diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
index 715eecd..97b4456 100644
--- a/docs/datadog_dashboard.json
+++ b/docs/datadog_dashboard.json
@@ -211,7 +211,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(UpdateFunctionCode20150331v2 OR UpdateDistribution2020_05_31 OR PublishFunction2020_05_31 OR CreateFunction2020_05_31 OR CreateInstanceExportTask OR CreateTrafficMirrorTarget OR CreateTrafficMirrorSession OR CreateRoute OR CreateTrafficMirrorFilter OR CreateTrafficMirrorFilterRule) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(UpdateFunctionCode20150331v2 OR UpdateDistribution OR PublishFunction OR CreateFunction OR CreateInstanceExportTask OR CreateTrafficMirrorTarget OR CreateTrafficMirrorSession OR CreateRoute OR CreateTrafficMirrorFilter OR CreateTrafficMirrorFilterRule) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -361,7 +361,7 @@
 }
 },
 {
- "id": 2141339723,
+ "id": 2995857962,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -370,7 +370,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 1174854483,
+ "id": 3170365388,
 "definition": {
 "type": "note",
 "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n",
@@ -389,7 +389,7 @@
 }
 },
 {
- "id": 3379511035,
+ "id": 134397489,
 "definition": {
 "title": "AssumeRoleWithWebIdentity",
 "title_size": "16",
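Review bot: The rewritten query in the `@@ -211,7 +211,7 @@` hunk drops the API-version suffix from the three CloudFront names (`UpdateDistribution`, `PublishFunction`, `CreateFunction`) while keeping it on the Lambda name `UpdateFunctionCode20150331v2` in the same list, and a mismatch here fails silently: the widget simply stops matching those events instead of erroring. The dashboard's own note widgets show CloudTrail eventNames for versioned APIs carrying the suffix (`CreateFunction20150331`, `UpdateFunctionCode20150331v2`), so the trimmed CloudFront names should be confirmed against real CloudTrail records before this is merged. If both forms occur in practice, a wildcard such as `@evt.name:(... OR UpdateDistribution* OR PublishFunction* OR CreateFunction* ...)` covers both, with the caveat that `CreateFunction*` would then also pick up the Lambda `CreateFunction20150331` events tracked by a separate widget. The remaining hunks in this file only renumber widget ids and need no review.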
@@ -431,7 +431,7 @@
 }
 },
 {
- "id": 2233108726,
+ "id": 2636314380,
 "definition": {
 "type": "note",
 "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n",
@@ -450,7 +450,7 @@
 }
 },
 {
- "id": 2389620517,
+ "id": 1847169016,
 "definition": {
 "title": "GetSessionToken",
 "title_size": "16",
@@ -492,7 +492,7 @@
 }
 },
 {
- "id": 2145879909,
+ "id": 3029305066,
 "definition": {
 "type": "note",
 "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
@@ -511,7 +511,7 @@
 }
 },
 {
- "id": 154908052,
+ "id": 2240159702,
 "definition": {
 "title": "AssumeRole",
 "title_size": "16",
@@ -553,7 +553,7 @@
 }
 },
 {
- "id": 2442928629,
+ "id": 2961285858,
 "definition": {
 "type": "note",
 "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n",
@@ -572,7 +572,7 @@
 }
 },
 {
- "id": 2599440420,
+ "id": 2172140494,
 "definition": {
 "title": "AssumeRoleWithSAML",
 "title_size": "16",
@@ -614,7 +614,7 @@
 }
 },
 {
- "id": 1888615060,
+ "id": 288443579,
 "definition": {
 "type": "note",
 "content": "### [PasswordRecoveryRequested ](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested )\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n",
@@ -633,7 +633,7 @@
 }
 },
 {
- "id": 4192610499,
+ "id": 3794265511,
 "definition": {
 "title": "PasswordRecoveryRequested ",
 "title_size": "16",
@@ -675,7 +675,7 @@
 }
 },
 {
- "id": 1652287159,
+ "id": 3787290068,
 "definition": {
 "type": "note",
 "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n",
@@ -694,7 +694,7 @@
 }
 },
 {
- "id": 3956282598,
+ "id": 2998144704,
 "definition": {
 "title": "ConsoleLogin",
 "title_size": "16",
@@ -745,7 +745,7 @@
 }
 },
 {
- "id": 879268648,
+ "id": 265077198,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -754,7 +754,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 2308245272,
+ "id": 2720678546,
 "definition": {
 "type": "note",
 "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n",
@@ -773,7 +773,7 @@
 }
 },
 {
- "id": 2464757063,
+ "id": 1931533182,
 "definition": {
 "title": "SendCommand",
 "title_size": "16",
@@ -815,7 +815,7 @@
 }
 },
 {
- "id": 3094886807,
+ "id": 2199661814,
 "definition": {
 "type": "note",
 "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n",
@@ -834,7 +834,7 @@
 }
 },
 {
- "id": 3251398598,
+ "id": 1410516450,
 "definition": {
 "title": "StartSession",
 "title_size": "16",
@@ -885,7 +885,7 @@
 }
 },
 {
- "id": 3005002362,
+ "id": 1721291352,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -894,7 +894,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 3710425276,
+ "id": 1561827457,
 "definition": {
 "type": "note",
 "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n",
@@ -913,7 +913,7 @@
 }
 },
 {
- "id": 3866937067,
+ "id": 772682093,
 "definition": {
 "title": "GetFederationToken",
 "title_size": "16",
@@ -955,7 +955,7 @@
 }
 },
 {
- "id": 2311523120,
+ "id": 200708827,
 "definition": {
 "type": "note",
 "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
@@ -974,7 +974,7 @@
 }
 },
 {
- "id": 2468034911,
+ "id": 3706530759,
 "definition": {
 "title": "AssumeRole",
 "title_size": "16",
@@ -1016,7 +1016,7 @@
 }
 },
 {
- "id": 3497733716,
+ "id": 1902361352,
 "definition": {
 "type": "note",
 "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
@@ -1035,7 +1035,7 @@
 }
 },
 {
- "id": 1506761859,
+ "id": 1113215988,
 "definition": {
 "title": "CreateFunction20150331",
 "title_size": "16",
@@ -1077,7 +1077,7 @@
 }
 },
 {
- "id": 2099494439,
+ "id": 2402025279,
 "definition": {
 "type": "note",
 "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n",
@@ -1096,7 +1096,7 @@
 }
 },
 {
- "id": 108522582,
+ "id": 1612879915,
 "definition": {
 "title": "UpdateFunctionConfiguration20150331v2",
 "title_size": "16",
@@ -1138,7 +1138,7 @@
 }
 },
 {
- "id": 694456312,
+ "id": 3084112206,
 "definition": {
 "type": "note",
 "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
@@ -1157,7 +1157,7 @@
 }
 },
 {
- "id": 850968103,
+ "id": 2294966842,
 "definition": {
 "title": "UpdateFunctionCode20150331v2",
 "title_size": "16",
@@ -1199,7 +1199,7 @@
 }
 },
 {
- "id": 2213383128,
+ "id": 1651887605,
 "definition": {
 "type": "note",
 "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n",
@@ -1218,7 +1218,7 @@
 }
 },
 {
- "id": 2369894919,
+ "id": 862742241,
 "definition": {
 "title": "PutTargets",
 "title_size": "16",
@@ -1260,7 +1260,7 @@
 }
 },
 {
- "id": 4221290604,
+ "id": 1375355231,
 "definition": {
 "type": "note",
 "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -1279,7 +1279,7 @@
 }
 },
 {
- "id": 2230318747,
+ "id": 486870980,
 "definition": {
 "title": "PutRule",
 "title_size": "16",
@@ -1321,7 +1321,7 @@
 }
 },
 {
- "id": 3019426784,
+ "id": 887849324,
 "definition": {
 "type": "note",
 "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
@@ -1340,7 +1340,7 @@
 }
 },
 {
- "id": 3175938575,
+ "id": 98703960,
 "definition": {
 "title": "UpdateLoginProfile",
 "title_size": "16",
@@ -1382,7 +1382,7 @@
 }
 },
 {
- "id": 1808117017,
+ "id": 3798054123,
 "definition": {
 "type": "note",
 "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n",
@@ -1401,7 +1401,7 @@
 }
 },
 {
- "id": 1964628808,
+ "id": 3008908759,
 "definition": {
 "title": "UpdateAccessKey",
 "title_size": "16",
@@ -1443,7 +1443,7 @@
 }
 },
 {
- "id": 3326358048,
+ "id": 1380036442,
 "definition": {
 "type": "note",
 "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
@@ -1462,7 +1462,7 @@
 }
 },
 {
- "id": 1335386191,
+ "id": 2639035839,
 "definition": {
 "title": "UpdateAssumeRolePolicy",
 "title_size": "16",
@@ -1504,7 +1504,7 @@
 }
 },
 {
- "id": 1591543169,
+ "id": 3793298687,
 "definition": {
 "type": "note",
 "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
@@ -1523,7 +1523,7 @@
 }
 },
 {
- "id": 3895538608,
+ "id": 3004153323,
 "definition": {
 "title": "CreateAccessKey",
 "title_size": "16",
@@ -1565,7 +1565,7 @@
 }
 },
 {
- "id": 3299807536,
+ "id": 3861065711,
 "definition": {
 "type": "note",
 "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
@@ -1584,7 +1584,7 @@
 }
 },
 {
- "id": 3456319327,
+ "id": 3071920347,
 "definition": {
 "title": "AttachUserPolicy",
 "title_size": "16",
@@ -1626,7 +1626,7 @@
 }
 },
 {
- "id": 350451985,
+ "id": 2197154215,
 "definition": {
 "type": "note",
 "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
@@ -1645,7 +1645,7 @@
 }
 },
 {
- "id": 506963776,
+ "id": 3456153612,
 "definition": {
 "title": "PutUserPolicy",
 "title_size": "16",
@@ -1687,7 +1687,7 @@
 }
 },
 {
- "id": 371285658,
+ "id": 3696690957,
 "definition": {
 "type": "note",
 "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n",
@@ -1706,7 +1706,7 @@
 }
 },
 {
- "id": 2675281097,
+ "id": 2907545593,
 "definition": {
 "title": "ChangePassword",
 "title_size": "16",
@@ -1748,7 +1748,7 @@
 }
 },
 {
- "id": 2225654716,
+ "id": 2750216848,
 "definition": {
 "type": "note",
 "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
@@ -1767,7 +1767,7 @@
 }
 },
 {
- "id": 234682859,
+ "id": 1961071484,
 "definition": {
 "title": "CreateLoginProfile",
 "title_size": "16",
@@ -1809,7 +1809,7 @@
 }
 },
 {
- "id": 3038170648,
+ "id": 2028969769,
 "definition": {
 "type": "note",
 "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -1828,7 +1828,7 @@
 }
 },
 {
- "id": 3194682439,
+ "id": 1239824405,
 "definition": {
 "title": "CreateUser",
 "title_size": "16",
@@ -1870,7 +1870,7 @@
 }
 },
 {
- "id": 180822988,
+ "id": 3971411273,
 "definition": {
 "type": "note",
 "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -1889,7 +1889,7 @@
 }
 },
 {
- "id": 2484818427,
+ "id": 3182265909,
 "definition": {
 "title": "CreateRole",
 "title_size": "16",
@@ -1931,7 +1931,7 @@
 }
 },
 {
- "id": 266484968,
+ "id": 1856358479,
 "definition": {
 "type": "note",
 "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
@@ -1950,7 +1950,7 @@
 }
 },
 {
- "id": 2570480407,
+ "id": 1067213115,
 "definition": {
 "title": "UpdateGraphqlApi",
 "title_size": "16",
@@ -1992,7 +1992,7 @@
 }
 },
 {
- "id": 2837662734,
+ "id": 2219814497,
 "definition": {
 "type": "note",
 "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
@@ -2011,7 +2011,7 @@
 }
 },
 {
- "id": 846690877,
+ "id": 3578152781,
 "definition": {
 "title": "CreateApiKey",
 "title_size": "16",
@@ -2053,7 +2053,7 @@
 }
 },
 {
- "id": 3412607195,
+ "id": 4125461547,
 "definition": {
 "type": "note",
 "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
@@ -2072,7 +2072,7 @@
 }
 },
 {
- "id": 3569118986,
+ "id": 3336316183,
 "definition": {
 "title": "UpdateResolver",
 "title_size": "16",
@@ -2114,7 +2114,7 @@
 }
 },
 {
- "id": 956051389,
+ "id": 1870666782,
 "definition": {
 "type": "note",
 "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n",
@@ -2133,7 +2133,7 @@
 }
 },
 {
- "id": 3260046828,
+ "id": 1081521418,
 "definition": {
 "title": "StartInstances",
 "title_size": "16",
@@ -2175,7 +2175,7 @@
 }
 },
 {
- "id": 2968666965,
+ "id": 1353720097,
 "definition": {
 "type": "note",
 "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
@@ -2194,7 +2194,7 @@
 }
 },
 {
- "id": 3125178756,
+ "id": 564574733,
 "definition": {
 "title": "CreateSecurityGroup",
 "title_size": "16",
@@ -2236,7 +2236,7 @@
 }
 },
 {
- "id": 143092158,
+ "id": 3870362518,
 "definition": {
 "type": "note",
 "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -2255,7 +2255,7 @@ } }, { - "id": 2447087597, + "id": 933733506, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -2297,7 +2297,7 @@ } }, { - "id": 454489154, + "id": 1796502273, "definition": { "type": "note", "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -2316,7 +2316,7 @@ } }, { - "id": 611000945, + "id": 3154840557, "definition": { "title": "CreateNetworkAclEntry", "title_size": "16", @@ -2358,7 +2358,7 @@ } }, { - "id": 3527701278, + "id": 574749666, "definition": { "type": "note", "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", 
@@ -2377,7 +2377,7 @@ } }, { - "id": 1536729421, + "id": 4080571598, "definition": { "title": "CreateKeyPair", "title_size": "16", @@ -2419,7 +2419,7 @@ } }, { - "id": 804666286, + "id": 2916272635, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -2438,7 +2438,7 @@ } }, { - "id": 961178077, + "id": 4175272032, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -2480,7 +2480,7 @@ } }, { - "id": 1399123691, + "id": 1831361688, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2499,7 +2499,7 @@ } }, { - "id": 3703119130, + "id": 1042216324, "definition": { "title": "RunInstances", "title_size": "16", @@ -2541,7 +2541,7 @@ } }, { - "id": 2635967316, + "id": 2002341096, "definition": { "type": "note", "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", @@ -2560,7 +2560,7 @@ } }, { - "id": 644995459, + "id": 3360679380, "definition": { "title": "ImportKeyPair", "title_size": "16", 
@@ -2611,7 +2611,7 @@ } }, { - "id": 1844632318, + "id": 1500394835, "definition": { "type": "group", "layout_type": "ordered", @@ -2620,7 +2620,7 @@ "show_title": true, "widgets": [ { - "id": 3488528428, + "id": 607854651, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -2639,7 +2639,7 @@ } }, { - "id": 3645040219, + "id": 4113676583, "definition": { "title": "AssumeRole", "title_size": "16", @@ -2681,7 +2681,7 @@ } }, { - "id": 1844171121, + "id": 1880742031, "definition": { "type": "note", "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2700,7 +2700,7 @@ } }, { - "id": 4148166560, + "id": 1091596667, "definition": { "title": "GetCredentialsForIdentity", "title_size": "16", 
@@ -2742,7 +2742,7 @@ } }, { - "id": 3415988813, + "id": 754172105, "definition": { "type": "note", "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2761,7 +2761,7 @@ } }, { - "id": 1425016956, + "id": 4259994037, "definition": { "title": "GetId", "title_size": "16", @@ -2803,7 +2803,7 @@ } }, { - "id": 1622595639, + "id": 3114828026, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2822,7 +2822,7 @@ } }, { - "id": 3926591078, + "id": 2325682662, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -2864,7 +2864,7 @@ } }, { - "id": 3162111652, + "id": 584425734, "definition": { "type": "note", "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2883,7 +2883,7 @@ } }, { - "id": 3318623443, + "id": 4090247666, "definition": { "title": "CreateEventSourceMapping20150331", "title_size": "16", @@ -2925,7 +2925,7 @@ } }, { - "id": 647639410, + "id": 83051274, "definition": { "type": "note", "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2944,7 +2944,7 @@ } }, { - "id": 804151201, + "id": 3588873206, "definition": { "title": "AddPermission20150331v2", "title_size": "16", @@ -2986,7 +2986,7 @@ } }, { - "id": 2342850482, + "id": 3155031076, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3005,7 +3005,7 @@ } }, { - "id": 2499362273, + "id": 2365885712, "definition": { "title": "Invoke", "title_size": "16", 
@@ -3047,7 +3047,7 @@ } }, { - "id": 2553496801, + "id": 2851501113, "definition": { "type": "note", "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -3066,7 +3066,7 @@ } }, { - "id": 562524944, + "id": 2062355749, "definition": { "title": "UpdateEventSourceMapping20150331", "title_size": "16", @@ -3108,7 +3108,7 @@ } }, { - "id": 2535891071, + "id": 3430616216, "definition": { "type": "note", "content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3127,7 +3127,7 @@ } }, { - "id": 2692402862, + "id": 2641470852, "definition": { "title": "DeleteRolePolicy", "title_size": "16", @@ -3169,7 +3169,7 @@ } }, { - "id": 3918942324, + "id": 4133078630, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -3188,7 +3188,7 @@ } }, { - "id": 4075454115, + "id": 1097110731, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -3230,7 +3230,7 @@ } }, { - "id": 1997227570, + "id": 4148460759, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3249,7 +3249,7 @@ } }, { - "id": 2153739361, + "id": 3359315395, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -3291,7 +3291,7 @@ } }, { - "id": 1909541815, + "id": 120532444, "definition": { "type": "note", "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3310,7 +3310,7 @@ } }, { - "id": 2066053606, + "id": 3626354376, "definition": { "title": "AddUserToGroup", "title_size": "16", 
@@ -3352,7 +3352,7 @@ } }, { - "id": 208396060, + "id": 345680581, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3371,7 +3371,7 @@ } }, { - "id": 2512391499, + "id": 3851502513, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -3413,7 +3413,7 @@ } }, { - "id": 1474003692, + "id": 2858281713, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3432,7 +3432,7 @@ } }, { - "id": 1630515483, + "id": 4216619997, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -3474,7 +3474,7 @@ } }, { - "id": 3879944985, + "id": 840293093, "definition": { "type": "note", "content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3493,7 +3493,7 @@ } }, { - "id": 4036456776, + "id": 2198631377, "definition": { "title": "CreatePolicyVersion", "title_size": "16", @@ -3535,7 +3535,7 @@ } }, { - "id": 2762190669, + "id": 352713810, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3554,7 +3554,7 @@ } }, { - "id": 2918702460, + "id": 3858535742, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -3596,7 +3596,7 @@ } }, { - "id": 313755909, + "id": 3616556052, "definition": { "type": "note", "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3615,7 +3615,7 @@ } }, { - "id": 2617751348, + "id": 580588153, "definition": { "title": "PutRolePermissionsBoundary", "title_size": "16", 
@@ -3657,7 +3657,7 @@ } }, { - "id": 201720349, + "id": 3420848809, "definition": { "type": "note", "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3676,7 +3676,7 @@ } }, { - "id": 358232140, + "id": 2631703445, "definition": { "title": "PutUserPermissionsBoundary", "title_size": "16", @@ -3718,7 +3718,7 @@ } }, { - "id": 1657558453, + "id": 70384524, "definition": { "type": "note", "content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3737,7 +3737,7 @@ } }, { - "id": 3961553892, + "id": 3576206456, "definition": { "title": "DeleteUserPermissionsBoundary", "title_size": "16", @@ -3779,7 +3779,7 @@ } }, { - "id": 1288296616, + "id": 1808771549, "definition": { "type": "note", "content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3798,7 +3798,7 @@ } }, { - "id": 1444808407, + "id": 1019626185, "definition": { "title": "AttachRolePolicy", "title_size": "16", 
@@ -3840,7 +3840,7 @@ } }, { - "id": 792047756, + "id": 3360733816, "definition": { "type": "note", "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3859,7 +3859,7 @@ } }, { - "id": 3096043195, + "id": 2571588452, "definition": { "title": "SetDefaultPolicyVersion", "title_size": "16", @@ -3901,7 +3901,7 @@ } }, { - "id": 2277608322, + "id": 778565089, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3920,7 +3920,7 @@ } }, { - "id": 2434120113, + "id": 4284387021, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -3962,7 +3962,7 @@ } }, { - "id": 1221316311, + "id": 2553358485, "definition": { "type": "note", "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", @@ -3981,7 +3981,7 @@ } }, { - "id": 1377828102, + "id": 1764213121, "definition": { "title": "CreateGroup", "title_size": "16", @@ -4023,7 +4023,7 @@ } }, { - "id": 1527457293, + "id": 2504961152, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4042,7 +4042,7 @@ } }, { - "id": 1683969084, + "id": 3863299436, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -4084,7 +4084,7 @@ } }, { - "id": 3547457363, + "id": 2594188683, "definition": { "type": "note", "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4103,7 +4103,7 @@ } }, { - "id": 1556485506, + "id": 1805043319, "definition": { "title": "DeleteRolePermissionsBoundary", "title_size": "16", @@ -4145,7 +4145,7 @@ } }, { - "id": 3739080863, + "id": 3701189806, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4164,7 +4164,7 @@ } }, { - "id": 1748109006, + "id": 665221907, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4206,7 +4206,7 @@ } }, { - "id": 3644053740, + "id": 1103414270, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -4225,7 +4225,7 @@ } }, { - "id": 1653081883, + "id": 314268906, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -4267,7 +4267,7 @@ } }, { - "id": 4156260000, + "id": 3157362672, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -4286,7 +4286,7 @@ } }, { - "id": 17804495, + "id": 2368217308, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -4328,7 +4328,7 @@ } }, { - "id": 2908586121, + "id": 305817725, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4347,7 +4347,7 @@ } }, { - "id": 3065097912, + "id": 1664156009, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -4389,7 +4389,7 @@ } }, { - "id": 3138535945, + "id": 510855432, "definition": { "type": "note", "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4408,7 +4408,7 @@ } }, { - "id": 1147564088, + "id": 4016677364, "definition": { "title": "PutRolePolicy", "title_size": "16", @@ -4450,7 +4450,7 @@ } }, { - "id": 794090617, + "id": 2796974140, "definition": { "type": "note", "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", @@ -4469,7 +4469,7 @@ } }, { - "id": 3098086056, + "id": 2007828776, "definition": { "title": "AddRoleToInstanceProfile", "title_size": "16", 
@@ -4511,7 +4511,7 @@ } }, { - "id": 4189091901, + "id": 2991560398, "definition": { "type": "note", "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4530,7 +4530,7 @@ } }, { - "id": 50636396, + "id": 2202415034, "definition": { "title": "AttachGroupPolicy", "title_size": "16", @@ -4572,7 +4572,7 @@ } }, { - "id": 3140780027, + "id": 2981067370, "definition": { "type": "note", "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4591,7 +4591,7 @@ } }, { - "id": 1149808170, + "id": 2191922006, "definition": { "title": "AssociateAccessPolicy", "title_size": "16", @@ -4633,7 +4633,7 @@ } }, { - "id": 2955904829, + "id": 1851155128, "definition": { "type": "note", "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4652,7 +4652,7 @@ } }, { - "id": 964932972, + "id": 1062009764, "definition": { "title": "CreateAccessEntry", "title_size": "16", 
@@ -4694,7 +4694,7 @@ } }, { - "id": 3340671533, + "id": 4171005838, "definition": { "type": "note", "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n", @@ -4713,7 +4713,7 @@ } }, { - "id": 1250360789, + "id": 1234376826, "definition": { "title": "ModifyInstanceAttribute", "title_size": "16", @@ -4755,7 +4755,7 @@ } }, { - "id": 3139643323, + "id": 3209010554, "definition": { "type": "note", "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -4774,7 +4774,7 @@ } }, { - "id": 1148671466, + "id": 2419865190, "definition": { "title": "ReplaceIamInstanceProfileAssociation", "title_size": "16", 
@@ -4816,7 +4816,7 @@ } }, { - "id": 2212912444, + "id": 157370830, "definition": { "type": "note", "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4835,7 +4835,7 @@ } }, { - "id": 2369424235, + "id": 3663192762, "definition": { "title": "CreateDevEndpoint", "title_size": "16", @@ -4877,7 +4877,7 @@ } }, { - "id": 233262928, + "id": 1074746368, "definition": { "type": "note", "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4896,7 +4896,7 @@ } }, { - "id": 290435832, + "id": 285601004, "definition": { "title": "UpdateJob", "title_size": "16", @@ -4938,7 +4938,7 @@ } }, { - "id": 3977544577, + "id": 1396338317, "definition": { "type": "note", "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4957,7 +4957,7 @@ } }, { - "id": 1986572720, + "id": 2754676601, "definition": { "title": "CreateJob", "title_size": "16", @@ -4999,7 +4999,7 @@ } }, { - "id": 2776936441, + "id": 74720711, "definition": { "type": "note", "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -5018,7 +5018,7 @@ } }, { - "id": 785964584, + "id": 1333720108, "definition": { "title": "UpdateDevEndpoint", "title_size": "16", @@ -5069,7 +5069,7 @@ } }, { - "id": 2164952282, + "id": 3225986775, "definition": { "type": "group", "layout_type": "ordered", @@ -5078,7 +5078,7 @@ "show_title": true, "widgets": [ { - "id": 3047848621, + "id": 2131206456, "definition": { "type": "note", "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", @@ -5097,7 +5097,7 @@ } }, { - "id": 3204360412, + "id": 1342061092, "definition": { "title": "LeaveOrganization", "title_size": "16", @@ -5139,7 +5139,7 @@ } }, { - "id": 10241788, + "id": 396559185, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5158,7 +5158,7 @@ } }, { - "id": 2314237227, + "id": 3902381117, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5200,7 +5200,7 @@ } }, { - "id": 845178458, + "id": 83129756, "definition": { "type": "note", "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n", 
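Review bot: The LeaveOrganization note in the `@@ -5078` hunk links to `hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`, a malformed scheme that is carried over unchanged on the new side, so the link is dead when the note renders. The commit regenerates the widget id around it but does not touch the URL; change it to `https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`. These notes appear to be exported from an upstream event catalogue, so the typo is presumably in that source as well and should be fixed there rather than only in the generated JSON.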
@@ -5219,7 +5219,7 @@ } }, { - "id": 3149173897, + "id": 1342129153, "definition": { "title": "DeleteAlarms", "title_size": "16", @@ -5261,7 +5261,7 @@ } }, { - "id": 3574602046, + "id": 2169912576, "definition": { "type": "note", "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5280,7 +5280,7 @@ } }, { - "id": 3731113837, + "id": 3428911973, "definition": { "title": "DeleteLogGroup", "title_size": "16", @@ -5322,7 +5322,7 @@ } }, { - "id": 596753777, + "id": 1812837798, "definition": { "type": "note", "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5341,7 +5341,7 @@ } }, { - "id": 2900749216, + "id": 1023692434, "definition": { "title": "DeleteLogStream", "title_size": "16", 
@@ -5383,7 +5383,7 @@ } }, { - "id": 10241788, + "id": 396559185, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5402,7 +5402,7 @@ } }, { - "id": 2314237227, + "id": 3902381117, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5444,7 +5444,7 @@ } }, { - "id": 172107312, + "id": 661973194, "definition": { "type": "note", "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5463,7 +5463,7 @@ } }, { - "id": 328619103, + "id": 1920972591, "definition": { "title": "CreateLogStream", "title_size": "16", @@ -5505,7 +5505,7 @@ } }, { - "id": 681721024, + "id": 3935142640, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -5524,7 +5524,7 @@ } }, { - "id": 2985716463, + "id": 899174741, "definition": { "title": "DeleteRule", "title_size": "16", 
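Review bot: The PutLogEvents note in the `@@ -5383` hunk is assigned the new id `396559185`, the same value given to the PutLogEvents note at `@@ -5139` earlier in this group, and its companion query widget at `@@ -5402` likewise receives `3902381117`, duplicating `@@ -5158`. The old ids collided the same way (`10241788` and `2314237227`), which suggests the id is derived from widget content rather than position, and that the same PutLogEvents widget pair is emitted twice in this group. Duplicate widget ids inside one dashboard payload may be rejected or silently renumbered on import, and the duplicated query widget would double-count the event either way; drop the second PutLogEvents pair, or mix the widget's index into the id so every id in the export is unique.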
@@ -5566,7 +5566,7 @@ } }, { - "id": 1259734126, + "id": 1974371732, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -5585,7 +5585,7 @@ } }, { - "id": 3563729565, + "id": 1185226368, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -5627,7 +5627,7 @@ } }, { - "id": 1157352879, + "id": 3552050575, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -5646,7 +5646,7 @@ } }, { - "id": 1313864670, + "id": 2762905211, "definition": { "title": "DisableRule", "title_size": "16", @@ -5688,7 +5688,7 @@ } }, { - "id": 2149453747, + "id": 1544463696, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -5707,7 +5707,7 @@ } }, { - "id": 158481890, + "id": 755318332, "definition": { "title": "PutRule", "title_size": "16", 
@@ -5749,7 +5749,7 @@ } }, { - "id": 1004703433, + "id": 3591533190, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -5768,7 +5768,7 @@ } }, { - "id": 3308698872, + "id": 2802387826, "definition": { "title": "CreateInstances", "title_size": "16", @@ -5810,7 +5810,7 @@ } }, { - "id": 795080243, + "id": 4211845879, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -5829,7 +5829,7 @@ } }, { - "id": 3099075682, + "id": 1175877980, "definition": { "title": "DeleteMembers", "title_size": "16", @@ -5871,7 +5871,7 @@ } }, { - "id": 670100159, + "id": 942236773, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5890,7 +5890,7 @@ } }, { - "id": 2974095598, + "id": 153091409, "definition": { "title": "DetachRolePolicy", "title_size": "16", 
@@ -5932,7 +5932,7 @@ } }, { - "id": 1712553026, + "id": 2361498986, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5951,7 +5951,7 @@ } }, { - "id": 1869064817, + "id": 1572353622, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -5993,7 +5993,7 @@ } }, { - "id": 2658326291, + "id": 264496418, "definition": { "type": "note", "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6012,7 +6012,7 @@ } }, { - "id": 2814838082, + "id": 3770318350, "definition": { "title": "DeleteAccessKey", "title_size": "16", 
@@ -6054,7 +6054,7 @@ } }, { - "id": 1896958096, + "id": 301001836, "definition": { "type": "note", "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6073,7 +6073,7 @@ } }, { - "id": 2053469887, + "id": 3806823768, "definition": { "title": "DeleteUser", "title_size": "16", @@ -6115,7 +6115,7 @@ } }, { - "id": 465064806, + "id": 1020058116, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6134,7 +6134,7 @@ } }, { - "id": 2769060245, + "id": 230912752, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -6176,7 +6176,7 @@ } }, { - "id": 3361849170, + "id": 926252588, "definition": { "type": "note", "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", 
@@ -6195,7 +6195,7 @@ } }, { - "id": 1370877313, + "id": 137107224, "definition": { "title": "DeleteLoginProfile", "title_size": "16", @@ -6237,7 +6237,7 @@ } }, { - "id": 2716036546, + "id": 123589438, "definition": { "type": "note", "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", @@ -6256,7 +6256,7 @@ } }, { - "id": 2872548337, + "id": 3629411370, "definition": { "title": "DeactivateMFADevice", "title_size": "16", @@ -6298,7 +6298,7 @@ } }, { - "id": 476741614, + "id": 1113244236, "definition": { "type": "note", "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -6317,7 +6317,7 @@ } }, { - "id": 2780737053, + "id": 2372243633, "definition": { "title": "CreateRule", "title_size": "16", 
@@ -6359,7 +6359,7 @@ } }, { - "id": 149048599, + "id": 6245053, "definition": { "type": "note", "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -6378,7 +6378,7 @@ } }, { - "id": 2453044038, + "id": 3512066985, "definition": { "title": "StopLogging", "title_size": "16", @@ -6420,7 +6420,7 @@ } }, { - "id": 2696229837, + "id": 64986259, "definition": { "type": "note", "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6439,7 +6439,7 @@ } }, { - "id": 705257980, + "id": 3570808191, "definition": { "title": "UpdateTrail", "title_size": "16", 
@@ -6481,7 +6481,7 @@ } }, { - "id": 2688659942, + "id": 4143905885, "definition": { "type": "note", "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6500,7 +6500,7 @@ } }, { - "id": 2845171733, + "id": 3255421634, "definition": { "title": "DeleteTrail", "title_size": "16", @@ -6542,7 +6542,7 @@ } }, { - "id": 3957406942, + "id": 398947103, "definition": { "type": "note", "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -6561,7 +6561,7 @@ } }, { - "id": 4113918733, + "id": 3904769035, "definition": { "title": "PutEventSelectors", "title_size": "16", 
@@ -6603,7 +6603,7 @@ } }, { - "id": 1246791496, + "id": 1271866968, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6622,7 +6622,7 @@ } }, { - "id": 3550786935, + "id": 482721604, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", @@ -6664,7 +6664,7 @@ } }, { - "id": 765825877, + "id": 1635322986, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6683,7 +6683,7 @@ } }, { - "id": 3069821316, + "id": 2993661270, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -6725,7 +6725,7 @@ } }, { - "id": 1340770338, + "id": 98941603, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6744,7 +6744,7 @@ } }, { - "id": 1497282129, + "id": 1457279887, "definition": { "title": "UpdateResolver", "title_size": "16", 
@@ -6786,7 +6786,7 @@ } }, { - "id": 1341888469, + "id": 81455571, "definition": { "type": "note", "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", @@ -6805,7 +6805,7 @@ } }, { - "id": 1498400260, + "id": 1340454968, "definition": { "title": "DeleteBucketPolicy", "title_size": "16", @@ -6847,7 +6847,7 @@ } }, { - "id": 1344925916, + "id": 3302980049, "definition": { "type": "note", "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", @@ -6866,7 +6866,7 @@ } }, { - "id": 3648921355, + "id": 267012150, "definition": { "title": "DeleteFlowLogs", "title_size": "16", @@ -6908,7 +6908,7 @@ } }, { - "id": 1211707517, + "id": 2150636984, "definition": { "type": "note", "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -6927,7 +6927,7 @@ } }, { - "id": 3515702956, + "id": 3508975268, "definition": { "title": "DeleteNetworkAcl", "title_size": "16", 
@@ -6969,7 +6969,7 @@ } }, { - "id": 3049493838, + "id": 585787403, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -6988,7 +6988,7 @@ } }, { - "id": 1058521981, + "id": 4091609335, "definition": { "title": "TerminateInstances", "title_size": "16", @@ -7030,7 +7030,7 @@ } }, { - "id": 59536734, + "id": 4171877671, "definition": { "type": "note", "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7049,7 +7049,7 @@ } }, { - "id": 2363532173, + "id": 3382732307, "definition": { "title": "DeleteNetworkAclEntry", "title_size": "16", 
@@ -7091,7 +7091,7 @@ } }, { - "id": 2618096196, + "id": 1509385374, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", @@ -7110,7 +7110,7 @@ } }, { - "id": 627124339, + "id": 720240010, "definition": { "title": "StopInstances", "title_size": "16", @@ -7152,7 +7152,7 @@ } }, { - "id": 1787699337, + "id": 2719380800, "definition": { "type": "note", "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -7171,7 +7171,7 @@ } }, { - "id": 1944211128, + "id": 4077719084, "definition": { "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", 
@@ -7213,7 +7213,7 @@ } }, { - "id": 961842525, + "id": 3064393780, "definition": { "type": "note", "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", @@ -7232,7 +7232,7 @@ } }, { - "id": 3265837964, + "id": 2175909529, "definition": { "title": "ModifyActivityStream", "title_size": "16", @@ -7274,7 +7274,7 @@ } }, { - "id": 182191416, + "id": 3312735031, "definition": { "type": "note", "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -7293,7 +7293,7 @@ } }, { - "id": 338703207, + "id": 2523589667, "definition": { "title": "DeleteIdentity", "title_size": "16", @@ -7335,7 +7335,7 @@ } }, { - "id": 1185389122, + "id": 4177137417, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7354,7 +7354,7 @@ } }, { - "id": 3489384561, + "id": 3387992053, "definition": { "title": "UpdateIPSet", "title_size": "16", 
@@ -7396,7 +7396,7 @@ } }, { - "id": 3374658981, + "id": 2283325339, "definition": { "type": "note", "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -7415,7 +7415,7 @@ } }, { - "id": 1383687124, + "id": 3641663623, "definition": { "title": "DeleteInvitations", "title_size": "16", @@ -7457,7 +7457,7 @@ } }, { - "id": 985157036, + "id": 2004160955, "definition": { "type": "note", "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7476,7 +7476,7 @@ } }, { - "id": 1141668827, + "id": 3362499239, "definition": { "title": "UpdateDetector", "title_size": "16", @@ -7518,7 +7518,7 @@ } }, { - "id": 3611426795, + "id": 435838375, "definition": { "type": "note", "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", 
@@ -7537,7 +7537,7 @@
 }
 },
 {
- "id": 1620454938,
+ "id": 3941660307,
 "definition": {
 "title": "DeleteDetector",
 "title_size": "16",
@@ -7579,7 +7579,7 @@
 }
 },
 {
- "id": 2414949320,
+ "id": 2412844729,
 "definition": {
 "type": "note",
 "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -7598,7 +7598,7 @@
 }
 },
 {
- "id": 2571461111,
+ "id": 1623699365,
 "definition": {
 "title": "DeletePublishingDestination",
 "title_size": "16",
@@ -7640,7 +7640,7 @@
 }
 },
 {
- "id": 4189487954,
+ "id": 3103604299,
 "definition": {
 "type": "note",
 "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -7659,7 +7659,7 @@
 }
 },
 {
- "id": 2198516097,
+ "id": 2314458935,
 "definition": {
 "title": "DisassociateMembers",
 "title_size": "16",
@@ -7701,7 +7701,7 @@
 }
 },
 {
- "id": 217267159,
+ "id": 2308180011,
 "definition": {
 "type": "note",
 "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -7720,7 +7720,7 @@
 }
 },
 {
- "id": 373778950,
+ "id": 1519034647,
 "definition": {
 "title": "DisassociateFromMasterAccount",
 "title_size": "16",
@@ -7762,7 +7762,7 @@
 }
 },
 {
- "id": 895985183,
+ "id": 1459289521,
 "definition": {
 "type": "note",
 "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -7781,7 +7781,7 @@
 }
 },
 {
- "id": 1052496974,
+ "id": 670144157,
 "definition": {
 "title": "StopMonitoringMembers",
 "title_size": "16",
@@ -7823,7 +7823,7 @@
 }
 },
 {
- "id": 3553299437,
+ "id": 110965816,
 "definition": {
 "type": "note",
 "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -7842,7 +7842,7 @@
 }
 },
 {
- "id": 1562327580,
+ "id": 3616787748,
 "definition": {
 "title": "CreateIPSet",
 "title_size": "16",
@@ -7884,7 +7884,7 @@
 }
 },
 {
- "id": 3786703911,
+ "id": 1349590608,
 "definition": {
 "type": "note",
 "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -7903,7 +7903,7 @@
 }
 },
 {
- "id": 1795732054,
+ "id": 2707928892,
 "definition": {
 "title": "CreateFilter",
 "title_size": "16",
@@ -7945,7 +7945,7 @@
 }
 },
 {
- "id": 795080243,
+ "id": 4211845879,
 "definition": {
 "type": "note",
 "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -7964,7 +7964,7 @@
 }
 },
 {
- "id": 3099075682,
+ "id": 1175877980,
 "definition": {
 "title": "DeleteMembers",
 "title_size": "16",
@@ -8006,7 +8006,7 @@
 }
 },
 {
- "id": 1688468312,
+ "id": 3850666249,
 "definition": {
 "type": "note",
 "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n",
@@ -8025,7 +8025,7 @@
 }
 },
 {
- "id": 1745641216,
+ "id": 3061520885,
 "definition": {
 "title": "DeleteConfigurationRecorder",
 "title_size": "16",
@@ -8067,7 +8067,7 @@
 }
 },
 {
- "id": 1148245249,
+ "id": 563256548,
 "definition": {
 "type": "note",
 "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -8086,7 +8086,7 @@
 }
 },
 {
- "id": 3452240688,
+ "id": 4069078480,
 "definition": {
 "title": "DeleteDeliveryChannel",
 "title_size": "16",
@@ -8128,7 +8128,7 @@
 }
 },
 {
- "id": 3969314384,
+ "id": 1867431330,
 "definition": {
 "type": "note",
 "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
@@ -8147,7 +8147,7 @@
 }
 },
 {
- "id": 1978342527,
+ "id": 3126430727,
 "definition": {
 "title": "StopConfigurationRecorder",
 "title_size": "16",
@@ -8189,7 +8189,7 @@
 }
 },
 {
- "id": 657781255,
+ "id": 3761905475,
 "definition": {
 "type": "note",
 "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n",
@@ -8208,7 +8208,7 @@
 }
 },
 {
- "id": 814293046,
+ "id": 725937576,
 "definition": {
 "title": "DeleteConfigRule",
 "title_size": "16",
@@ -8250,7 +8250,7 @@
 }
 },
 {
- "id": 2724064891,
+ "id": 1925582222,
 "definition": {
 "type": "note",
 "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n",
@@ -8269,7 +8269,7 @@
 }
 },
 {
- "id": 733093034,
+ "id": 1136436858,
 "definition": {
 "title": "DeleteRuleGroup",
 "title_size": "16",
@@ -8311,7 +8311,7 @@
 }
 },
 {
- "id": 1185389122,
+ "id": 4177137417,
 "definition": {
 "type": "note",
 "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n",
@@ -8330,7 +8330,7 @@
 }
 },
 {
- "id": 3489384561,
+ "id": 3387992053,
 "definition": {
 "title": "UpdateIPSet",
 "title_size": "16",
@@ -8372,7 +8372,7 @@
 }
 },
 {
- "id": 3449364264,
+ "id": 2263215334,
 "definition": {
 "type": "note",
 "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n",
@@ -8391,7 +8391,7 @@
 }
 },
 {
- "id": 1458392407,
+ "id": 3621553618,
 "definition": {
 "title": "DeleteWebACL",
 "title_size": "16",
@@ -8442,7 +8442,7 @@
 }
 },
 {
- "id": 2406198897,
+ "id": 1849793307,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
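Review bot: The new ids written in the `@@ -8311` and `@@ -8330` hunks, `4177137417` and `3387992053`, are the same values assigned to the GuardDuty UpdateIPSet note and query widgets in the `@@ -7335` and `@@ -7354` hunks, and the old ids `1185389122` / `3489384561` were already duplicated, so the regeneration carried the collision forward. The ids appear to be derived from the bare event name (`UpdateIPSet`), which is not unique across services, whereas widget ids within one Datadog dashboard are expected to be unique and duplicates risk being silently reassigned or rejected on import. Deriving the id from the service-qualified name, for example the `WAFV2-UpdateIPSet` anchor already used in the content link, would keep the two widgets distinct; the same fix applies to any other event name shared by two services in the generated file.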
@@ -8451,7 +8451,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 2142767099,
+ "id": 1410046401,
 "definition": {
 "type": "note",
 "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n",
@@ -8470,7 +8470,7 @@
 }
 },
 {
- "id": 151795242,
+ "id": 620901037,
 "definition": {
 "title": "GetSecretValue",
 "title_size": "16",
@@ -8512,7 +8512,7 @@
 }
 },
 {
- "id": 3223109913,
+ "id": 3794713833,
 "definition": {
 "type": "note",
 "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n",
@@ -8531,7 +8531,7 @@
 }
 },
 {
- "id": 1232138056,
+ "id": 3005568469,
 "definition": {
 "title": "DescribeSecret",
 "title_size": "16",
@@ -8573,7 +8573,7 @@
 }
 },
 {
- "id": 612606808,
+ "id": 1722034201,
 "definition": {
 "type": "note",
 "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -8592,7 +8592,7 @@
 }
 },
 {
- "id": 769118599,
+ "id": 932888837,
 "definition": {
 "title": "ListSecrets",
 "title_size": "16",
@@ -8634,7 +8634,7 @@
 }
 },
 {
- "id": 784188188,
+ "id": 2531598624,
 "definition": {
 "type": "note",
 "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -8653,7 +8653,7 @@
 }
 },
 {
- "id": 3088183627,
+ "id": 3889936908,
 "definition": {
 "title": "GetPasswordData",
 "title_size": "16",
@@ -8695,7 +8695,7 @@
 }
 },
 {
- "id": 3296455017,
+ "id": 751562107,
 "definition": {
 "type": "note",
 "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
@@ -8714,7 +8714,7 @@
 }
 },
 {
- "id": 3452966808,
+ "id": 4257384039,
 "definition": {
 "title": "GetParameters",
 "title_size": "16",
@@ -8765,7 +8765,7 @@
 }
 },
 {
- "id": 729997972,
+ "id": 4212461918,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -8774,7 +8774,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 2408353466,
+ "id": 3034288293,
 "definition": {
 "type": "note",
 "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -8793,7 +8793,7 @@
 }
 },
 {
- "id": 417381609,
+ "id": 2245142929,
 "definition": {
 "title": "ListDomains",
 "title_size": "16",
@@ -8835,7 +8835,7 @@
 }
 },
 {
- "id": 2798319762,
+ "id": 2641995670,
 "definition": {
 "type": "note",
 "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -8854,7 +8854,7 @@
 }
 },
 {
- "id": 807347905,
+ "id": 1852850306,
 "definition": {
 "title": "GetHostedZoneCount",
 "title_size": "16",
@@ -8896,7 +8896,7 @@
 }
 },
 {
- "id": 3265878789,
+ "id": 379527925,
 "definition": {
 "type": "note",
 "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
@@ -8915,7 +8915,7 @@
 }
 },
 {
- "id": 3422390580,
+ "id": 1737866209,
 "definition": {
 "title": "DescribeOrganization",
 "title_size": "16",
@@ -8957,7 +8957,7 @@
 }
 },
 {
- "id": 1906309184,
+ "id": 1339702943,
 "definition": {
 "type": "note",
 "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
@@ -8976,7 +8976,7 @@
 }
 },
 {
- "id": 4210304623,
+ "id": 550557579,
 "definition": {
 "title": "ListOrganizationalUnitsForParent",
 "title_size": "16",
@@ -9018,7 +9018,7 @@
 }
 },
 {
- "id": 419184246,
+ "id": 1602981646,
 "definition": {
 "type": "note",
 "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
@@ -9037,7 +9037,7 @@
 }
 },
 {
- "id": 2723179685,
+ "id": 813836282,
 "definition": {
 "title": "ListAccounts",
 "title_size": "16",
@@ -9079,7 +9079,7 @@
 }
 },
 {
- "id": 3868335569,
+ "id": 812880508,
 "definition": {
 "type": "note",
 "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n",
@@ -9098,7 +9098,7 @@
 }
 },
 {
- "id": 1877363712,
+ "id": 23735144,
 "definition": {
 "title": "GetCallerIdentity",
 "title_size": "16",
@@ -9140,7 +9140,7 @@
 }
 },
 {
- "id": 874675808,
+ "id": 3458848317,
 "definition": {
 "type": "note",
 "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
@@ -9159,7 +9159,7 @@
 }
 },
 {
- "id": 1031187599,
+ "id": 2669702953,
 "definition": {
 "title": "ListTopics",
 "title_size": "16",
@@ -9201,7 +9201,7 @@
 }
 },
 {
- "id": 3521153277,
+ "id": 1111552399,
 "definition": {
 "type": "note",
 "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
@@ -9220,7 +9220,7 @@
 }
 },
 {
- "id": 1530181420,
+ "id": 2469890683,
 "definition": {
 "title": "ListSubscriptions",
 "title_size": "16",
@@ -9262,7 +9262,7 @@
 }
 },
 {
- "id": 975484521,
+ "id": 3275422955,
 "definition": {
 "type": "note",
 "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
@@ -9281,7 +9281,7 @@
 }
 },
 {
- "id": 1131996312,
+ "id": 2486277591,
 "definition": {
 "title": "ListOriginationNumbers",
 "title_size": "16",
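Review bot: The ListSubscriptions note in the `@@ -9201` hunk carries the description of a different API, `Lists the calling AWS account's dedicated origination numbers and their metadata.`, which is repeated verbatim for ListOriginationNumbers in the `@@ -9262` hunk; SNS ListSubscriptions returns the requester's subscriptions, so an analyst reading the panel gets the wrong picture of what the event means. This is an unchanged context line, so the commit did not introduce it, but since the dashboard is being regenerated it is worth correcting in whatever source record feeds the generator, e.g. `**Description:** Returns a list of the requester's subscriptions.`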
@@ -9323,7 +9323,7 @@
 }
 },
 {
- "id": 3770074704,
+ "id": 430382683,
 "definition": {
 "type": "note",
 "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -9342,7 +9342,7 @@
 }
 },
 {
- "id": 3926586495,
+ "id": 3936204615,
 "definition": {
 "title": "GetSMSAttributes",
 "title_size": "16",
@@ -9384,7 +9384,7 @@
 }
 },
 {
- "id": 1031736136,
+ "id": 1746962174,
 "definition": {
 "type": "note",
 "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
@@ -9403,7 +9403,7 @@
 }
 },
 {
- "id": 3335731575,
+ "id": 957816810,
 "definition": {
 "title": "GetSMSSandboxAccountStatus",
 "title_size": "16",
@@ -9445,7 +9445,7 @@
 }
 },
 {
- "id": 3409007401,
+ "id": 1134696580,
 "definition": {
 "type": "note",
 "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n",
@@ -9464,7 +9464,7 @@
 }
 },
 {
- "id": 3565519192,
+ "id": 345551216,
 "definition": {
 "title": "IssueCertificate",
 "title_size": "16",
@@ -9506,7 +9506,7 @@
 }
 },
 {
- "id": 3395521530,
+ "id": 765973898,
 "definition": {
 "type": "note",
 "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n",
@@ -9525,7 +9525,7 @@
 }
 },
 {
- "id": 1404549673,
+ "id": 2024973295,
 "definition": {
 "title": "GetCertificate",
 "title_size": "16",
@@ -9567,7 +9567,7 @@
 }
 },
 {
- "id": 2878458930,
+ "id": 1982931038,
 "definition": {
 "type": "note",
 "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -9586,7 +9586,7 @@
 }
 },
 {
- "id": 887487073,
+ "id": 1193785674,
 "definition": {
 "title": "DescribeLogGroups",
 "title_size": "16",
@@ -9628,7 +9628,7 @@
 }
 },
 {
- "id": 605745404,
+ "id": 3055791109,
 "definition": {
 "type": "note",
 "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -9647,7 +9647,7 @@
 }
 },
 {
- "id": 2909740843,
+ "id": 19823210,
 "definition": {
 "title": "DescribeSubscriptionFilters",
 "title_size": "16",
@@ -9689,7 +9689,7 @@
 }
 },
 {
- "id": 427194997,
+ "id": 2550139698,
 "definition": {
 "type": "note",
 "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -9708,7 +9708,7 @@
 }
 },
 {
- "id": 2731190436,
+ "id": 1760994334,
 "definition": {
 "title": "DescribeLogStreams",
 "title_size": "16",
@@ -9750,7 +9750,7 @@
 }
 },
 {
- "id": 3664223518,
+ "id": 394178746,
 "definition": {
 "type": "note",
 "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -9769,7 +9769,7 @@
 }
 },
 {
- "id": 1673251661,
+ "id": 1653178143,
 "definition": {
 "title": "GetLogRecord",
 "title_size": "16",
@@ -9811,7 +9811,7 @@
 }
 },
 {
- "id": 2301713492,
+ "id": 400968085,
 "definition": {
 "type": "note",
 "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -9830,7 +9830,7 @@
 }
 },
 {
- "id": 310741635,
+ "id": 1759306369,
 "definition": {
 "title": "GetQueryResults",
 "title_size": "16",
@@ -9872,7 +9872,7 @@
 }
 },
 {
- "id": 3856913850,
+ "id": 2158594879,
 "definition": {
 "type": "note",
 "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -9891,7 +9891,7 @@
 }
 },
 {
- "id": 4013425641,
+ "id": 1369449515,
 "definition": {
 "title": "ListTargetsByRule",
 "title_size": "16",
@@ -9933,7 +9933,7 @@
 }
 },
 {
- "id": 1351676437,
+ "id": 3341782391,
 "definition": {
 "type": "note",
 "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -9952,7 +9952,7 @@
 }
 },
 {
- "id": 1508188228,
+ "id": 2552637027,
 "definition": {
 "title": "ListRules",
 "title_size": "16",
@@ -9994,7 +9994,7 @@
 }
 },
 {
- "id": 3073375619,
+ "id": 3310532511,
 "definition": {
 "type": "note",
 "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -10013,7 +10013,7 @@
 }
 },
 {
- "id": 3130548523,
+ "id": 2521387147,
 "definition": {
 "title": "GetInstances",
 "title_size": "16",
@@ -10055,7 +10055,7 @@
 }
 },
 {
- "id": 561323259,
+ "id": 1323013707,
 "definition": {
 "type": "note",
 "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -10074,7 +10074,7 @@
 }
 },
 {
- "id": 717835050,
+ "id": 533868343,
 "definition": {
 "title": "GetRegions",
 "title_size": "16",
@@ -10116,7 +10116,7 @@
 }
 },
 {
- "id": 3488600821,
+ "id": 711204426,
 "definition": {
 "type": "note",
 "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
@@ -10135,7 +10135,7 @@
 }
 },
 {
- "id": 3645112612,
+ "id": 2069542710,
 "definition": {
 "title": "GetCostAndUsage",
 "title_size": "16",
@@ -10177,7 +10177,7 @@
 }
 },
 {
- "id": 3257996455,
+ "id": 1075960730,
 "definition": {
 "type": "note",
 "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -10196,7 +10196,7 @@
 }
 },
 {
- "id": 3414508246,
+ "id": 286815366,
 "definition": {
 "title": "ListGroupsForUser",
 "title_size": "16",
@@ -10238,7 +10238,7 @@
 }
 },
 {
- "id": 2483708938,
+ "id": 4194606680,
 "definition": {
 "type": "note",
 "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n",
@@ -10257,7 +10257,7 @@
 }
 },
 {
- "id": 2640220729,
+ "id": 3405461316,
 "definition": {
 "title": "ListAccessKeys",
 "title_size": "16",
@@ -10299,7 +10299,7 @@
 }
 },
 {
- "id": 3128295014,
+ "id": 3970198394,
 "definition": {
 "type": "note",
 "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -10318,7 +10318,7 @@
 }
 },
 {
- "id": 3284806805,
+ "id": 934230495,
 "definition": {
 "title": "SimulatePrincipalPolicy",
 "title_size": "16",
@@ -10360,7 +10360,7 @@
 }
 },
 {
- "id": 2844255180,
+ "id": 2943421452,
 "definition": {
 "type": "note",
 "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n",
@@ -10379,7 +10379,7 @@
 }
 },
 {
- "id": 853283323,
+ "id": 2154276088,
 "definition": {
 "title": "GetAccountAuthorizationDetails",
 "title_size": "16",
@@ -10421,7 +10421,7 @@
 }
 },
 {
- "id": 2444447938,
+ "id": 585988066,
 "definition": {
 "type": "note",
 "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n",
@@ -10440,7 +10440,7 @@
 }
 },
 {
- "id": 2600959729,
+ "id": 1844987463,
 "definition": {
 "title": "ListGroups",
 "title_size": "16",
@@ -10482,7 +10482,7 @@ } }, { - "id": 3795265361, + "id": 4247681448, "definition": { "type": "note", "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10501,7 +10501,7 @@ } }, { - "id": 1804293504, + "id": 1211713549, "definition": { "title": "ListUsers", "title_size": "16", @@ -10543,7 +10543,7 @@ } }, { - "id": 1070156401, + "id": 1289290335, "definition": { "type": "note", "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", 
@@ -10562,7 +10562,7 @@ } }, { - "id": 3374151840, + "id": 500144971, "definition": { "title": "ListRoles", "title_size": "16", @@ -10604,7 +10604,7 @@ } }, { - "id": 4096299297, + "id": 2815277834, "definition": { "type": "note", "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10623,7 +10623,7 @@ } }, { - "id": 4153472201, + "id": 2026132470, "definition": { "title": "ListSAMLProviders", "title_size": "16", @@ -10665,7 +10665,7 @@ } }, { - "id": 522876424, + "id": 3060115033, "definition": { "type": "note", "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n", @@ -10684,7 +10684,7 @@ } }, { - "id": 679388215, + "id": 2270969669, "definition": { "title": "GetUser", "title_size": "16", @@ -10726,7 +10726,7 @@ } }, { - "id": 1731717290, + "id": 1220604483, "definition": { "type": "note", "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10745,7 +10745,7 @@ } }, { - "id": 1888229081, + "id": 431459119, "definition": { "title": "ListAttachedRolePolicies", "title_size": "16", 
@@ -10787,7 +10787,7 @@ } }, { - "id": 4248419490, + "id": 266836045, "definition": { "type": "note", "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10806,7 +10806,7 @@ } }, { - "id": 109963985, + "id": 1625174329, "definition": { "title": "ListServiceSpecificCredentials", "title_size": "16", @@ -10848,7 +10848,7 @@ } }, { - "id": 3068435365, + "id": 77037572, "definition": { "type": "note", "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10867,7 +10867,7 @@ } }, { - "id": 1077463508, + "id": 3582859504, "definition": { "title": "ListRolePolicies", "title_size": "16", @@ -10909,7 +10909,7 @@ } }, { - "id": 1821574988, + "id": 405102388, "definition": { "type": "note", "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10928,7 +10928,7 @@ } }, { - "id": 4125570427, + "id": 3910924320, "definition": { "title": "ListSigningCertificates", "title_size": "16", 
@@ -10970,7 +10970,7 @@ } }, { - "id": 428079412, + "id": 571100426, "definition": { "type": "note", "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10989,7 +10989,7 @@ } }, { - "id": 2732074851, + "id": 4076922358, "definition": { "title": "ListInstanceProfiles", "title_size": "16", @@ -11031,7 +11031,7 @@ } }, { - "id": 3535838844, + "id": 2073808223, "definition": { "type": "note", "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11050,7 +11050,7 @@ } }, { - "id": 3692350635, + "id": 3332807620, "definition": { "title": "ListSSHPublicKeys", "title_size": "16", @@ -11092,7 +11092,7 @@ } }, { - "id": 2967197060, + "id": 339647870, "definition": { "type": "note", "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11111,7 +11111,7 @@ } }, { - "id": 3123708851, + "id": 3845469802, "definition": { "title": "ListOpenIDConnectProviders", "title_size": "16", 
@@ -11153,7 +11153,7 @@ } }, { - "id": 2308987682, + "id": 4180094356, "definition": { "type": "note", "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11172,7 +11172,7 @@ } }, { - "id": 318015825, + "id": 3390948992, "definition": { "title": "GetLoginProfile", "title_size": "16", @@ -11214,7 +11214,7 @@ } }, { - "id": 2405134776, + "id": 1260477516, "definition": { "type": "note", "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11233,7 +11233,7 @@ } }, { - "id": 414162919, + "id": 471332152, "definition": { "title": "DescribeLoadBalancers", "title_size": "16", @@ -11275,7 +11275,7 @@ } }, { - "id": 2133570313, + "id": 2121231512, "definition": { "type": "note", "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11294,7 +11294,7 @@ } }, { - "id": 142598456, + "id": 1332086148, "definition": { "title": "DescribeListeners", "title_size": "16", 
@@ -11336,7 +11336,7 @@ } }, { - "id": 599466225, + "id": 361241594, "definition": { "type": "note", "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11355,7 +11355,7 @@ } }, { - "id": 755978016, + "id": 1719579878, "definition": { "title": "ListAssociatedAccessPolicies", "title_size": "16", @@ -11397,7 +11397,7 @@ } }, { - "id": 273753492, + "id": 59191378, "definition": { "type": "note", "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11416,7 +11416,7 @@ } }, { - "id": 2577748931, + "id": 3565013310, "definition": { "title": "ListClusters", "title_size": "16", @@ -11458,7 +11458,7 @@ } }, { - "id": 2816191904, + "id": 2309851231, "definition": { "type": "note", "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11477,7 +11477,7 @@ } }, { - "id": 2972703695, + "id": 1520705867, "definition": { "title": "DescribeAccessEntry", "title_size": "16", 
@@ -11519,7 +11519,7 @@ } }, { - "id": 3753009292, + "id": 2885346219, "definition": { "type": "note", "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11538,7 +11538,7 @@ } }, { - "id": 1762037435, + "id": 2096200855, "definition": { "title": "DescribeCluster", "title_size": "16", @@ -11580,7 +11580,7 @@ } }, { - "id": 3165981490, + "id": 2985876222, "definition": { "type": "note", "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -11599,7 +11599,7 @@ } }, { - "id": 3322493281, + "id": 2196730858, "definition": { "title": "Search", "title_size": "16", @@ -11641,7 +11641,7 @@ } }, { - "id": 3606873723, + "id": 475764523, "definition": { "type": "note", "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11660,7 +11660,7 @@ } }, { - "id": 3763385514, + "id": 3981586455, "definition": { "title": "LookupEvents", "title_size": "16", 
@@ -11702,7 +11702,7 @@ } }, { - "id": 2455055513, + "id": 4189350422, "definition": { "type": "note", "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -11721,7 +11721,7 @@ } }, { - "id": 464083656, + "id": 3400205058, "definition": { "title": "GetIntrospectionSchema", "title_size": "16", @@ -11763,7 +11763,7 @@ } }, { - "id": 641285771, + "id": 2467799295, "definition": { "type": "note", "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11782,7 +11782,7 @@ } }, { - "id": 797797562, + "id": 3726798692, "definition": { "title": "GetBucketVersioning", "title_size": "16", @@ -11824,7 +11824,7 @@ } }, { - "id": 1542892487, + "id": 25157594, "definition": { "type": "note", "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -11843,7 +11843,7 @@ } }, { - "id": 1699404278, + "id": 3530979526, "definition": { "title": "GetBucketLogging", "title_size": "16", @@ -11885,7 +11885,7 @@ } }, { - "id": 1595104319, + "id": 2868703371, "definition": { "type": "note", "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11904,7 +11904,7 @@ } }, { - "id": 1751616110, + "id": 2079558007, "definition": { "title": "GetBucketPolicy", "title_size": "16", 
@@ -11946,7 +11946,7 @@ } }, { - "id": 2361068291, + "id": 2731535590, "definition": { "type": "note", "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -11965,7 +11965,7 @@ } }, { - "id": 2517580082, + "id": 1942390226, "definition": { "title": "ListBuckets", "title_size": "16", 
@@ -12007,7 +12007,7 @@ } }, { - "id": 1042116270, + "id": 2834479866, "definition": { "type": "note", "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12026,7 +12026,7 @@ } }, { - "id": 1198628061, + "id": 4093479263, "definition": { "title": "GetBucketReplication", "title_size": "16", @@ -12068,7 +12068,7 @@ } }, { - "id": 2421481938, + "id": 2747648271, "definition": { "type": "note", "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", @@ -12087,7 +12087,7 @@ } }, { - "id": 430510081, + "id": 1958502907, "definition": { "title": "GetBucketAcl", "title_size": "16", @@ -12129,7 +12129,7 @@ } }, { - "id": 3872762300, + "id": 1740494162, "definition": { "type": "note", "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", 
@@ -12148,7 +12148,7 @@ } }, { - "id": 4029274091, + "id": 2999493559, "definition": { "title": "HeadObject", "title_size": "16", @@ -12190,7 +12190,7 @@ } }, { - "id": 723862554, + "id": 1987773456, "definition": { "type": "note", "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12209,7 +12209,7 @@ } }, { - "id": 3027857993, + "id": 3246772853, "definition": { "title": "ListVaults", "title_size": "16", @@ -12251,7 +12251,7 @@ } }, { - "id": 4282342896, + "id": 2595892388, "definition": { "type": "note", "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12270,7 +12270,7 @@ } }, { - "id": 2291371039, + "id": 1806747024, "definition": { "title": "GetPublicAccessBlock", "title_size": "16", @@ -12312,7 +12312,7 @@ } }, { - "id": 1617792774, + "id": 2656055713, "definition": { "type": "note", "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", 
@@ -12331,7 +12331,7 @@ } }, { - "id": 3921788213, + "id": 1866910349, "definition": { "title": "GetBucketTagging", "title_size": "16", @@ -12373,7 +12373,7 @@ } }, { - "id": 2057601142, + "id": 1620544401, "definition": { "type": "note", "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -12392,7 +12392,7 @@ } }, { - "id": 2214112933, + "id": 831399037, "definition": { "title": "ListObjects", "title_size": "16", @@ -12434,7 +12434,7 @@ } }, { - "id": 524138153, + "id": 3311367366, "definition": { "type": "note", "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12453,7 +12453,7 @@ } }, { - "id": 2828133592, + "id": 2522222002, "definition": { "title": "InvokeModel", "title_size": "16", 
@@ -12495,7 +12495,7 @@ } }, { - "id": 961637698, + "id": 427806382, "definition": { "type": "note", "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12514,7 +12514,7 @@ } }, { - "id": 3265633137, + "id": 3933628314, "definition": { "title": "GetUseCaseForModelAccess", "title_size": "16", @@ -12556,7 +12556,7 @@ } }, { - "id": 3339388268, + "id": 2280869750, "definition": { "type": "note", "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12575,7 +12575,7 @@ } }, { - "id": 1348416411, + "id": 1491724386, "definition": { "title": "ListProvisionedModelThroughputs", "title_size": "16", @@ -12617,7 +12617,7 @@ } }, { - "id": 372121516, + "id": 799375902, "definition": { "type": "note", "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12636,7 +12636,7 @@ } }, { - "id": 528633307, + "id": 2157714186, "definition": { "title": "GetFoundationModelAvailability", "title_size": "16", 
@@ -12678,7 +12678,7 @@ } }, { - "id": 3339584929, + "id": 994860962, "definition": { "type": "note", "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12697,7 +12697,7 @@ } }, { - "id": 3496096720, + "id": 205715598, "definition": { "title": "ListFoundationModels", "title_size": "16", @@ -12739,7 +12739,7 @@ } }, { - "id": 2532931724, + "id": 2911751868, "definition": { "type": "note", "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12758,7 +12758,7 @@ } }, { - "id": 2689443515, + "id": 2122606504, "definition": { "title": "ListFoundationModelAgreementOffers", "title_size": "16", @@ -12800,7 +12800,7 @@ } }, { - "id": 4133810184, + "id": 1846212471, "definition": { "type": "note", "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n", @@ -12819,7 +12819,7 @@ } }, { - "id": 2142838327, + "id": 3105211868, "definition": { "title": "GetModelInvocationLoggingConfiguration", "title_size": "16", 
@@ -12861,7 +12861,7 @@ } }, { - "id": 103901528, + "id": 1884544588, "definition": { "type": "note", "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -12880,7 +12880,7 @@ } }, { - "id": 260413319, + "id": 3242882872, "definition": { "title": "GetConsoleScreenshot", "title_size": "16", @@ -12922,7 +12922,7 @@ } }, { - "id": 4232385496, + "id": 17536631, "definition": { "type": "note", "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -12941,7 +12941,7 @@ } }, { - "id": 93929991, + "id": 1375874915, "definition": { "title": "DescribeSnapshotTierStatus", "title_size": "16", @@ -12983,7 +12983,7 @@ } }, { - "id": 2194148189, + "id": 1664162372, "definition": { "type": "note", "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13002,7 +13002,7 @@ } }, { - "id": 203176332, + "id": 2923161769, "definition": { "title": "DescribeImages", "title_size": "16", 
@@ -13044,7 +13044,7 @@ } }, { - "id": 1182139178, + "id": 1383650146, "definition": { "type": "note", "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13063,7 +13063,7 @@ } }, { - "id": 3486134617, + "id": 2642649543, "definition": { "title": "GetEbsDefaultKmsKeyId", "title_size": "16", @@ -13105,7 +13105,7 @@ } }, { - "id": 3338219996, + "id": 155683875, "definition": { "type": "note", "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13124,7 +13124,7 @@ } }, { - "id": 1347248139, + "id": 3661505807, "definition": { "title": "DescribeAvailabilityZones", "title_size": "16", @@ -13166,7 +13166,7 @@ } }, { - "id": 1993366237, + "id": 2898318833, "definition": { "type": "note", "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", 
@@ -13185,7 +13185,7 @@ } }, { - "id": 4198022789, + "id": 2109173469, "definition": { "title": "DescribeInstances", "title_size": "16", @@ -13227,7 +13227,7 @@ } }, { - "id": 334028427, + "id": 3478154763, "definition": { "type": "note", "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13246,7 +13246,7 @@ } }, { - "id": 490540218, + "id": 2689009399, "definition": { "title": "GetTransitGatewayRouteTableAssociations", "title_size": "16", @@ -13288,7 +13288,7 @@ } }, { - "id": 687866309, + "id": 3813728644, "definition": { "type": "note", "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13307,7 +13307,7 @@ } }, { - "id": 2991861748, + "id": 3024583280, "definition": { "title": "GetLaunchTemplateData", "title_size": "16", @@ -13349,7 +13349,7 @@ } }, { - "id": 1508565434, + "id": 153881005, "definition": { "type": "note", "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n", 
@@ -13368,7 +13368,7 @@ } }, { - "id": 3812560873, + "id": 1412880402, "definition": { "title": "DescribeKeyPairs", "title_size": "16", @@ -13410,7 +13410,7 @@ } }, { - "id": 3552920132, + "id": 2289834389, "definition": { "type": "note", "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13429,7 +13429,7 @@ } }, { - "id": 1561948275, + "id": 1500689025, "definition": { "title": "GetEbsEncryptionByDefault", "title_size": "16", @@ -13471,7 +13471,7 @@ } }, { - "id": 3618671198, + "id": 903704403, "definition": { "type": "note", "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13490,7 +13490,7 @@ } }, { - "id": 3775182989, + "id": 2162703800, "definition": { "title": "DescribeCarrierGateways", "title_size": "16", @@ -13532,7 +13532,7 @@ } }, { - "id": 2996908233, + "id": 2317125472, "definition": { "type": "note", "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13551,7 +13551,7 @@ } }, { - "id": 3153420024, + "id": 1527980108, "definition": { "title": "GetFlowLogsIntegrationTemplate", "title_size": "16", @@ -13593,7 +13593,7 @@ } }, { - "id": 1188778012, + "id": 3410787265, "definition": { "type": "note", "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13612,7 +13612,7 @@ } }, { - "id": 3492773451, + "id": 474158253, "definition": { "title": "DescribeTransitGatewayMulticastDomains", "title_size": "16", @@ -13654,7 +13654,7 @@ } }, { - "id": 3915984468, + "id": 514603324, "definition": { "type": "note", "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13673,7 +13673,7 @@ } }, { - "id": 1925012611, + "id": 1872941608, "definition": { "title": "DescribeInstanceAttribute", "title_size": "16", @@ -13715,7 +13715,7 @@ } }, { - "id": 4271686105, + "id": 2182384579, "definition": { "type": "note", "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13734,7 +13734,7 @@ } }, { - "id": 2280714248, + "id": 1393239215, "definition": { "title": "DescribeDhcpOptions", "title_size": "16", @@ -13776,7 +13776,7 @@ } }, { - "id": 982278348, + "id": 3650086587, "definition": { "type": "note", "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13795,7 +13795,7 @@ } }, { - "id": 1138790139, + "id": 2860941223, "definition": { "title": "DescribeVpcEndpointConnectionNotifications", "title_size": "16", @@ -13837,7 +13837,7 @@ } }, { - "id": 3540414705, + "id": 1461775137, "definition": { "type": "note", "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13856,7 +13856,7 @@ } }, { - "id": 3696926496, + "id": 2720774534, "definition": { "title": "DescribeFlowLogs", "title_size": "16", @@ -13898,7 +13898,7 @@ } }, { - "id": 3311106047, + "id": 756645025, "definition": { "type": "note", "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -13917,7 +13917,7 @@ } }, { - "id": 1320134190, + "id": 4262466957, "definition": { "title": "DescribeSnapshotAttribute", "title_size": "16", @@ -13959,7 +13959,7 @@ } }, { - "id": 772072718, + "id": 3441724246, "definition": { "type": "note", "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -13978,7 +13978,7 @@ } }, { - "id": 3076068157, + "id": 2652578882, "definition": { "title": "DescribeVolumesModifications", "title_size": "16", @@ -14020,7 +14020,7 @@ } }, { - "id": 313558039, + "id": 1406042345, "definition": { "type": "note", "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14039,7 +14039,7 @@ } }, { - "id": 470069830, + "id": 616896981, "definition": { "title": "DescribeRegions", "title_size": "16", 
@@ -14081,7 +14081,7 @@ } }, { - "id": 1018953764, + "id": 3420189936, "definition": { "type": "note", "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n", @@ -14100,7 +14100,7 @@ } }, { - "id": 3322949203, + "id": 384222037, "definition": { "title": "DescribeSecurityGroups", "title_size": "16", @@ -14142,7 +14142,7 @@ } }, { - "id": 2741155850, + "id": 1842617723, "definition": { "type": "note", "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14161,7 +14161,7 @@ } }, { - "id": 750183993, + "id": 1053472359, "definition": { "title": "DescribeVpcs", "title_size": "16", @@ -14203,7 +14203,7 @@ } }, { - "id": 3007447534, + "id": 2860199151, "definition": { "type": "note", "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14222,7 +14222,7 @@ } }, { - "id": 3163959325, + "id": 2071053787, "definition": { "title": "DescribeBundleTasks", "title_size": "16", 
@@ -14264,7 +14264,7 @@ } }, { - "id": 347145034, + "id": 187305223, "definition": { "type": "note", "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14283,7 +14283,7 @@ } }, { - "id": 2651140473, + "id": 3593788268, "definition": { "title": "DescribeAccountAttributes", "title_size": "16", @@ -14325,7 +14325,7 @@ } }, { - "id": 2045106715, + "id": 922086896, "definition": { "type": "note", "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14344,7 +14344,7 @@ } }, { - "id": 54134858, + "id": 132941532, "definition": { "title": "DescribeVolumes", "title_size": "16", @@ -14386,7 +14386,7 @@ } }, { - "id": 684183526, + "id": 997323280, "definition": { "type": "note", "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14405,7 +14405,7 @@ } }, { - "id": 2988178965, + "id": 2355661564, "definition": { "title": "DescribeInstanceTypes", "title_size": "16", 
@@ -14447,7 +14447,7 @@ } }, { - "id": 504351285, + "id": 3990903063, "definition": { "type": "note", "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14466,7 +14466,7 @@ } }, { - "id": 2808346724, + "id": 1054274051, "definition": { "title": "DescribeClientVpnRoutes", "title_size": "16", @@ -14508,7 +14508,7 @@ } }, { - "id": 687866309, + "id": 3813728644, "definition": { "type": "note", "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -14527,7 +14527,7 @@ } }, { - "id": 2991861748, + "id": 3024583280, "definition": { "title": "GetLaunchTemplateData", "title_size": "16", @@ -14569,7 +14569,7 @@ } }, { - "id": 4084100487, + "id": 2114749304, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -14588,7 +14588,7 @@ } }, { - "id": 2093128630, + "id": 3473087588, "definition": { "title": "GetParameters", "title_size": "16", 
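Review bot: The regenerated ids in the `@@ -14508` and `@@ -14527` hunks (`3813728644` and `3024583280`) are the same values already assigned to the GetLaunchTemplateData note and query widgets in the `@@ -13288` / `@@ -13307` hunks, so the dashboard now carries two widget pairs with identical ids, exactly as it did before the renumbering (`687866309` / `2991861748`). This looks like the id generator hashes widget content, so a duplicated GetLaunchTemplateData entry collapses to a duplicated id; I would expect Datadog to reject or silently re-assign colliding widget ids on import, which is worth verifying against the API. Either drop the second GetLaunchTemplateData entry from the group, or make the generator salt the id with the widget's position (e.g. hash of `group_index:widget_index:title`) so duplicates cannot collide. The enclosing widget array starts and ends outside this hunk.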
@@ -14630,7 +14630,7 @@ } }, { - "id": 2323677433, + "id": 500258368, "definition": { "type": "note", "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -14649,7 +14649,7 @@ } }, { - "id": 332705576, + "id": 1759257765, "definition": { "title": "DescribeInstanceInformation", "title_size": "16", @@ -14691,7 +14691,7 @@ } }, { - "id": 2789390061, + "id": 776009940, "definition": { "type": "note", "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -14710,7 +14710,7 @@ } }, { - "id": 2945901852, + "id": 2134348224, "definition": { "title": "GetIdentityVerificationAttributes", "title_size": "16", @@ -14752,7 +14752,7 @@ } }, { - "id": 2101946886, + "id": 2966802073, "definition": { "type": "note", "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -14771,7 +14771,7 @@ } }, { - "id": 110975029, + "id": 2177656709, "definition": { "title": "GetAccountSendingEnabled", "title_size": "16", 
@@ -14813,7 +14813,7 @@ } }, { - "id": 1718461194, + "id": 908700011, "definition": { "type": "note", "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14832,7 +14832,7 @@ } }, { - "id": 4022456633, + "id": 119554647, "definition": { "title": "ListIdentities", "title_size": "16", 
@@ -14874,7 +14874,7 @@ } }, { - "id": 2467189381, + "id": 1251024166, "definition": { "type": "note", "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -14893,7 +14893,7 @@ } }, { - "id": 2623701172, + "id": 2510023563, "definition": { "title": "GetSendQuota", "title_size": "16", @@ -14935,7 +14935,7 @@ } }, { - "id": 1720384428, + "id": 587882090, "definition": { "type": "note", "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", 
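Review bot: The note content in the `@@ -14935` hunk describes SES GetAccount as "Lists the applied quota values for the specified AWS service.", which is the ServiceQuotas ListServiceQuotas description reused verbatim later in this same file; the renumbering leaves that copy-paste error in place. SES GetAccount returns the sending status and capabilities of the SES account in the current Region, so the line should read roughly `**Description:** Returns information about the email-sending status and capabilities of your Amazon SES account in the current Region.` (please confirm against the SES API reference before committing). Since ids are regenerated from content here, correcting the text will also change this widget's id on the next run, so the generator should be re-run rather than the id edited by hand. The description sits on a context line, so the fix belongs in whatever template produces this JSON rather than in this diff.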
@@ -14954,7 +14954,7 @@ } }, { - "id": 1876896219, + "id": 4093704022, "definition": { "title": "GetAccount", "title_size": "16", @@ -14996,7 +14996,7 @@ } }, { - "id": 805524292, + "id": 1404734453, "definition": { "type": "note", "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15015,7 +15015,7 @@ } }, { - "id": 962036083, + "id": 615589089, "definition": { "title": "GetFindings", "title_size": "16", @@ -15057,7 +15057,7 @@ } }, { - "id": 963594923, + "id": 1527401578, "definition": { "type": "note", "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15076,7 +15076,7 @@ } }, { - "id": 3267590362, + "id": 738256214, "definition": { "title": "ListFindings", "title_size": "16", @@ -15118,7 +15118,7 @@ } }, { - "id": 388763651, + "id": 1942051539, "definition": { "type": "note", "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -15137,7 +15137,7 @@ } }, { - "id": 545275442, + "id": 1152906175, "definition": { "title": "ListDetectors", "title_size": "16", 
@@ -15179,7 +15179,7 @@ } }, { - "id": 3534569231, + "id": 156528904, "definition": { "type": "note", "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -15198,7 +15198,7 @@ } }, { - "id": 1543597374, + "id": 3662350836, "definition": { "title": "GetDetector", "title_size": "16", @@ -15240,7 +15240,7 @@ } }, { - "id": 4009710071, + "id": 2557446618, "definition": { "type": "note", "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -15259,7 +15259,7 @@ } }, { - "id": 2018738214, + "id": 1768301254, "definition": { "title": "ListIPSets", "title_size": "16", @@ -15301,7 +15301,7 @@ } }, { - "id": 3906046960, + "id": 3564178547, "definition": { "type": "note", "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -15320,7 +15320,7 @@ } }, { - "id": 4062558751, + "id": 528210648, "definition": { "title": "ListServiceQuotas", "title_size": "16", 
@@ -15371,7 +15371,7 @@ } }, { - "id": 3178574696, + "id": 643531050, "definition": { "type": "group", "layout_type": "ordered", @@ -15380,7 +15380,7 @@ "show_title": true, "widgets": [ { - "id": 148443602, + "id": 270147237, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -15399,7 +15399,7 @@ } }, { - "id": 2452439041, + "id": 3775969169, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -15441,7 +15441,7 @@ } }, { - "id": 2922427264, + "id": 3967290718, "definition": { "type": "note", "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", @@ -15460,7 +15460,7 @@ } }, { - "id": 931455407, + "id": 3178145354, "definition": { "title": "SwitchRole", "title_size": "16", 
@@ -15502,7 +15502,7 @@ } }, { - "id": 2289930233, + "id": 1332668169, "definition": { "type": "note", "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n", @@ -15521,7 +15521,7 @@ } }, { - "id": 2446442024, + "id": 2591667566, "definition": { "title": "EnableSerialConsoleAccess", "title_size": "16", @@ -15563,7 +15563,7 @@ } }, { - "id": 2333906619, + "id": 4124248397, "definition": { "type": "note", "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15582,7 +15582,7 @@ } }, { - "id": 2490418410, + "id": 3335103033, "definition": { "title": "CreateVolume", "title_size": "16", 
@@ -15624,7 +15624,7 @@ } }, { - "id": 971292023, + "id": 3528920720, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -15643,7 +15643,7 @@ } }, { - "id": 3275287462, + "id": 2739775356, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -15685,7 +15685,7 @@ } }, { - "id": 1859434729, + "id": 4139195508, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -15704,7 +15704,7 @@ } }, { - "id": 4163430168, + "id": 3350050144, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -15746,7 +15746,7 @@ } }, { - "id": 4220238376, + "id": 4104779645, "definition": { "type": "note", "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15765,7 +15765,7 @@ } }, { - "id": 2229266519, + "id": 3315634281, "definition": { "title": "SendSSHPublicKey", "title_size": "16", @@ -15807,7 +15807,7 @@ } }, { - "id": 355912386, + "id": 3493138620, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -15826,7 +15826,7 @@ } }, { - "id": 2659907825, + "id": 2703993256, "definition": { "title": "CreateSnapshot", "title_size": "16", 
@@ -15868,7 +15868,7 @@ } }, { - "id": 2354553247, + "id": 1006139800, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -15887,7 +15887,7 @@ } }, { - "id": 363581390, + "id": 216994436, "definition": { "title": "RunInstances", "title_size": "16", @@ -15929,7 +15929,7 @@ } }, { - "id": 1264851528, + "id": 3668202081, "definition": { "type": "note", "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15948,7 +15948,7 @@ } }, { - "id": 1421363319, + "id": 632234182, "definition": { "title": "AttachVolume", "title_size": "16", @@ -15990,7 +15990,7 @@ } }, { - "id": 73622994, + "id": 2132612313, "definition": { "type": "note", "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", 
@@ -16009,7 +16009,7 @@ } }, { - "id": 230134785, + "id": 3490950597, "definition": { "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", @@ -16051,7 +16051,7 @@ } }, { - "id": 3769617803, + "id": 52341414, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -16070,7 +16070,7 @@ } }, { - "id": 1778645946, + "id": 3558163346, "definition": { "title": "SendCommand", "title_size": "16", @@ -16112,7 +16112,7 @@ } }, { - "id": 2309436803, + "id": 825869467, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -16131,7 +16131,7 @@ } }, { - "id": 318464946, + "id": 36724103, "definition": { "title": "StartSession", "title_size": "16", 
@@ -16182,7 +16182,7 @@ } }, { - "id": 4216480751, + "id": 2049461719, "definition": { "type": "group", "layout_type": "ordered", @@ -16191,7 +16191,7 @@ "show_title": true, "widgets": [ { - "id": 3019434578, + "id": 551053471, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16210,7 +16210,7 @@ } }, { - "id": 3175946369, + "id": 4056875403, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", 
@@ -16252,10 +16252,10 @@
 }
 },
 {
- "id": 1611621266,
+ "id": 432086592,
 "definition": {
 "type": "note",
- "content": "### [UpdateDistribution2020_05_31](https://traildiscover.cloud/#CloudFront-UpdateDistribution2020_05_31)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
+ "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -16271,9 +16271,9 @@
 }
 },
 {
- "id": 3915616705,
+ "id": 1790424876,
 "definition": {
- "title": "UpdateDistribution2020_05_31",
+ "title": "UpdateDistribution",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -16291,7 +16291,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateDistribution2020_05_31 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:UpdateDistribution $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
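Review bot: The exact-match filter `@evt.name:UpdateDistribution` in the `@@ -16291` hunk will silently count zero events if CloudTrail still records the CloudFront call with the API-version suffix this commit removes (`UpdateDistribution2020_05_31`), and a query_value widget gives no signal that its query stopped matching rather than that there was no activity. The Lambda widgets elsewhere in this file keep their versioned names (`UpdateFunctionCode20150331v2`, `CreateFunction20150331`), so the CloudFront spelling should be confirmed against a real CloudTrail record before the old value is dropped. The same applies to `PublishFunction` (`@@ -16352`) and `CreateFunction` (`@@ -16413`) in the next two hunks. If both spellings occur in the retained logs, `@evt.name:(UpdateDistribution OR UpdateDistribution2020_05_31)` keeps the widget from going dark across the transition.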
@@ -16313,10 +16313,10 @@
 }
 },
 {
- "id": 2529331237,
+ "id": 2550889298,
 "definition": {
 "type": "note",
- "content": "### [PublishFunction2020_05_31](https://traildiscover.cloud/#CloudFront-PublishFunction2020_05_31)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
+ "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -16332,9 +16332,9 @@
 }
 },
 {
- "id": 2685843028,
+ "id": 1761743934,
 "definition": {
- "title": "PublishFunction2020_05_31",
+ "title": "PublishFunction",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -16352,7 +16352,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:PublishFunction2020_05_31 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:PublishFunction $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -16374,10 +16374,10 @@
 }
 },
 {
- "id": 1393988109,
+ "id": 4187076574,
 "definition": {
 "type": "note",
- "content": "### [CreateFunction2020_05_31](https://traildiscover.cloud/#CloudFront-CreateFunction2020_05_31)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
+ "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -16393,9 +16393,9 @@
 }
 },
 {
- "id": 1550499900,
+ "id": 1250447562,
 "definition": {
- "title": "CreateFunction2020_05_31",
+ "title": "CreateFunction",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -16413,7 +16413,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:CreateFunction2020_05_31 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateFunction $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -16435,7 +16435,7 @@
 }
 },
 {
- "id": 3562503295,
+ "id": 219006427,
 "definition": {
 "type": "note",
 "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n",
@@ -16454,7 +16454,7 @@ } }, { - "id": 1571531438, + "id": 3724828359, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", @@ -16496,7 +16496,7 @@ } }, { - "id": 3380143120, + "id": 2665439260, "definition": { "type": "note", "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16515,7 +16515,7 @@ } }, { - "id": 1389171263, + "id": 1876293896, "definition": { "title": "CreateTrafficMirrorTarget", "title_size": "16", @@ -16557,7 +16557,7 @@ } }, { - "id": 2685263757, + "id": 2209974912, "definition": { "type": "note", "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16576,7 +16576,7 @@ } }, { - "id": 694291900, + "id": 1420829548, "definition": { "title": "CreateTrafficMirrorSession", "title_size": "16", @@ -16618,7 +16618,7 @@ } }, { - "id": 3376416485, + "id": 106445354, "definition": { "type": "note", "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -16637,7 +16637,7 @@ } }, { - "id": 1385444628, + "id": 3612267286, "definition": { "title": "CreateRoute", "title_size": "16", 
@@ -16679,7 +16679,7 @@ } }, { - "id": 2830430297, + "id": 2265312450, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16698,7 +16698,7 @@ } }, { - "id": 839458440, + "id": 1476167086, "definition": { "title": "CreateTrafficMirrorFilter", "title_size": "16", @@ -16740,7 +16740,7 @@ } }, { - "id": 2971673877, + "id": 2770152174, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16759,7 +16759,7 @@ } }, { - "id": 980702020, + "id": 1981006810, "definition": { "title": "CreateTrafficMirrorFilterRule", "title_size": "16", @@ -16810,7 +16810,7 @@ } }, { - "id": 4123325146, + "id": 3589583567, "definition": { "type": "group", "layout_type": "ordered", @@ -16819,7 +16819,7 @@ "show_title": true, "widgets": [ { - "id": 3265880710, + "id": 2992292336, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -16838,7 +16838,7 @@ } }, { - "id": 3422392501, + "id": 55663324, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -16880,7 +16880,7 @@ } }, { - "id": 1145494090, + "id": 810333865, "definition": { "type": "note", "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -16899,7 +16899,7 @@ } }, { - "id": 1302005881, + "id": 2168672149, "definition": { "title": "CreateServer", "title_size": "16", @@ -16941,7 +16941,7 @@ } }, { - "id": 4139434921, + "id": 3387156743, "definition": { "type": "note", "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -16960,7 +16960,7 @@ } }, { - "id": 2049124177, + "id": 2598011379, "definition": { "title": "PutBucketPolicy", "title_size": "16", @@ -17002,7 +17002,7 @@ } }, { - "id": 2404936096, + "id": 2858991398, "definition": { "type": "note", "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", @@ -17021,7 +17021,7 @@ } }, { - "id": 2561447887, + "id": 4117990795, "definition": { "title": "PutBucketAcl", "title_size": "16", 
@@ -17063,7 +17063,7 @@ } }, { - "id": 2817125668, + "id": 3370746107, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17082,7 +17082,7 @@ } }, { - "id": 826153811, + "id": 2581600743, "definition": { "title": "PutBucketVersioning", "title_size": "16", @@ -17124,7 +17124,7 @@ } }, { - "id": 782771102, + "id": 499432120, "definition": { "type": "note", "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17143,7 +17143,7 @@ } }, { - "id": 3086766541, + "id": 4005254052, "definition": { "title": "PutBucketReplication", "title_size": "16", 
@@ -17185,7 +17185,7 @@ } }, { - "id": 3059501410, + "id": 2192063821, "definition": { "type": "note", "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming 
Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", @@ -17204,7 +17204,7 @@ } }, { - "id": 1068529553, + "id": 1402918457, "definition": { "title": "GetObject", "title_size": "16", @@ -17246,7 +17246,7 @@ } }, { - "id": 3978332661, + "id": 2281047047, "definition": { "type": "note", "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17265,7 +17265,7 @@ } }, { - "id": 4134844452, + "id": 1491901683, "definition": { "title": "JobCreated", "title_size": "16", @@ -17307,7 +17307,7 @@ } }, { - "id": 1440628083, + "id": 651749355, "definition": { "type": "note", "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", @@ -17326,7 +17326,7 @@ } }, { - "id": 3744623522, + "id": 4157571287, "definition": { "title": "ModifySnapshotAttribute", "title_size": "16", 
@@ -17368,7 +17368,7 @@ } }, { - "id": 3370973544, + "id": 1067608718, "definition": { "type": "note", "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17387,7 +17387,7 @@ } }, { - "id": 3527485335, + "id": 278463354, "definition": { "title": "SharedSnapshotCopyInitiated", "title_size": "16", @@ -17429,7 +17429,7 @@ } }, { - "id": 3352994923, + "id": 3897456966, "definition": { "type": "note", "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17448,7 +17448,7 @@ } }, { - "id": 3509506714, + "id": 3108311602, "definition": { "title": "SharedSnapshotVolumeCreated", "title_size": "16", 
@@ -17490,7 +17490,7 @@ } }, { - "id": 3018500451, + "id": 181394929, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -17509,7 +17509,7 @@ } }, { - "id": 3175012242, + "id": 3687216861, "definition": { "title": "CreateSnapshot", "title_size": "16", @@ -17551,7 +17551,7 @@ } }, { - "id": 1045455042, + "id": 3988065562, "definition": { "type": "note", "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -17570,7 +17570,7 @@ } }, { - "id": 1201966833, + "id": 3198920198, "definition": { "title": "CreateImage", "title_size": "16", 
@@ -17612,7 +17612,7 @@ } }, { - "id": 1794465891, + "id": 2697773554, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", @@ -17631,7 +17631,7 @@ } }, { - "id": 1950977682, + "id": 1908628190, "definition": { "title": "AuthorizeSecurityGroupEgress", "title_size": "16", @@ -17673,7 +17673,7 @@ } }, { - "id": 2222450971, + "id": 4256705975, "definition": { "type": "note", "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", @@ -17692,7 +17692,7 @@ } }, { - "id": 231479114, + "id": 3467560611, "definition": { "title": "ModifyImageAttribute", "title_size": "16", 
@@ -17734,7 +17734,7 @@ } }, { - "id": 1547855875, + "id": 1566492164, "definition": { "type": "note", "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17753,7 +17753,7 @@ } }, { - "id": 1704367666, + "id": 777346800, "definition": { "title": "ModifyDBSnapshotAttribute", "title_size": "16", @@ -17795,7 +17795,7 @@ } }, { - "id": 2148315031, + "id": 4071599388, "definition": { "type": "note", "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", @@ -17814,7 +17814,7 @@ } }, { - "id": 58004287, + "id": 3282454024, "definition": { "title": "StartExportTask", "title_size": "16", 
@@ -17856,7 +17856,7 @@ } }, { - "id": 2956054086, + "id": 4158685508, "definition": { "type": "note", "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17875,7 +17875,7 @@ } }, { - "id": 965082229, + "id": 3369540144, "definition": { "title": "CreateDBSecurityGroup", "title_size": "16", @@ -17917,7 +17917,7 @@ } }, { - "id": 757286936, + "id": 650455496, "definition": { "type": "note", "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", @@ -17936,7 +17936,7 @@ } }, { - "id": 913798727, + "id": 4156277428, "definition": { "title": "CreateDBSnapshot", "title_size": "16", @@ -17987,7 +17987,7 @@ } }, { - "id": 4232940182, + "id": 702318055, "definition": { "type": "group", "layout_type": "ordered", 
@@ -17996,7 +17996,7 @@ "show_title": true, "widgets": [ { - "id": 2499426009, + "id": 1426833775, "definition": { "type": "note", "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18015,7 +18015,7 @@ } }, { - "id": 2655937800, + "id": 637688411, "definition": { "title": "ChangeResourceRecordSets", "title_size": "16", @@ -18057,7 +18057,7 @@ } }, { - "id": 1396026359, + "id": 1674912899, "definition": { "type": "note", "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18076,7 +18076,7 @@ } }, { - "id": 1552538150, + "id": 885767535, "definition": { "title": "RegisterDomain", "title_size": "16", 
@@ -18118,7 +18118,7 @@ } }, { - "id": 3941826586, + "id": 3740533868, "definition": { "type": "note", "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18137,7 +18137,7 @@ } }, { - "id": 4098338377, + "id": 2951388504, "definition": { "title": "CreateHostedZone", "title_size": "16", @@ -18179,7 +18179,7 @@ } }, { - "id": 1142458942, + "id": 4221597640, "definition": { "type": "note", "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18198,7 +18198,7 @@ } }, { - "id": 3446454381, + "id": 3432452276, "definition": { "title": "Publish", "title_size": "16", 
@@ -18240,7 +18240,7 @@ } }, { - "id": 1829058908, + "id": 3612034888, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18259,7 +18259,7 @@ } }, { - "id": 4133054347, + "id": 2822889524, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -18301,7 +18301,7 @@ } }, { - "id": 3320748800, + "id": 2546963207, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -18320,7 +18320,7 @@ } }, { - "id": 3477260591, + "id": 1757817843, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -18362,7 +18362,7 @@ } }, { - "id": 1743992901, + "id": 2210736253, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18381,7 +18381,7 @@ } }, { - "id": 1900504692, + "id": 1421590889, "definition": { "title": "Invoke", "title_size": "16", 
@@ -18423,7 +18423,7 @@ } }, { - "id": 234113658, + "id": 547638816, "definition": { "type": "note", "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18442,7 +18442,7 @@ } }, { - "id": 2438770210, + "id": 4053460748, "definition": { "title": "DeleteFileSystem", "title_size": "16", @@ -18484,7 +18484,7 @@ } }, { - "id": 1525767445, + "id": 2613426910, "definition": { "type": "note", "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18503,7 +18503,7 @@ } }, { - "id": 3829762884, + "id": 3971765194, "definition": { "title": "DeleteMountTarget", "title_size": "16", @@ -18545,7 +18545,7 @@ } }, { - "id": 1937821936, + "id": 176741791, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -18564,7 +18564,7 @@ } }, { - "id": 4241817375, + "id": 3682563723, "definition": { "title": "DeleteRule", "title_size": "16", 
@@ -18606,7 +18606,7 @@ } }, { - "id": 3909718710, + "id": 1268114268, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -18625,7 +18625,7 @@ } }, { - "id": 4066230501, + "id": 478968904, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -18667,7 +18667,7 @@ } }, { - "id": 2902677726, + "id": 2845793111, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -18686,7 +18686,7 @@ } }, { - "id": 3059189517, + "id": 2056647747, "definition": { "title": "DisableRule", "title_size": "16", @@ -18728,7 +18728,7 @@ } }, { - "id": 504471035, + "id": 32885382, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -18747,7 +18747,7 @@ } }, { - "id": 660982826, + "id": 3538707314, "definition": { "title": "PutRule", "title_size": "16", 
@@ -18789,7 +18789,7 @@ } }, { - "id": 1455483495, + "id": 2885275726, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18808,7 +18808,7 @@ } }, { - "id": 3759478934, + "id": 1996791475, "definition": { "title": "CreateInstances", "title_size": "16", @@ -18850,7 +18850,7 @@ } }, { - "id": 2275752166, + "id": 272557722, "definition": { "type": "note", "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18869,7 +18869,7 @@ } }, { - "id": 284780309, + "id": 3778379654, "definition": { "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", @@ -18911,7 +18911,7 @@ } }, { - "id": 1025597508, + "id": 2480169040, "definition": { "type": "note", "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -18930,7 +18930,7 @@ } }, { - "id": 1182109299, + "id": 1691023676, "definition": { "title": "ScheduleKeyDeletion", "title_size": "16", 
@@ -18972,7 +18972,7 @@ } }, { - "id": 2493644938, + "id": 2216956109, "definition": { "type": "note", "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18991,7 +18991,7 @@ } }, { - "id": 2650156729, + "id": 3475955506, "definition": { "title": "Encrypt", "title_size": "16", @@ -19033,7 +19033,7 @@ } }, { - "id": 3061005799, + "id": 3513646818, "definition": { "type": "note", "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", @@ -19052,7 +19052,7 @@ } }, { - "id": 3217517590, + "id": 2724501454, "definition": { "title": "PutObject", "title_size": "16", @@ -19094,7 +19094,7 @@ } }, { - "id": 2579000511, + "id": 3164819326, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -19113,7 +19113,7 @@ } }, { - "id": 588028654, + "id": 2375673962, "definition": { "title": "PutBucketVersioning", "title_size": "16", 
@@ -19155,7 +19155,7 @@ } }, { - "id": 496262321, + "id": 538347346, "definition": { "type": "note", "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n", @@ -19174,7 +19174,7 @@ } }, { - "id": 2800257760, + "id": 1797346743, "definition": { "title": "PutBucketLifecycle", "title_size": "16", @@ -19216,7 +19216,7 @@ } }, { - "id": 638916446, + "id": 3184221952, "definition": { "type": "note", "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19235,7 +19235,7 @@ } }, { - "id": 2942911885, + "id": 2395076588, "definition": { "title": "DeleteObject", "title_size": "16", 
@@ -19277,7 +19277,7 @@ } }, { - "id": 3376316371, + "id": 666360716, "definition": { "type": "note", "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19296,7 +19296,7 @@ } }, { - "id": 3532828162, + "id": 4172182648, "definition": { "title": "InvokeModel", "title_size": "16", @@ -19338,7 +19338,7 @@ } }, { - "id": 1139059389, + "id": 2993717907, "definition": { "type": "note", "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19357,7 +19357,7 @@ } }, { - "id": 3443054828, + "id": 2204572543, "definition": { "title": "PutFoundationModelEntitlement", "title_size": "16", @@ -19399,7 +19399,7 @@ } }, { - "id": 1175891001, + "id": 2440466586, "definition": { "type": "note", "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", 
@@ -19418,7 +19418,7 @@ } }, { - "id": 3479886440, + "id": 1651321222, "definition": { "title": "InvokeModelWithResponseStream", "title_size": "16", @@ -19460,7 +19460,7 @@ } }, { - "id": 2357763015, + "id": 4028720238, "definition": { "type": "note", "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19479,7 +19479,7 @@ } }, { - "id": 366791158, + "id": 3239574874, "definition": { "title": "PutUseCaseForModelAccess", "title_size": "16", @@ -19521,7 +19521,7 @@ } }, { - "id": 1138651912, + "id": 1723185915, "definition": { "type": "note", "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19540,7 +19540,7 @@ } }, { - "id": 3442647351, + "id": 934040551, "definition": { "title": "CreateFoundationModelAgreement", "title_size": "16", @@ -19582,7 +19582,7 @@ } }, { - "id": 3047043158, + "id": 3548908360, "definition": { "type": "note", "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19601,7 +19601,7 @@ } }, { - "id": 3203554949, + "id": 2759762996, "definition": { "title": "DeleteVolume", "title_size": "16", 
@@ -19643,7 +19643,7 @@ } }, { - "id": 140315444, + "id": 2628062568, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", @@ -19662,7 +19662,7 @@ } }, { - "id": 2444310883, + "id": 1838917204, "definition": { "title": "StartInstances", "title_size": "16", @@ -19704,7 +19704,7 @@ } }, { - "id": 2280160711, + "id": 432129895, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -19723,7 +19723,7 @@ } }, { - "id": 2436672502, + "id": 3937951827, "definition": { "title": "CreateDefaultVpc", "title_size": "16", 
@@ -19765,7 +19765,7 @@ } }, { - "id": 10627454, + "id": 4174497235, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19784,7 +19784,7 @@ } }, { - "id": 2314622893, + "id": 1138529336, "definition": { "title": "TerminateInstances", "title_size": "16", @@ -19826,7 +19826,7 @@ } }, { - "id": 3021258245, + "id": 803127910, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", @@ -19845,7 +19845,7 @@ } }, { - "id": 3177770036, + "id": 13982546, "definition": { "title": "StopInstances", "title_size": "16", 
@@ -19887,7 +19887,7 @@ } }, { - "id": 3526159487, + "id": 3659322062, "definition": { "type": "note", "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19906,7 +19906,7 @@ } }, { - "id": 1535187630, + "id": 623354163, "definition": { "title": "DeleteSnapshot", "title_size": "16", 
@@ -19948,7 +19948,7 @@ } }, { - "id": 4025416179, + "id": 3541035224, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -19967,7 +19967,7 @@ } }, { - "id": 2034444322, + "id": 2751889860, "definition": { "title": "RunInstances", "title_size": "16", @@ -20009,7 +20009,7 @@ } }, { - "id": 813531710, + "id": 3880221718, "definition": { "type": "note", "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", @@ -20028,7 +20028,7 @@ } }, { - "id": 3117527149, + "id": 3091076354, "definition": { "title": "DeleteGlobalCluster", "title_size": "16", @@ -20070,7 +20070,7 @@ } }, { - "id": 3514543361, + "id": 3961603411, "definition": { "type": "note", "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", 
@@ -20089,7 +20089,7 @@ } }, { - "id": 1523571504, + "id": 925635512, "definition": { "title": "DeleteDBCluster", "title_size": "16", @@ -20131,7 +20131,7 @@ } }, { - "id": 3839074085, + "id": 1992998435, "definition": { "type": "note", "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -20150,7 +20150,7 @@ } }, { - "id": 1848102228, + "id": 1203853071, "definition": { "title": "CreateEmailIdentity", "title_size": "16", @@ -20192,7 +20192,7 @@ } }, { - "id": 3309901105, + "id": 1664948684, "definition": { "type": "note", "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -20211,7 +20211,7 @@ } }, { - "id": 3466412896, + "id": 875803320, "definition": { "title": "UpdateAccountSendingEnabled", "title_size": "16", 
@@ -20253,7 +20253,7 @@ } }, { - "id": 1448453854, + "id": 1924373205, "definition": { "type": "note", "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -20272,7 +20272,7 @@ } }, { - "id": 1604965645, + "id": 3183372602, "definition": { "title": "VerifyEmailIdentity", "title_size": "16", @@ -20314,7 +20314,7 @@ } }, { - "id": 4241698070, + "id": 219662861, "definition": { "type": "note", "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20333,7 +20333,7 @@ } }, { - "id": 2250726213, + "id": 3725484793, "definition": { "title": "RegisterTaskDefinition", "title_size": "16", @@ -20375,7 +20375,7 @@ } }, { - "id": 1422708379, + "id": 3003796423, "definition": { "type": "note", "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20394,7 +20394,7 @@ } }, { - "id": 1579220170, + "id": 2214651059, "definition": { "title": "CreateService", "title_size": "16", 
@@ -20436,7 +20436,7 @@ } }, { - "id": 2985747495, + "id": 217914126, "definition": { "type": "note", "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20455,7 +20455,7 @@ } }, { - "id": 3142259286, + "id": 3624397171, "definition": { "title": "CreateCluster", "title_size": "16", @@ -20497,7 +20497,7 @@ } }, { - "id": 830249732, + "id": 2491459597, "definition": { "type": "note", "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", @@ -20516,7 +20516,7 @@ } }, { - "id": 3134245171, + "id": 1702314233, "definition": { "title": "RequestServiceQuotaIncrease", "title_size": "16", diff --git a/docs/events.csv b/docs/events.csv index dfa8239..87a1c0f 100644 --- a/docs/events.csv +++ b/docs/events.csv 
@@ -45,9 +45,9 @@ UpdateFunctionCode20150331v2,lambda.amazonaws.com,Lambda,"Updates a Lambda funct Invoke,lambda.amazonaws.com,Lambda,Invokes a Lambda function.,"TA0040 - Impact, TA0004 - Privilege Escalation",T1496 - Resource Hijacking,True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use Invoke to execute previously modified functions in AWS Lambda.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction UpdateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,"Updates an event source mapping. 
You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]","Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping GetQueryResults,athena.amazonaws.com,Athena,Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/athena#athena-GetQueryResults -UpdateDistribution2020_05_31,cloudfront.amazonaws.com,CloudFront,Updates the configuration for a CloudFront distribution.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.,[],"[{""type"": ""commandLine"", 
""value"": ""aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\""CallerReference\"":\""\"", \""Origins\"":{\""Quantity\"":1,\""Items\"":[{\""Id\"":\""\"", \""DomainName\"":\""\""}]}, \""DefaultCacheBehavior\"":{\""TargetOriginId\"":\""\"", \""ViewerProtocolPolicy\"":\""\""}, \""Comment\"":\""\"", \""Enabled\"":false }'""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution -PublishFunction2020_05_31,cloudfront.amazonaws.com,CloudFront,Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction -CreateFunction2020_05_31,cloudfront.amazonaws.com,CloudFront,Creates a CloudFront function.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction 
+UpdateDistribution,cloudfront.amazonaws.com,CloudFront,Updates the configuration for a CloudFront distribution.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\""CallerReference\"":\""\"", \""Origins\"":{\""Quantity\"":1,\""Items\"":[{\""Id\"":\""\"", \""DomainName\"":\""\""}]}, \""DefaultCacheBehavior\"":{\""TargetOriginId\"":\""\"", \""ViewerProtocolPolicy\"":\""\""}, \""Comment\"":\""\"", \""Enabled\"":false }'""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution +PublishFunction,cloudfront.amazonaws.com,CloudFront,Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction +CreateFunction,cloudfront.amazonaws.com,CloudFront,Creates a CloudFront function.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It 
\u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction DeleteFileSystem,elasticfilesystem.amazonaws.com,elasticfilesystem,"Deletes a file system, permanently severing access to its contents.",TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-file-system --file-system-id fs-c7a0456e""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem DeleteMountTarget,elasticfilesystem.amazonaws.com,elasticfilesystem,Deletes the specified mount target.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.","[{""type"": ""sigma"", ""value"": 
""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-mount-target --mount-target-id fsmt-f9a14450""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget DeleteRule,events.amazonaws.com,events,Deletes the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",False,[],"[{""description"": ""AWS EventBridge Rule Disabled or Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html""}, {""description"": ""AWS EventBridge rule disabled or deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/""}]","Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.",[],"[{""type"": ""commandLine"", ""value"": ""aws events delete-rule --name TrailDiscoverRule""}]",https://aws.permissions.cloud/iam/events#events-DeleteRule diff --git a/docs/events.json b/docs/events.json index c57f215..8dd3b7c 100644 --- a/docs/events.json +++ b/docs/events.json @@ -1560,7 +1560,7 @@ "permissions": "https://aws.permissions.cloud/iam/athena#athena-GetQueryResults" }, { - "eventName": "UpdateDistribution2020_05_31", + "eventName": "UpdateDistribution", "eventSource": "cloudfront.amazonaws.com", "awsService": "CloudFront", "description": "Updates the configuration for a CloudFront distribution.", 
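Review bot: The three replaced rows drop the `2020_05_31` API-version suffix from the CloudFront eventName values (`UpdateDistribution`, `PublishFunction`, `CreateFunction`), while the Lambda row kept as context at the top of this hunk still carries its versioned CloudTrail name `UpdateFunctionCode20150331v2`, so the file now mixes two conventions for the same column. If CloudTrail actually records CloudFront calls under the versioned form, any consumer that matches the eventName column verbatim (dashboard queries, Sigma or Datadog rules generated from this table) will silently stop firing for exactly the distribution/function-tampering path the linked research describes. Before merging, confirm against a live CloudTrail sample which spelling is emitted, and if both forms can occur keep both rows or match on a prefix such as `UpdateDistribution*` so the detection does not regress. Recording the verified CloudTrail spelling in the row's description (e.g. `Logged by CloudTrail as UpdateDistribution; earlier records may use the versioned suffix`) would stop the next maintainer from reversing this change.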
@@ -1589,7 +1589,7 @@
 "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution"
 },
 {
- "eventName": "PublishFunction2020_05_31",
+ "eventName": "PublishFunction",
 "eventSource": "cloudfront.amazonaws.com",
 "awsService": "CloudFront",
 "description": "Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.",
@@ -1618,7 +1618,7 @@
 "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction"
 },
 {
- "eventName": "CreateFunction2020_05_31",
+ "eventName": "CreateFunction",
 "eventSource": "cloudfront.amazonaws.com",
 "awsService": "CloudFront",
 "description": "Creates a CloudFront function.",
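Review bot: With the version suffix removed, `"eventName": "CreateFunction"` in the last hunk is no longer unique to CloudFront — other services expose a same-named API (Lambda, for example), so a consumer that filters on eventName alone can now conflate CloudFront function creation with an unrelated service's activity. Each record still carries `"eventSource": "cloudfront.amazonaws.com"`, so anything derived from this file should pair eventName with eventSource rather than rely on the bare name; a short note to that effect in the project README or the generator would make the contract explicit. It is also worth re-checking that the unversioned spelling is what CloudTrail emits for CloudFront, since the Lambda rows in events.csv keep their versioned names.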