazonaws.com,IAM,Lists the IAM groups that the specified IAM user belongs to.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use 
ListGroupsForUser to identify privileged groups and target specific users for access escalation.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups-for-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser +CreateSAMLProvider,iam.amazonaws.com,IAM,Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateSAMLProvider to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider ListAccessKeys,iam.amazonaws.com,IAM,Returns information about the access key IDs associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]",[],Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-access-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys DeleteRolePolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.","[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy DetachRolePolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified role.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy 
@@ -79,6 +83,7 @@ CreatePolicyVersion,iam.amazonaws.com,IAM,Creates a new version of the specified DeleteUserPolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy ListRoles,iam.amazonaws.com,IAM,Lists the IAM roles that have the specified path prefix. 
,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-roles""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListRoles PutRolePermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM role's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary +StartSSO,sso.amazonaws.com,SSO,Initialize AWS IAM Identity Center,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use StartSSO to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sso#sso-StartSSO 
PutUserPermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM user's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary ListSAMLProviders,iam.amazonaws.com,IAM,Lists the SAML provider resource objects defined in IAM in the account.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSAMLProviders to discover if there are SAML providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-saml-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders DeleteUserPermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM user.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-permissions-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary 
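Review bot: The `+StartSSO` row, like the `+CreateSAMLProvider` row in the hunk above and the `+CreateOpenIDConnectProvider` row in the hunk below, is mapped to `T1136 - Create Account`, yet none of these calls creates an account: the two IAM calls register an identity provider that later lets federated principals obtain role sessions (compare the `AssumeRoleWithSAML` and `AssumeRoleWithWebIdentity` rows already in this file), and StartSSO presumably enables Identity Center rather than creating a user. `T1556 - Modify Authentication Process`, which this file already uses for the AppSync rows, is the closer mapping, with `T1098 - Account Manipulation` as an alternative. The three rows also share the same placeholder rationale `Attackers use X to establish persistent footholds.`; an analyst would get more from a sentence that names the foothold, e.g. `Attackers might use CreateSAMLProvider to register an identity provider they control, so that federated principals of their choosing can later assume roles in the account.` Two smaller consistency points: `Initialize AWS IAM Identity Center` and the OIDC description both lack the terminal period every other description carries, and the CreateSAMLProvider row records the CLI example as `N/A` although `aws iam create-saml-provider` is the direct equivalent and sibling rows list theirs. If this CSV is generated from the per-event definitions, the fixes belong in those files rather than here.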
@@ -86,6 +91,7 @@ GetUser,iam.amazonaws.com,IAM,"Retrieves information about the specified IAM use DeleteAccessKey,iam.amazonaws.com,IAM,Deletes the access key pair associated with the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey DeleteUser,iam.amazonaws.com,IAM,Deletes the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. 
Also, it can be used to delete previously used users to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUser AttachRolePolicy,iam.amazonaws.com,IAM,"Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy +CreateOpenIDConnectProvider,iam.amazonaws.com,IAM,Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC),TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateOpenIDConnectProvider to establish persistent 
footholds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-open-id-connect-provider --cli-input-json '{\""Url\"": \""https://server.example.com\"",\""ClientIDList\"": [\""example-application-ID\""],\""ThumbprintList\"": [\""c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\""]}'""}]",https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider SetDefaultPolicyVersion,iam.amazonaws.com,IAM,Sets the specified version of the specified policy as the policy's default (operative) version.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2""}]",https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion AttachUserPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": 
""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}]",https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy CreateGroup,iam.amazonaws.com,IAM,Creates a new group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Group Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html""}]",Attackers use CreateGroup to create a group that they can use to escalate privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-group --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-CreateGroup 
@@ -132,7 +138,7 @@ LookupEvents,cloudtrail.amazonaws.com,CloudTrail,Looks up management events or C StopLogging,cloudtrail.amazonaws.com,CloudTrail,Suspends the recording of AWS API calls and log file delivery for the specified trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Stopping a CloudTrail trail"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/""}, {""description"": ""AWS Defense Evasion Stop Logging Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/""}, {""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use StopLogging to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail stop-logging --name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging 
UpdateTrail,cloudtrail.amazonaws.com,CloudTrail,"Updates trail settings that control what events you are logging, and how to handle log files.",TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use UpdateTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail DeleteTrail,cloudtrail.amazonaws.com,CloudTrail,Deletes a trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS Defense Evasion Delete Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use DeleteTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail delete-trail --name TrailDiscoverTrailName""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail -PutEventSelectors,cloudtrail.amazonaws.com,CloudTrail,Configures an event selector or advanced event selectors for your trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""cloudtrail_guardduty_bypass"", ""link"": ""https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use PutEventSelectors to disrupting AWS logging.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\""ReadWriteType\"": \""All\"", \""IncludeManagementEvents\"":true, \""DataResources\"": [{\""Type\"": \""AWS::S3::Object\"", \""Values\"": [\""arn:aws:s3\""]}] }]'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors +PutEventSelectors,cloudtrail.amazonaws.com,CloudTrail,Configures an event selector or advanced event selectors for your trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""cloudtrail_guardduty_bypass"", ""link"": ""https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use PutEventSelectors to disrupting AWS logging.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\""ReadWriteType\"": \""All\"", \""IncludeManagementEvents\"":true, \""DataResources\"": [{\""Type\"": \""AWS::S3::Object\"", \""Values\"": [\""arn:aws:s3\""]}] }]'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors UpdateGraphqlApi,appsync.amazonaws.com,AppSync,Updates a GraphqlApi object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateGraphqlApi to add additional authentications options. 
Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi CreateApiKey,appsync.amazonaws.com,AppSync,Creates a unique key that you can distribute to clients who invoke your API.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use CreateApiKey to add a key they control for authentication. Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync create-api-key --api-id TrailDiscoverApiId""}]",https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey GetIntrospectionSchema,appsync.amazonaws.com,AppSync,Retrieves the introspection schema for a GraphQL API.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync get-introspection-schema --api-id TrailDiscover --format json output""}]",https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema 
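Review bot: The rewritten `+PutEventSelectors` row keeps the ungrammatical rationale `Attackers might use PutEventSelectors to disrupting AWS logging.`; since the line is being replaced anyway this is the moment to fix it, and the same `to disrupting` wording sits in the StopLogging, UpdateTrail and DeleteTrail context rows of this hunk. A more specific rationale would also help analysts, e.g. `Attackers might use PutEventSelectors to narrow what a trail records so that their subsequent activity is not logged.`, which is what the cited `cloudtrail_guardduty_bypass` reference appears to describe. If the CSV is generated from the per-event JSON, the wording fix belongs in the source definition.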
@@ -148,21 +154,22 @@ PutBucketReplication,s3.amazonaws.com,S3,Creates a replication configuration or ListBuckets,s3.amazonaws.com,S3,Returns a list of all buckets owned by the authenticated sender of the request.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": 
""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api list-buckets --query \""Buckets[].Name\""""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",N/A GetBucketReplication,s3.amazonaws.com,S3,Returns the replication configuration of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-replication --bucket TrailDiscoverBucket""}]",N/A GetObject,s3.amazonaws.com,S3,Retrieves an object from Amazon S3.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Incident 2 - Additional details of the attack"", ""link"": 
""https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus""}, {""description"": ""Aruba Central Security Incident"", ""link"": ""https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/""}, {""description"": ""Sendtech Pte. Ltd"", ""link"": ""https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en""}, {""description"": ""GotRoot! AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Chegg, Inc"", ""link"": ""https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf""}, {""description"": ""Scattered Spider Attack Analysis"", ""link"": ""https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Data Exfiltration through S3 Server Access Logs"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/""}, {""description"": ""S3 Streaming Copy"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/""}]",Attackers might use GetObject to download data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-GetObject -PutBucketLifecycle,s3.amazonaws.com,S3,Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""USA VS Nickolas Sharp"", ""link"": ""https://www.justice.gov/usao-sdny/press-release/file/1452706/dl""}]",[],Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\""Rules\"":[{\""ID\"":\""\"",\""Status\"": \""Enabled\"", \""Prefix\"": \""TrailDiscover/\""}]}'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule""}]",N/A +PutBucketLifecycle,s3.amazonaws.com,S3,Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""USA VS Nickolas Sharp"", ""link"": ""https://www.justice.gov/usao-sdny/press-release/file/1452706/dl""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use PutBucketLifecycle to add a lifecycle that 
deletes data after one day.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\""Rules\"":[{\""ID\"":\""\"",\""Status\"": \""Enabled\"", \""Prefix\"": \""TrailDiscover/\""}]}'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule""}]",N/A +DeleteBucket,s3.amazonaws.com,S3,Deletes the S3 bucket.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteBucket to delete resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucket GetBucketAcl,s3.amazonaws.com,S3,This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""Public S3 bucket through bucket ACL"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/""}]",Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-acl --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl DeleteBucketPolicy,s3.amazonaws.com,S3,Deletes the policy of 
a specified bucket.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""AWS S3 Bucket Configuration Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html""}]",Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy HeadObject,s3.amazonaws.com,S3,The HEAD operation retrieves metadata from an object without returning the object itself.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use HeadObject to gather metadata about sensitive files stored in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A ListVaults,glacier.amazonaws.com,S3,This operation lists all vaults owned by the calling user’s account.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListVaults to identify data such as archived training data or related datasets.,[],"[{""type"": ""commandLine"", ""value"": ""aws glacier list-vaults --account-id 
-""}]",https://aws.permissions.cloud/iam/glacier#glacier-ListVaults GetPublicAccessBlock,s3.amazonaws.com,S3,Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A GetBucketTagging,s3.amazonaws.com,S3,Returns the tag set associated with the bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-tagging --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging -DeleteObject,s3.amazonaws.com,S3,Removes an object from a bucket. 
The behavior depends on the bucket's versioning state.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability"", ""link"": ""https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability""}, {""description"": ""20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets"", ""link"": ""https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],Attackers might use DeleteObject to erase crucial data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteObject +DeleteObject,s3.amazonaws.com,S3,Removes an object from a bucket. 
The behavior depends on the bucket's versioning state.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability"", ""link"": ""https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability""}, {""description"": ""20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets"", ""link"": ""https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteObject to erase crucial data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteObject JobCreated,s3.amazonaws.com,S3,"When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud 
Account,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A ListObjects,s3.amazonaws.com,S3,"Returns some or all (up to 1,000) of the objects in a bucket.",TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A -InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers 
might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel +InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel GetUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to retrieve a use case for model access.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use GetUseCaseForModelAccess to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess 
ListProvisionedModelThroughputs,bedrock.amazonaws.com,Bedrock,Grants permission to list provisioned model throughputs that you created earlier.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs PutFoundationModelEntitlement,bedrock.amazonaws.com,Bedrock,Grants permission to put entitlement to access a foundation model.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement -InvokeModelWithResponseStream,bedrock.amazonaws.com,Bedrock,Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream +InvokeModelWithResponseStream,bedrock.amazonaws.com,Bedrock,Grants permission 
to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream PutUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to put a use case for model access.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess GetFoundationModelAvailability,bedrock.amazonaws.com,Bedrock,Grants permission to get the availability of a foundation model.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use GetFoundationModelAvailability to enumerate accessible models,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability 
ListFoundationModels,bedrock.amazonaws.com,Bedrock,Grants permission to list Bedrock foundation models that you can use.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModels to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels 
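Review bot: The new DeleteBucket row describes the call as `Deletes the S3 bucket.` and its attacker text as `Attackers might use DeleteBucket to delete resources.`, which leaves out the detail a detection engineer needs: the API only succeeds once every object, version and delete marker has been removed, so a DeleteBucket event is normally preceded by DeleteObject/DeleteObjects activity from the same principal, and the row could say so, e.g. `Attackers might use DeleteBucket to destroy data after emptying the bucket with DeleteObject(s), including buckets that hold CloudTrail or access logs.` The example commands in this hunk are also inconsistent with the rest of the file: DeleteBucket uses `my-traildiscover-bucket` and PutBucketLifecycle uses `my-bucket`, while neighbouring rows use the `TrailDiscoverBucket` placeholder, and the literal `sg-0683fcf7a41c82593` in the AuthorizeSecurityGroupIngress row of the next hunk has the same problem. If this CSV is exported from per-event JSON definitions, as its column layout suggests, the wording and placeholder fixes belong in those source files rather than in the export.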
@@ -205,7 +212,7 @@ DescribeTransitGatewayMulticastDomains,ec2.amazonaws.com,EC2,Describes one or mo StopInstances,ec2.amazonaws.com,EC2,Stops an Amazon EBS-backed instance.,"TA0040 - Impact, TA0005 - Defense Evasion","T1499 - Endpoint Denial of Service, T1578 - Modify Cloud Compute Infrastructure",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-StopInstances DescribeInstanceAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified instance. 
You can specify only one attribute at a time.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute DescribeDhcpOptions,ec2.amazonaws.com,EC2,Describes one or more of your DHCP options sets.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions -AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": ""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 
for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress +AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the 
specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": ""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": 
""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress DescribeVpcEndpointConnectionNotifications,ec2.amazonaws.com,EC2,Describes the connection notifications for VPC endpoints and VPC endpoint services.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications DescribeFlowLogs,ec2.amazonaws.com,EC2,Describes one or more flow logs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeFlowLogs to review VPC flow log configurations, 
aiming to understand what network traffic is being logged.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey 
@@ -216,7 +223,7 @@ DeleteSnapshot,ec2.amazonaws.com,EC2,Deletes the specified snapshot.,TA0040 - Im SharedSnapshotVolumeCreated,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""M-Trends Report - 2020"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf""}, {""description"": ""Democratic National Committee hack"", ""link"": ""https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000""}]","[{""description"": ""Detecting exfiltration of EBS snapshots in AWS"", ""link"": ""https://twitter.com/christophetd/status/1574681313218506753""}]",SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",N/A CreateSnapshot,ec2.amazonaws.com,EC2,Creates a snapshot of an EBS volume and stores it in Amazon S3.,"TA0008 - Lateral Movement, TA0010 - Exfiltration","T1537 - Transfer Data to Cloud Account, T1021 - Remote Services",True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Stealing an EBS snapshot by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/""}, {""description"": ""Exfiltrate EBS Snapshot by Sharing It"", ""link"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/""}]","Attackers might use 
ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute ReplaceIamInstanceProfileAssociation,ec2.amazonaws.com,EC2,Replaces an IAM instance profile for the specified running instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]",[],Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa""}]",https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation -RunInstances,ec2.amazonaws.com,EC2,Launches the specified number of instances using an AMI for which you have permissions.,"TA0003 - Persistence, TA0040 - Impact, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""DXC spills AWS private keys on public GitHub"", ""link"": ""https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, 
{""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Clear and Uncommon Story About Overcoming Issues With AWS"", ""link"": ""https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/""}, {""description"": ""onelogin 2017 Security Incident"", ""link"": ""https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Launching EC2 instances"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM 
Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances""}]",https://aws.permissions.cloud/iam/ec2#ec2-RunInstances +RunInstances,ec2.amazonaws.com,EC2,Launches the specified number of instances using an AMI for which you have permissions.,"TA0003 - Persistence, TA0040 - Impact, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""DXC spills AWS private keys on public GitHub"", ""link"": ""https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": 
""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Clear and Uncommon Story About Overcoming Issues With AWS"", ""link"": ""https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/""}, {""description"": ""onelogin 2017 Security Incident"", ""link"": ""https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Launching EC2 instances"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Abusing VPC 
Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances""}]",https://aws.permissions.cloud/iam/ec2#ec2-RunInstances CreateTrafficMirrorFilter,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter --description 'TCP Filter'""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter DescribeSecurityGroups,ec2.amazonaws.com,EC2,Describes the specified security groups or all of your security groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Case Study: Responding to an Attack in AWS"", ""link"": ""https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/""}]",[],"Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups 
CreateTrafficMirrorFilterRule,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter rule.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule 
@@ -236,10 +243,11 @@ ModifyImageAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of t ModifyDBSnapshotAttribute,rds.amazonaws.com,RDS,"Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Imperva Security Update"", ""link"": ""https://www.imperva.com/blog/ceoblog/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute AuthorizeDBSecurityGroupIngress,rds.amazonaws.com,RDS,Enables ingress to a DBSecurityGroup using one of two forms of authorization.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, 
{""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]",Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP""}]",https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress DeleteGlobalCluster,rds.amazonaws.com,RDS,Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]",Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster -DeleteDBCluster,rds.amazonaws.com,RDS,The DeleteDBCluster action deletes a previously provisioned DB cluster.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}, {""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]","Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster 
+DeleteDBCluster,rds.amazonaws.com,RDS,The DeleteDBCluster action deletes a previously provisioned DB cluster.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}, {""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]","Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster StartExportTask,rds.amazonaws.com,RDS,Starts an export of DB snapshot or DB cluster data to Amazon S3.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""AWS - RDS Post Exploitation"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation""}]",Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff""}]",https://aws.permissions.cloud/iam/rds#rds-StartExportTask +DeleteDBInstance,rds.amazonaws.com,RDS,Deletes a previously provisioned DB instance.,TA0040 - 
Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance CreateDBSecurityGroup,rds.amazonaws.com,RDS,Creates a new DB security group. DB security groups control access to a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup -CreateDBSnapshot,rds.amazonaws.com,RDS,Creates a snapshot of a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": 
""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}]",Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot +CreateDBSnapshot,rds.amazonaws.com,RDS,Creates a snapshot of a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}]",Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot ModifyActivityStream,rds.amazonaws.com,RDS,Changes the audit policy state of a database activity stream to either locked (default) or unlocked.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,True,"[{""description"": ""Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response"", ""link"": 
""https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response""}]",[],"Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-activity-stream""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream CreateDevEndpoint,glue.amazonaws.com,Glue,Creates a new development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint UpdateJob,glue.amazonaws.com,Glue,Updates an existing job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws glue update-job --job-name TrailDiscoverJob --job-update '{\""Role\"": \""TrailDiscoverRole\"", \""Command\"": {\""Name\"": \""glueetl\"", \""ScriptLocation\"": 
\""s3://mybucket/myscript.py\""}}'""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateJob 
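Review bot: The new `+DeleteDBInstance` row leaves its research-links column as `[]`, although the Elastic rule already cited on the neighbouring DeleteDBCluster row, "AWS Deletion of RDS Instance or Cluster", covers instance deletion as well, so the same entry `{"description": "AWS Deletion of RDS Instance or Cluster", "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html"}` belongs in that column (CSV-escaped as the other rows are). If this CSV is regenerated from the per-event JSON definitions, as the matching changes elsewhere in the commit suggest, the addition should be made in the DeleteDBInstance source record rather than edited here. On the detection side, the attacker-usage text could note that a CloudTrail DeleteDBInstance record whose requestParameters carry `skipFinalSnapshot` set to true (the CLI's `--skip-final-snapshot`) is the unrecoverable variant worth alerting on first, since the default call requires a final snapshot that preserves the data.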
@@ -277,7 +285,7 @@ CreateFilter,guardduty.amazonaws.com,GuardDuty,Creates a filter using the specif DeleteMembers,guardduty.amazonaws.com,GuardDuty,Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers RegisterTaskDefinition,ecs.amazonaws.com,ECS,Registers a new task definition from the supplied family and containerDefinitions.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\""name\"":\""bench-container\"", \""cpu\"":2048, \""memory\"":4092 }]'""}]",https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition CreateService,ecs.amazonaws.com,ECS,Runs and maintains your desired number of tasks from a specified task definition.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: 
Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],"Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateService -CreateCluster,ecs.amazonaws.com,ECS,Creates a new Amazon ECS cluster.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],"Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs create-cluster --cluster-name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster +CreateCluster,ecs.amazonaws.com,ECS,Creates a new Amazon ECS cluster.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to 
deploy malicious workloads or use compute resources for cryptojacking","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs create-cluster --cluster-name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster DeleteConfigurationRecorder,config.amazonaws.com,Config,Deletes the configuration recorder.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}]",Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.,[],"[{""type"": ""commandLine"", ""value"": ""aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder DeleteDeliveryChannel,config.amazonaws.com,Config,Deletes the delivery channel.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}, {""description"": ""AWS Config modified"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]",Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, 
{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel""}]",https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel StopConfigurationRecorder,config.amazonaws.com,Config,Stops recording configurations of the AWS resources you have selected to record in your AWS account.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Configuration Recorder Stopped"", ""link"": ""https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped""}, {""description"": ""AWS Config modified"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder diff --git a/docs/events.json b/docs/events.json index 9b621f9..338100b 100644 --- a/docs/events.json +++ b/docs/events.json 
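Review bot: The rebuilt CreateCluster row (the `+` line of this hunk) still lists `aws_eks_cluster_created_or_deleted.yml` under alerting, a Sigma rule written for `eks.amazonaws.com`, while the row itself is the ECS event with eventSource `ecs.amazonaws.com`; that rule cannot match an ECS CreateCluster record, so the row advertises detection coverage it does not have. The mismatch predates this commit, but the row is regenerated here and nothing else in the commit touches it. If this CSV is generated from `events/ECS/CreateCluster.json` (the lockstep changes to both files suggest it is), the `alerting` entry should be dropped or replaced with an ECS-specific rule there, and the docs regenerated.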
@@ -154,6 +154,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone" }, + { + "eventName": "InviteAccountToOrganization", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Sends an invitation to another account to join your organization as a member account.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1535 - Unused/Unsupported Cloud Regions" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'" + } + ], + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization" + }, { "eventName": "DescribeOrganization", "eventSource": "organizations.amazonaws.com", 
@@ -212,6 +241,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent" }, + { + "eventName": "CreateAccount", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1535 - Unused/Unsupported Cloud Regions" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\"" + } + ], + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount" + }, { "eventName": "LeaveOrganization", "eventSource": "organizations.amazonaws.com", @@ -221,10 +279,15 @@ "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1070 - Indicator Removal" ], "usedInWild": false, - "incidents": [], + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], "researchLinks": [ { "description": "An AWS account attempted to leave the AWS Organization", 
@@ -274,6 +337,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts" }, + { + "eventName": "CreateStack", + "eventSource": "cloudformation.amazonaws.com", + "awsService": "CloudFormation", + "description": "Creates a stack as specified in the template.", + "mitreAttackTactics": [ + "TA0040 - Impact" + ], + "mitreAttackTechniques": [ + "T1496 - Resource Hijacking" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateStack to provision unauthorized resources", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "N/A" + } + ], + "permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack" + }, { "eventName": "AssumeRoleWithWebIdentity", "eventSource": "sts.amazonaws.com", @@ -316,11 +408,15 @@ "mitreAttackTechniques": [ "T1078 - Valid Accounts" ], - "usedInWild": false, + "usedInWild": true, "incidents": [ { "description": "How Adversaries Can Persist with AWS User Federation", "link": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [ 
@@ -354,8 +450,13 @@ "mitreAttackTechniques": [ "T1199 - Trusted Relationship" ], - "usedInWild": false, - "incidents": [], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], "researchLinks": [ { "description": "AWS STS GetSessionToken Abuse", @@ -2120,6 +2221,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser" }, + { + "eventName": "CreateSAMLProvider", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.", + "mitreAttackTactics": [ + "TA0003 - Persistence" + ], + "mitreAttackTechniques": [ + "T1136 - Create Account" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "N/A" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider" + }, { "eventName": "ListAccessKeys", "eventSource": "iam.amazonaws.com", 
@@ -2757,6 +2887,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary" }, + { + "eventName": "StartSSO", + "eventSource": "sso.amazonaws.com", + "awsService": "SSO", + "description": "Initialize AWS IAM Identity Center", + "mitreAttackTactics": [ + "TA0003 - Persistence" + ], + "mitreAttackTechniques": [ + "T1136 - Create Account" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers use StartSSO to establish persistent footholds.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "N/A" + } + ], + "permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO" + }, { "eventName": "PutUserPermissionsBoundary", "eventSource": "iam.amazonaws.com", 
@@ -2992,6 +3151,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy" }, + { + "eventName": "CreateOpenIDConnectProvider", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)", + "mitreAttackTactics": [ + "TA0003 - Persistence" + ], + "mitreAttackTechniques": [ + "T1136 - Create Account" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider" + }, { "eventName": "SetDefaultPolicyVersion", "eventSource": "iam.amazonaws.com", @@ -4666,8 +4854,13 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], - "usedInWild": false, - "incidents": [], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], "researchLinks": [ { "description": "cloudtrail_guardduty_bypass", 
@@ -5307,6 +5500,10 @@ { "description": "USA VS Nickolas Sharp", "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], @@ -5329,6 +5526,35 @@ ], "permissions": "N/A" }, + { + "eventName": "DeleteBucket", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Deletes the S3 bucket.", + "mitreAttackTactics": [ + "TA0040 - Impact" + ], + "mitreAttackTechniques": [ + "T1485 - Data Destruction" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DeleteBucket to delete resources.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1" + } + ], + "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket" + }, { "eventName": "GetBucketAcl", "eventSource": "s3.amazonaws.com", @@ -5549,6 +5775,10 @@ { "description": "Hacker Puts Hosting Service Code Spaces Out of Business", "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], 
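Review bot: The `securityImplications` of the new DeleteBucket entry ("Attackers might use DeleteBucket to delete resources.") leaves out the one property that matters for detection: S3 refuses to delete a non-empty bucket, so a successful DeleteBucket is the last step after DeleteObject/DeleteObjects (plus DeleteObjectVersion on versioned buckets) or a lifecycle expiration rule has emptied it, and those earlier calls are the point at which data is actually lost. Suggest `"securityImplications": "Attackers might use DeleteBucket to destroy data; because the bucket must already be empty, a successful call normally follows mass DeleteObject/DeleteObjects calls or a PutBucketLifecycle expiration rule, which are the earlier detection points."`. Worth adding that DeleteObject is an S3 data event only recorded when data-event logging is enabled for the bucket, whereas DeleteBucket is a management event, so a trail without data events sees only the final deletion. The corresponding `events/S3/DeleteBucket.json` (not in this chunk) is presumably where the wording should change.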
@@ -5662,6 +5892,10 @@ { "description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], @@ -5778,6 +6012,10 @@ { "description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], @@ -7272,6 +7510,10 @@ { "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [ @@ -7699,6 +7941,10 @@ { "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [ 
@@ -8342,8 +8588,13 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], - "usedInWild": false, - "incidents": [], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], "researchLinks": [ { "description": "Hunting AWS RDS security events with Sysdig", @@ -8393,6 +8644,35 @@ ], "permissions": "https://aws.permissions.cloud/iam/rds#rds-StartExportTask" }, + { + "eventName": "DeleteDBInstance", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Deletes a previously provisioned DB instance.", + "mitreAttackTactics": [ + "TA0040 - Impact" + ], + "mitreAttackTechniques": [ + "T1485 - Data Destruction" + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB" + } + ], + "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance" + }, { "eventName": "CreateDBSecurityGroup", "eventSource": "rds.amazonaws.com", 
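Review bot: The simulation for the new DeleteDBInstance entry, `aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB`, is rejected by RDS because the API requires either `--skip-final-snapshot` or `--final-db-snapshot-identifier` (FinalDBSnapshotIdentifier is mandatory when SkipFinalSnapshot is false); the runnable form is `aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB --skip-final-snapshot`. Those same parameters are the best signal for the detection this entry is meant to support: `requestParameters.skipFinalSnapshot: true` (and `deleteAutomatedBackups: true`) on this event means the caller intends the data to be unrecoverable, and a call against an instance with deletion protection fails until a preceding ModifyDBInstance turns protection off, so the ModifyDBInstance → DeleteDBInstance pair is worth naming in `securityImplications`. The source entry `events/RDS/DeleteDBInstance.json` is outside this chunk and is where the fix belongs.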
@@ -8442,6 +8722,10 @@ { "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [ @@ -9699,6 +9983,10 @@ { "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], diff --git a/events/Bedrock/InvokeModel.json b/events/Bedrock/InvokeModel.json index aec9e7e..317b9fc 100644 --- a/events/Bedrock/InvokeModel.json +++ b/events/Bedrock/InvokeModel.json @@ -20,6 +20,10 @@ { "description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], diff --git a/events/Bedrock/InvokeModelWithResponseStream.json b/events/Bedrock/InvokeModelWithResponseStream.json index abd8a0e..cb69009 100644 --- a/events/Bedrock/InvokeModelWithResponseStream.json +++ b/events/Bedrock/InvokeModelWithResponseStream.json 
@@ -14,6 +14,10 @@
 {
 "description": "Detecting AI resource-hijacking with Composite Alerts",
 "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/CloudFormation/CreateStack.json b/events/CloudFormation/CreateStack.json
new file mode 100644
index 0000000..9cc8a6f
--- /dev/null
+++ b/events/CloudFormation/CreateStack.json
@@ -0,0 +1,29 @@
+{
+ "eventName": "CreateStack",
+ "eventSource": "cloudformation.amazonaws.com",
+ "awsService": "CloudFormation",
+ "description": "Creates a stack as specified in the template.",
+ "mitreAttackTactics": [
+ "TA0040 - Impact"
+ ],
+ "mitreAttackTechniques": [
+ "T1496 - Resource Hijacking"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use CreateStack to provision unauthorized resources",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "N/A"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack"
+}
\ No newline at end of file
diff --git a/events/CloudTrail/PutEventSelectors.json b/events/CloudTrail/PutEventSelectors.json
index 331e1c4..f0684f6 100644
--- a/events/CloudTrail/PutEventSelectors.json
+++ b/events/CloudTrail/PutEventSelectors.json
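Review bot: The new `events/CloudFormation/CreateStack.json` sets `simulation` to `"N/A"` although the API is trivially exercised from the CLI; suggest `"value": "aws cloudformation create-stack --stack-name TrailDiscoverStack --template-body file://template.json"` so the event can be generated like the other entries. The mapping stops at Impact/T1496, but CreateStack with `--role-arn` is also the well-known `iam:PassRole` + `cloudformation:CreateStack` privilege-escalation path (the stack's resources are created with a service role the caller may not be able to assume directly), so consider adding `TA0004 - Privilege Escalation` alongside TA0040, as the CreateDevEndpoint/UpdateJob rows on this page do for the analogous PassRole pattern, and naming `requestParameters.roleARN` as the field to watch. Minor: `securityImplications` lacks its terminating period, and the file is committed without a trailing newline (as are all new files in this commit).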
@@ -9,8 +9,13 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "cloudtrail_guardduty_bypass",
diff --git a/events/EC2/AuthorizeSecurityGroupIngress.json b/events/EC2/AuthorizeSecurityGroupIngress.json
index f38e59a..3cb6d61 100644
--- a/events/EC2/AuthorizeSecurityGroupIngress.json
+++ b/events/EC2/AuthorizeSecurityGroupIngress.json
@@ -44,6 +44,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/EC2/RunInstances.json b/events/EC2/RunInstances.json
index aeda6f5..9c464aa 100644
--- a/events/EC2/RunInstances.json
+++ b/events/EC2/RunInstances.json
@@ -62,6 +62,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/ECS/CreateCluster.json b/events/ECS/CreateCluster.json
index 10d6cee..744ed69 100644
--- a/events/ECS/CreateCluster.json
+++ b/events/ECS/CreateCluster.json
@@ -14,6 +14,10 @@
 {
 "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
 "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/IAM/CreateOpenIDConnectProvider.json b/events/IAM/CreateOpenIDConnectProvider.json
new file mode 100644
index 0000000..b8b0c10
--- /dev/null
+++ b/events/IAM/CreateOpenIDConnectProvider.json
@@ -0,0 +1,29 @@
+{
+ "eventName": "CreateOpenIDConnectProvider",
+ "eventSource": "iam.amazonaws.com",
+ "awsService": "IAM",
+ "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)",
+ "mitreAttackTactics": [
+ "TA0003 - Persistence"
+ ],
+ "mitreAttackTechniques": [
+ "T1136 - Create Account"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider"
+}
\ No newline at end of file
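Review bot: The `securityImplications` of the new CreateOpenIDConnectProvider entry overstates what the call achieves on its own: an OIDC provider grants nothing until a role trust policy names its ARN as `Principal.Federated` for `sts:AssumeRoleWithWebIdentity`, so the backdoor is completed by the CreateRole/UpdateAssumeRolePolicy that follows and exercised by later AssumeRoleWithWebIdentity calls. Suggest `"securityImplications": "Attackers might use CreateOpenIDConnectProvider to register an IdP they control; it only becomes a persistent entry point once a role trust policy references the provider ARN, so correlate with subsequent CreateRole/UpdateAssumeRolePolicy and AssumeRoleWithWebIdentity events."`, which is also the correlation an `alerting` entry should describe. `T1136 - Create Account` is a stretch for adding an identity provider — `T1556 - Modify Authentication Process` or `T1098 - Account Manipulation` fit the action better (the CreateSAMLProvider entry in this commit has the same mapping and would change together). The file is also committed without a trailing newline.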
diff --git a/events/IAM/CreateSAMLProvider copy.json b/events/IAM/CreateSAMLProvider copy.json
new file mode 100644
index 0000000..4b98793
--- /dev/null
+++ b/events/IAM/CreateSAMLProvider copy.json
@@ -0,0 +1,29 @@
+{
+ "eventName": "CreateSAMLProvider",
+ "eventSource": "iam.amazonaws.com",
+ "awsService": "IAM",
+ "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.",
+ "mitreAttackTactics": [
+ "TA0003 - Persistence"
+ ],
+ "mitreAttackTechniques": [
+ "T1136 - Create Account"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "N/A"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider"
+}
\ No newline at end of file
diff --git a/events/IAM/CreateSAMLProvider.json b/events/IAM/CreateSAMLProvider.json
new file mode 100644
index 0000000..b65ae08
--- /dev/null
+++ b/events/IAM/CreateSAMLProvider.json
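Review bot: The file name `events/IAM/CreateSAMLProvider copy.json` is a duplicate-file artefact, and it is this file that actually holds the CreateSAMLProvider entry — the `events/IAM/CreateSAMLProvider.json` added immediately after it contains the StartSSO entry instead — so this one should carry the `CreateSAMLProvider.json` name; if the docs are built by globbing `events/`, the stray name will otherwise leak into the generated output. The simulation is `"N/A"` although `aws iam create-saml-provider --name TrailDiscoverProvider --saml-metadata-document file://metadata.xml` exercises it with any valid IdP metadata document. As with the OIDC entry, the provider is inert until a role trust policy references its ARN and the role is taken via AssumeRoleWithSAML, which is what `securityImplications` should say and what an `alerting` correlation should key on.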
@@ -0,0 +1,29 @@
+{
+ "eventName": "StartSSO",
+ "eventSource": "sso.amazonaws.com",
+ "awsService": "SSO",
+ "description": "Initialize AWS IAM Identity Center",
+ "mitreAttackTactics": [
+ "TA0003 - Persistence"
+ ],
+ "mitreAttackTechniques": [
+ "T1136 - Create Account"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers use StartSSO to establish persistent footholds.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "N/A"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO"
+}
\ No newline at end of file
diff --git a/events/Organizations/InviteAccountToOrganization copy.json b/events/Organizations/InviteAccountToOrganization copy.json
new file mode 100644
index 0000000..3e66a30
--- /dev/null
+++ b/events/Organizations/InviteAccountToOrganization copy.json
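Review bot: This file is named `events/IAM/CreateSAMLProvider.json` but its content is the StartSSO entry (`eventName` `StartSSO`, `eventSource` `sso.amazonaws.com`, `awsService` `SSO`, `permissions` pointing at `sso#sso-StartSSO`); it belongs at `events/SSO/StartSSO.json`, and the real CreateSAMLProvider entry is in the `… copy.json` file added just before it. The mis-named file is presumably why the generated `docs/events.json` in this commit places StartSSO between two IAM permissions-boundary entries. `securityImplications` could be more specific than "establish persistent footholds": StartSSO only initialises IAM Identity Center, so the access itself is granted by the follow-on `sso.amazonaws.com` CreatePermissionSet / CreateAccountAssignment calls and identity-store user creation, which are the events to correlate with a StartSSO seen in the management account.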
@@ -0,0 +1,29 @@
+{
+ "eventName": "CreateAccount",
+ "eventSource": "organizations.amazonaws.com",
+ "awsService": "Organizations",
+ "description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.",
+ "mitreAttackTactics": [
+ "TA0005 - Defense Evasion"
+ ],
+ "mitreAttackTechniques": [
+ "T1535 - Unused/Unsupported Cloud Regions"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\""
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount"
+}
\ No newline at end of file
diff --git a/events/Organizations/InviteAccountToOrganization.json b/events/Organizations/InviteAccountToOrganization.json
new file mode 100644
index 0000000..a1f1de2
--- /dev/null
+++ b/events/Organizations/InviteAccountToOrganization.json
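Review bot: The event in `events/Organizations/InviteAccountToOrganization copy.json` is `CreateAccount`, not `InviteAccountToOrganization`, so the file should be `events/Organizations/CreateAccount.json`; as committed, anything keyed on the file name will mislabel it and the ` copy` suffix suggests a stray editor duplicate. The technique `T1535 - Unused/Unsupported Cloud Regions` does not describe creating a member account; T1136.003 (Create Account: Cloud Account) or T1098 (Account Manipulation) match the `securityImplications` text better. The simulation command creates a real, billable member account that can only be closed afterwards, not deleted, so the entry should warn about that, for example by changing the implications text to `"Attackers might use CreateAccount to add a new account for defense evasion or resource hijacking. Note: the simulation creates a real member account that must be closed manually."` The `alerting` list is empty although the obvious detection is simple: any `CreateAccount` from a principal that is not the organization's provisioning automation (or outside a change window) deserves an alert, and that is worth recording here.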
@@ -0,0 +1,29 @@
+{
+ "eventName": "InviteAccountToOrganization",
+ "eventSource": "organizations.amazonaws.com",
+ "awsService": "Organizations",
+ "description": "Sends an invitation to another account to join your organization as a member account.",
+ "mitreAttackTactics": [
+ "TA0005 - Defense Evasion"
+ ],
+ "mitreAttackTechniques": [
+ "T1535 - Unused/Unsupported Cloud Regions"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization"
+}
\ No newline at end of file
diff --git a/events/Organizations/LeaveOrganization.json b/events/Organizations/LeaveOrganization.json
index c6c1766..801575f 100644
--- a/events/Organizations/LeaveOrganization.json
+++ b/events/Organizations/LeaveOrganization.json
@@ -7,10 +7,15 @@
 "TA0005 - Defense Evasion"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1070 - Indicator Removal"
 ],
 "usedInWild": false,
- "incidents": [],
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "An AWS account attempted to leave the AWS Organization",
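Review bot: `T1535 - Unused/Unsupported Cloud Regions` is the wrong technique for inviting an attacker-controlled account into the organization; the behavior described in `securityImplications` is closer to T1098 (Account Manipulation) or T1199 (Trusted Relationship), since the invited account gains organization trust (shared resources, cross-account roles, SCP scope) rather than hiding in a region. The `alerting` list is empty although the high-signal check is simple: `requestParameters.target` carries the invited email or account ID, and an invitation whose target is not in the expected account inventory should alert, which is worth recording here. The simulation command is fine, but the entry could note that a successful invitation is followed by `AcceptHandshake` from the invited account, which is the event that actually confirms the foothold and should be correlated with this one. Finally, `usedInWild` is set to `true` on the strength of a conference slide deck; if that field means "seen in a real intrusion", the deck belongs in `researchLinks` unless it describes a specific case.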
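Review bot: In the `LeaveOrganization` hunk, `usedInWild` stays `false` while a non-empty `incidents` list is added, which is inconsistent with the other files in this commit (`DeleteDBCluster`, `GetSessionToken`, `GetFederationToken`) where adding the same reference flips `usedInWild` to `true`. Either set `"usedInWild": true,` here or, if the slide deck is not considered an incident, move the entry to `researchLinks` and leave `incidents` empty; as committed, any generated "used in wild" column will disagree with the incident count. The technique change from `T1562 - Impair Defenses` to `T1070 - Indicator Removal` also seems debatable: leaving the organization removes SCP guardrails and centralized CloudTrail/GuardDuty coverage going forward, which is impairing defenses, whereas indicator removal is about destroying existing evidence, so keeping T1562 (or listing both) would be more accurate. The enclosing JSON object starts and ends outside this hunk.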
diff --git a/events/RDS/CreateDBSnapshot.json b/events/RDS/CreateDBSnapshot.json
index 6d746a0..4f29771 100644
--- a/events/RDS/CreateDBSnapshot.json
+++ b/events/RDS/CreateDBSnapshot.json
@@ -14,6 +14,10 @@
 {
 "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability",
 "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/RDS/DeleteDBCluster.json b/events/RDS/DeleteDBCluster.json
index 12d028e..50ff170 100644
--- a/events/RDS/DeleteDBCluster.json
+++ b/events/RDS/DeleteDBCluster.json
@@ -9,8 +9,13 @@
 "mitreAttackTechniques": [
 "T1485 - Data Destruction"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "Hunting AWS RDS security events with Sysdig",
diff --git a/events/RDS/DeleteDBInstance.json b/events/RDS/DeleteDBInstance.json
new file mode 100644
index 0000000..acc316a
--- /dev/null
+++ b/events/RDS/DeleteDBInstance.json
@@ -0,0 +1,29 @@
+{
+ "eventName": "DeleteDBInstance",
+ "eventSource": "rds.amazonaws.com",
+ "awsService": "RDS",
+ "description": "Deletes a previously provisioned DB instance.",
+ "mitreAttackTactics": [
+ "TA0040 - Impact"
+ ],
+ "mitreAttackTechniques": [
+ "T1485 - Data Destruction"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance"
+}
\ No newline at end of file
diff --git a/events/S3/DeleteBucket.json b/events/S3/DeleteBucket.json
new file mode 100644
index 0000000..05f46a8
--- /dev/null
+++ b/events/S3/DeleteBucket.json
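Review bot: The simulation command `aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB` will, as far as I can tell, be rejected by the API as written: DeleteDBInstance defaults `SkipFinalSnapshot` to false, and in that case `FinalDBSnapshotIdentifier` is required, so the call needs either `--final-db-snapshot-identifier` or `--skip-final-snapshot`. The realistic destructive variant is `aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB --skip-final-snapshot`, and `requestParameters.skipFinalSnapshot: true` in the CloudTrail record is exactly the attribute a detection should key on, so it belongs in the empty `alerting` list rather than being left implicit. It would also help to note in `securityImplications` that the call fails on instances with deletion protection enabled, so an attacker typically precedes it with a `ModifyDBInstance` that turns `DeletionProtection` off, a pairing worth surfacing in the dashboard query this commit extends.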
@@ -0,0 +1,29 @@
+{
+ "eventName": "DeleteBucket",
+ "eventSource": "s3.amazonaws.com",
+ "awsService": "S3",
+ "description": "Deletes the S3 bucket.",
+ "mitreAttackTactics": [
+ "TA0040 - Impact"
+ ],
+ "mitreAttackTechniques": [
+ "T1485 - Data Destruction"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DeleteBucket to delete resources.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket"
+}
\ No newline at end of file
diff --git a/events/S3/DeleteObject.json b/events/S3/DeleteObject.json
index 6407c53..b21cd12 100644
--- a/events/S3/DeleteObject.json
+++ b/events/S3/DeleteObject.json
@@ -26,6 +26,10 @@
 {
 "description": "Hacker Puts Hosting Service Code Spaces Out of Business",
 "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/S3/PutBucketLifecycle.json b/events/S3/PutBucketLifecycle.json
index 4e463d3..e6a1faa 100644
--- a/events/S3/PutBucketLifecycle.json
+++ b/events/S3/PutBucketLifecycle.json
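Review bot: The `securityImplications` text `Attackers might use DeleteBucket to delete resources.` is too vague to guide a responder: DeleteBucket only succeeds on an empty bucket (a non-empty one returns `BucketNotEmpty`), so in practice it is the final step after bulk `DeleteObject`/`DeleteObjects` calls or a lifecycle expiration rule, and the text should say so, e.g. `"Attackers use DeleteBucket as the last step of data destruction after emptying the bucket (DeleteObject/DeleteObjects or PutBucketLifecycle); deleting the bucket also discards its policy, logging and versioning configuration and releases the globally unique name, which a third party can then re-register."` The simulation `aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1` assumes an empty bucket for the same reason; `aws s3 rb s3://my-traildiscover-bucket --force` reproduces the attacker sequence (mass DeleteObject followed by DeleteBucket) in one command and is the more faithful test of the dashboard query this commit updates. The empty `alerting` list could at least record that correlation: a `DeleteBucket` preceded within minutes by a burst of `DeleteObject` events from the same principal is the pattern worth alerting on.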
@@ -14,6 +14,10 @@
 {
 "description": "USA VS Nickolas Sharp",
 "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/SecurityTokenService/GetFederationToken.json b/events/SecurityTokenService/GetFederationToken.json
index 71e9102..f1b958d 100644
--- a/events/SecurityTokenService/GetFederationToken.json
+++ b/events/SecurityTokenService/GetFederationToken.json
@@ -9,11 +9,15 @@
 "mitreAttackTechniques": [
 "T1078 - Valid Accounts"
 ],
- "usedInWild": false,
+ "usedInWild": true,
 "incidents": [
 {
 "description": "How Adversaries Can Persist with AWS User Federation",
 "link": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"
+ },
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/SecurityTokenService/GetSessionToken.json b/events/SecurityTokenService/GetSessionToken.json
index df7a230..7202dcc 100644
--- a/events/SecurityTokenService/GetSessionToken.json
+++ b/events/SecurityTokenService/GetSessionToken.json
@@ -9,8 +9,13 @@
 "mitreAttackTechniques": [
 "T1199 - Trusted Relationship"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "New tactics and techniques for proactive threat detection",
+ "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "AWS STS GetSessionToken Abuse",