diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
index a33baab..5805fed 100644
--- a/docs/datadog_dashboard.json
+++ b/docs/datadog_dashboard.json
@@ -51,35 +51,35 @@
 {
 "formulas": [
 {
- "alias": "TA0040 - Impact",
+ "alias": "TA0007 - Discovery",
 "formula": "query1"
 },
 {
- "alias": "TA0007 - Discovery",
+ "alias": "TA0005 - Defense Evasion",
 "formula": "query2"
 },
 {
- "alias": "TA0005 - Defense Evasion",
+ "alias": "TA0003 - Persistence",
 "formula": "query3"
 },
 {
- "alias": "TA0001 - Initial Access",
+ "alias": "TA0040 - Impact",
 "formula": "query4"
 },
 {
- "alias": "TA0008 - Lateral Movement",
+ "alias": "TA0009 - Collection",
 "formula": "query5"
 },
 {
- "alias": "TA0003 - Persistence",
+ "alias": "TA0004 - Privilege Escalation",
 "formula": "query6"
 },
 {
- "alias": "TA0004 - Privilege Escalation",
+ "alias": "TA0008 - Lateral Movement",
 "formula": "query7"
 },
 {
- "alias": "TA0009 - Collection",
+ "alias": "TA0010 - Exfiltration",
 "formula": "query8"
 },
 {
@@ -87,7 +87,7 @@
 "formula": "query9"
 },
 {
- "alias": "TA0010 - Exfiltration",
+ "alias": "TA0001 - Initial Access",
 "formula": "query10"
 },
 {
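Review bot: The tactic aliases in the -51 and -87 hunks are bound to query1…query10 purely by position, and this change re-assigns every alias while the query bodies are rewritten in the -106 to -241 hunks below, so a reviewer has to cross-check each event list against its new alias to confirm the pairing (they do line up here: query1 is now the Discovery list, query4 the Impact list, query10 the Initial Access list). The widget ids at -361, -370, -389, -431, -450, -492, -511, -553, -572 and -614 are also regenerated even though the widgets themselves are unchanged and only swap places, which suggests the file is produced by a generator iterating an unordered collection. If so, sorting tactics by their TA identifier and deriving widget ids deterministically (for example from the event name they display) would keep the alias/query pairing stable and make future diffs show only real query changes.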
@@ -106,7 +106,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR CreateStack OR Publish OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR Invoke OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR GenerateDataKeyWithoutPlaintext OR ScheduleKeyDeletion OR Encrypt OR PutObject OR PutBucketVersioning OR PutBucketLifecycle OR DeleteBucket OR DeleteObject OR InvokeModel OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR CreateFoundationModelAgreement OR DeleteVolume OR StartInstances OR CreateDefaultVpc OR TerminateInstances OR StopInstances OR DeleteSnapshot OR RunInstances OR DeleteGlobalCluster OR DeleteDBCluster OR DeleteDBInstance OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR RegisterTaskDefinition OR CreateService OR CreateCluster OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(GetCertificate OR IssueCertificate OR GetIntrospectionSchema OR GetQueryResults OR GetFoundationModelAvailability OR GetModelInvocationLoggingConfiguration OR GetUseCaseForModelAccess OR InvokeModel OR ListFoundationModelAgreementOffers OR ListFoundationModels OR ListProvisionedModelThroughputs OR LookupEvents OR DescribeLogGroups OR DescribeLogStreams OR DescribeSubscriptionFilters OR GetLogRecord OR GetCostAndUsage OR DescribeAccountAttributes OR DescribeAvailabilityZones OR DescribeBundleTasks OR DescribeCarrierGateways OR DescribeClientVpnRoutes OR DescribeDhcpOptions OR DescribeFlowLogs OR DescribeImages OR DescribeInstanceAttribute OR DescribeInstances OR DescribeInstanceTypes OR DescribeKeyPairs OR DescribeRegions OR GetLaunchTemplateData OR DescribeSecurityGroups OR DescribeSnapshotAttribute OR DescribeSnapshotTierStatus OR 
DescribeTransitGatewayMulticastDomains OR DescribeVolumes OR DescribeVolumesModifications OR DescribeVpcEndpointConnectionNotifications OR DescribeVpcs OR GetConsoleScreenshot OR GetEbsDefaultKmsKeyId OR GetEbsEncryptionByDefault OR GetFlowLogsIntegrationTemplate OR GetLaunchTemplateData OR GetTransitGatewayRouteTableAssociations OR DescribeAccessEntry OR DescribeCluster OR ListAssociatedAccessPolicies OR ListClusters OR DescribeListeners OR DescribeLoadBalancers OR ListRules OR ListTargetsByRule OR GetDetector OR GetFindings OR ListDetectors OR ListFindings OR ListIPSets OR GetAccountAuthorizationDetails OR GetLoginProfile OR GetUser OR ListAccessKeys OR ListAttachedRolePolicies OR ListGroups OR ListGroupsForUser OR ListInstanceProfiles OR ListOpenIDConnectProviders OR ListRolePolicies OR ListRoles OR ListSAMLProviders OR ListServiceSpecificCredentials OR ListSigningCertificates OR ListSSHPublicKeys OR ListUsers OR SimulatePrincipalPolicy OR GetInstances OR GetRegions OR DescribeOrganization OR ListAccounts OR ListOrganizationalUnitsForParent OR Search OR GetHostedZoneCount OR ListDomains OR GetBucketAcl OR GetBucketLogging OR GetBucketPolicy OR GetPublicAccessBlock OR GetBucketReplication OR GetBucketTagging OR GetBucketVersioning OR HeadObject OR ListBuckets OR ListObjects OR ListVaults OR GetCallerIdentity OR ListServiceQuotas OR GetAccount OR GetAccountSendingEnabled OR GetIdentityVerificationAttributes OR GetSendQuota OR ListIdentities OR GetSMSAttributes OR GetSMSSandboxAccountStatus OR ListOriginationNumbers OR ListSubscriptions OR ListTopics OR DescribeInstanceInformation OR GetParameters) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
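Review bot: The new Discovery query on the `+` line of the -106 hunk lists `GetLaunchTemplateData` twice, and several names it matches on appear to be shared by more than one AWS service (`Search`, `GetAccount`, `ListRules`, `DescribeCluster`), because `@evt.name` is only CloudTrail's eventName; without a constraint on the event source, the per-tactic counts will include unrelated API calls and the tactic attribution shown by the alias is inflated. The same duplication is present in the Defense Evasion query at -121 (`PutLogEvents`, `DeleteMembers`, `UpdateIPSet`) and in the combined query at -309 (`PutLogEvents`, `GetLaunchTemplateData`, `CreateUser`), and `CreateUser` is counted both under Persistence at -136 and under Exfiltration at -211, where it presumably stands for different services. Deduplicating each list before joining it with ` OR ` is cheap; for the ambiguous names, pairing each eventName with the attribute the Datadog pipeline keeps for CloudTrail's eventSource would be the proper fix, most likely in the generator that emits this file rather than in the JSON itself.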
@@ -121,7 +121,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(ListDomains OR GetHostedZoneCount OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR GetCallerIdentity OR ListTopics OR ListSubscriptions OR ListOriginationNumbers OR GetSMSAttributes OR GetSMSSandboxAccountStatus OR IssueCertificate OR GetCertificate OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR GetQueryResults OR ListTargetsByRule OR ListRules OR GetInstances OR GetRegions OR GetCostAndUsage OR ListGroupsForUser OR ListAccessKeys OR SimulatePrincipalPolicy OR GetAccountAuthorizationDetails OR ListGroups OR ListUsers OR ListRoles OR ListSAMLProviders OR GetUser OR ListAttachedRolePolicies OR ListServiceSpecificCredentials OR ListRolePolicies OR ListSigningCertificates OR ListInstanceProfiles OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR GetLoginProfile OR DescribeLoadBalancers OR DescribeListeners OR ListAssociatedAccessPolicies OR ListClusters OR DescribeAccessEntry OR DescribeCluster OR Search OR LookupEvents OR GetIntrospectionSchema OR GetBucketVersioning OR GetBucketLogging OR GetBucketPolicy OR ListBuckets OR GetBucketReplication OR GetBucketAcl OR HeadObject OR ListVaults OR GetPublicAccessBlock OR GetBucketTagging OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR GetConsoleScreenshot OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR DescribeAvailabilityZones OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR DescribeCarrierGateways OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR DescribeInstanceAttribute OR DescribeDhcpOptions OR 
DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DescribeSecurityGroups OR DescribeVpcs OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR GetParameters OR DescribeInstanceInformation OR GetIdentityVerificationAttributes OR GetAccountSendingEnabled OR ListIdentities OR GetSendQuota OR GetAccount OR GetFindings OR ListFindings OR ListDetectors OR GetDetector OR ListIPSets OR ListServiceQuotas) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(CreateApiKey OR UpdateGraphqlApi OR UpdateResolver OR DeleteTrail OR PutEventSelectors OR StopLogging OR UpdateTrail OR PutLogEvents OR CreateLogStream OR DeleteAlarms OR DeleteLogGroup OR DeleteLogStream OR PutLogEvents OR DeleteConfigRule OR DeleteConfigurationRecorder OR DeleteDeliveryChannel OR StopConfigurationRecorder OR DeleteFlowLogs OR DeleteNetworkAcl OR DeleteNetworkAclEntry OR StopInstances OR TerminateInstances OR CreateRule OR DeleteRule OR DisableRule OR PutRule OR RemoveTargets OR CreateFilter OR CreateIPSet OR DeleteDetector OR DeleteInvitations OR DeleteMembers OR DeletePublishingDestination OR DisassociateFromMasterAccount OR DisassociateMembers OR StopMonitoringMembers OR UpdateDetector OR UpdateIPSet OR DeactivateMFADevice OR DeleteAccessKey OR DeleteLoginProfile OR DeleteUser OR DeleteUserPolicy OR DetachRolePolicy OR DetachUserPolicy OR CreateInstances OR CreateAccount OR InviteAccountToOrganization OR LeaveOrganization OR AuthorizeDBSecurityGroupIngress OR ModifyActivityStream OR DeleteBucketPolicy OR DeleteMembers OR DeleteIdentity OR DeleteRuleGroup OR DeleteWebACL OR UpdateIPSet) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -136,7 +136,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(InviteAccountToOrganization OR CreateAccount OR LeaveOrganization OR PutLogEvents OR DeleteAlarms OR DeleteLogGroup OR DeleteLogStream OR PutLogEvents OR CreateLogStream OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR DeleteMembers OR DetachRolePolicy OR DeleteUserPolicy OR DeleteAccessKey OR DeleteUser OR DetachUserPolicy OR DeleteLoginProfile OR DeactivateMFADevice OR CreateRule OR StopLogging OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR DeleteBucketPolicy OR DeleteFlowLogs OR DeleteNetworkAcl OR TerminateInstances OR DeleteNetworkAclEntry OR StopInstances OR AuthorizeDBSecurityGroupIngress OR ModifyActivityStream OR DeleteIdentity OR UpdateIPSet OR DeleteInvitations OR UpdateDetector OR DeleteDetector OR DeletePublishingDestination OR DisassociateMembers OR DisassociateFromMasterAccount OR StopMonitoringMembers OR CreateIPSet OR CreateFilter OR DeleteMembers OR DeleteConfigurationRecorder OR DeleteDeliveryChannel OR StopConfigurationRecorder OR DeleteConfigRule OR DeleteRuleGroup OR UpdateIPSet OR DeleteWebACL) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(CreateApiKey OR UpdateGraphqlApi OR UpdateResolver OR AuthorizeSecurityGroupIngress OR CreateDefaultVpc OR CreateKeyPair OR CreateNetworkAclEntry OR CreateSecurityGroup OR ImportKeyPair OR RunInstances OR StartInstances OR PutRule OR PutTargets OR AttachUserPolicy OR ChangePassword OR CreateAccessKey OR CreateLoginProfile OR CreateOpenIDConnectProvider OR CreateRole OR CreateSAMLProvider OR StartSSO OR CreateUser OR PutUserPolicy OR UpdateAccessKey OR UpdateAssumeRolePolicy OR UpdateLoginProfile OR UpdateSAMLProvider OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR UpdateFunctionConfiguration20150331v2 OR AssumeRole OR GetFederationToken) $userIdentity.arn 
$network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -151,7 +151,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(AssumeRoleWithWebIdentity OR GetSessionToken OR AssumeRole OR AssumeRoleWithSAML OR PasswordRecoveryRequested OR ConsoleLogin OR GetSigninToken) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(CreateFoundationModelAgreement OR InvokeModel OR InvokeModelWithResponseStream OR PutFoundationModelEntitlement OR PutUseCaseForModelAccess OR CreateStack OR CreateDefaultVpc OR DeleteSnapshot OR DeleteVolume OR RunInstances OR StartInstances OR StopInstances OR TerminateInstances OR CreateCluster OR CreateService OR RegisterTaskDefinition OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR DisableRule OR PutRule OR RemoveTargets OR Encrypt OR GenerateDataKeyWithoutPlaintext OR ScheduleKeyDeletion OR CreateFunction20150331 OR Invoke OR UpdateFunctionCode20150331v2 OR CreateInstances OR DeleteDBCluster OR DeleteDBInstance OR DeleteGlobalCluster OR ChangeResourceRecordSets OR CreateHostedZone OR RegisterDomain OR DeleteBucket OR DeleteObject OR PutBucketLifecycle OR PutBucketVersioning OR PutObject OR RequestServiceQuotaIncrease OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR Publish) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -166,7 +166,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(AssumeRoleWithWebIdentity OR SwitchRole OR EnableSerialConsoleAccess OR CreateVolume OR CreateSecurityGroup OR AuthorizeSecurityGroupIngress OR SendSSHPublicKey OR CreateSnapshot OR RunInstances OR AttachVolume OR SendSerialConsoleSSHPublicKey OR SendCommand OR StartSession OR ResumeSession) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(CreateFunction OR PublishFunction OR UpdateDistribution OR CreateInstanceExportTask OR CreateRoute OR CreateTrafficMirrorFilter OR CreateTrafficMirrorFilterRule OR CreateTrafficMirrorSession OR CreateTrafficMirrorTarget OR UpdateFunctionCode20150331v2) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -181,7 +181,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(GetFederationToken OR AssumeRole OR CreateFunction20150331 OR UpdateFunctionConfiguration20150331v2 OR UpdateFunctionCode20150331v2 OR PutTargets OR PutRule OR CreateSAMLProvider OR UpdateLoginProfile OR UpdateAccessKey OR UpdateAssumeRolePolicy OR CreateAccessKey OR UpdateSAMLProvider OR StartSSO OR CreateOpenIDConnectProvider OR AttachUserPolicy OR PutUserPolicy OR ChangePassword OR CreateLoginProfile OR CreateUser OR CreateRole OR UpdateGraphqlApi OR CreateApiKey OR UpdateResolver OR StartInstances OR CreateSecurityGroup OR CreateDefaultVpc OR CreateNetworkAclEntry OR CreateKeyPair OR AuthorizeSecurityGroupIngress OR RunInstances OR ImportKeyPair) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(GetCredentialsForIdentity OR GetId OR ModifyInstanceAttribute OR ReplaceIamInstanceProfileAssociation OR AssociateAccessPolicy OR CreateAccessEntry OR CreateDevEndpoint OR CreateJob OR UpdateDevEndpoint OR UpdateJob OR AddRoleToInstanceProfile OR AddUserToGroup OR AttachGroupPolicy OR AttachRolePolicy OR AttachUserPolicy OR ChangePassword OR CreateAccessKey OR CreateGroup OR CreateLoginProfile OR CreatePolicyVersion OR DeleteRolePermissionsBoundary OR DeleteRolePolicy OR DeleteUserPermissionsBoundary OR DeleteUserPolicy OR DetachRolePolicy OR DetachUserPolicy OR PutGroupPolicy OR PutRolePermissionsBoundary OR PutRolePolicy OR PutUserPermissionsBoundary OR PutUserPolicy OR SetDefaultPolicyVersion OR UpdateAssumeRolePolicy OR UpdateLoginProfile OR UpdateSAMLProvider OR AddPermission20150331v2 OR CreateEventSourceMapping20150331 OR CreateFunction20150331 OR Invoke OR UpdateEventSourceMapping20150331 OR AssumeRole) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -196,7 +196,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(AssumeRole OR GetCredentialsForIdentity OR GetId OR CreateFunction20150331 OR CreateEventSourceMapping20150331 OR AddPermission20150331v2 OR Invoke OR UpdateEventSourceMapping20150331 OR DeleteRolePolicy OR DetachRolePolicy OR UpdateLoginProfile OR AddUserToGroup OR UpdateAssumeRolePolicy OR CreateAccessKey OR CreatePolicyVersion OR DeleteUserPolicy OR UpdateSAMLProvider OR PutRolePermissionsBoundary OR PutUserPermissionsBoundary OR DeleteUserPermissionsBoundary OR AttachRolePolicy OR SetDefaultPolicyVersion OR AttachUserPolicy OR CreateGroup OR PutUserPolicy OR DeleteRolePermissionsBoundary OR PutGroupPolicy OR ChangePassword OR CreateLoginProfile OR DetachUserPolicy OR PutRolePolicy OR AddRoleToInstanceProfile OR AttachGroupPolicy OR AssociateAccessPolicy OR CreateAccessEntry OR ModifyInstanceAttribute OR ReplaceIamInstanceProfileAssociation OR CreateDevEndpoint OR UpdateJob OR CreateJob OR UpdateDevEndpoint) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(AttachVolume OR AuthorizeSecurityGroupIngress OR CreateSecurityGroup OR CreateSnapshot OR CreateVolume OR EnableSerialConsoleAccess OR RunInstances OR SendSerialConsoleSSHPublicKey OR SendSSHPublicKey OR AssumeRoleWithWebIdentity OR SwitchRole OR ResumeSession OR SendCommand OR StartSession) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -211,7 +211,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(UpdateFunctionCode20150331v2 OR UpdateDistribution OR PublishFunction OR CreateFunction OR CreateInstanceExportTask OR CreateTrafficMirrorTarget OR CreateTrafficMirrorSession OR CreateRoute OR CreateTrafficMirrorFilter OR CreateTrafficMirrorFilterRule) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(AuthorizeSecurityGroupEgress OR CreateImage OR CreateSnapshot OR ModifyImageAttribute OR ModifySnapshotAttribute OR SharedSnapshotCopyInitiated OR SharedSnapshotVolumeCreated OR CreateDBSecurityGroup OR CreateDBSnapshot OR ModifyDBSnapshotAttribute OR StartExportTask OR GetObject OR JobCreated OR PutBucketAcl OR PutBucketPolicy OR PutBucketReplication OR PutBucketVersioning OR CreateServer OR CreateUser) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -226,7 +226,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(GetSecretValue OR DescribeSecret OR ListSecrets OR GetPasswordData OR GetParameters) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(GetPasswordData OR DescribeSecret OR GetSecretValue OR ListSecrets OR GetParameters) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -241,7 +241,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(CreateUser OR CreateServer OR PutBucketPolicy OR PutBucketAcl OR PutBucketVersioning OR PutBucketReplication OR GetObject OR JobCreated OR ModifySnapshotAttribute OR SharedSnapshotCopyInitiated OR SharedSnapshotVolumeCreated OR CreateSnapshot OR CreateImage OR AuthorizeSecurityGroupEgress OR ModifyImageAttribute OR ModifyDBSnapshotAttribute OR StartExportTask OR CreateDBSecurityGroup OR CreateDBSnapshot) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(AssumeRole OR AssumeRoleWithSAML OR AssumeRoleWithWebIdentity OR GetSessionToken OR ConsoleLogin OR GetSigninToken OR PasswordRecoveryRequested) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -256,7 +256,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:(SendCommand OR StartSession OR ResumeSession) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(ResumeSession OR SendCommand OR StartSession) $userIdentity.arn $network.client.ip $account"
 },
 "group_by": [],
 "storage": "hot"
@@ -309,7 +309,7 @@
 }
 ],
 "search": {
- "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR InviteAccountToOrganization OR DescribeOrganization OR ListOrganizationalUnitsForParent OR CreateAccount OR ListAccounts OR CreateStack OR GetFederationToken OR GetSessionToken OR AssumeRole OR GetCallerIdentity OR GetSMSAttributes OR Publish OR GetSMSSandboxAccountStatus OR PutLogEvents OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR PutLogEvents OR CreateLogStream OR PasswordRecoveryRequested OR ConsoleLogin OR GetSigninToken OR CreateFunction20150331 OR Invoke OR GetQueryResults OR PutTargets OR PutRule OR CreateInstances OR GetCostAndUsage OR ListGroupsForUser OR CreateSAMLProvider OR ListAccessKeys OR DetachRolePolicy OR UpdateLoginProfile OR SimulatePrincipalPolicy OR ListGroups OR ListUsers OR CreateAccessKey OR DeleteUserPolicy OR ListRoles OR StartSSO OR ListSAMLProviders OR GetUser OR DeleteAccessKey OR DeleteUser OR AttachRolePolicy OR CreateOpenIDConnectProvider OR AttachUserPolicy OR ListAttachedRolePolicies OR PutUserPolicy OR ListServiceSpecificCredentials OR ListRolePolicies OR CreateLoginProfile OR CreateUser OR ListSigningCertificates OR ListInstanceProfiles OR DetachUserPolicy OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR CreateRole OR DeleteLoginProfile OR GetLoginProfile OR GetSecretValue OR DescribeSecret OR ListSecrets OR CreateUser OR CreateServer OR Search OR GenerateDataKeyWithoutPlaintext OR Encrypt OR LookupEvents OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR PutObject OR GetBucketVersioning OR PutBucketVersioning OR GetBucketLogging OR GetBucketPolicy OR ListBuckets OR GetBucketReplication OR GetObject OR PutBucketLifecycle OR DeleteBucket OR GetBucketAcl OR HeadObject OR ListVaults OR GetPublicAccessBlock OR GetBucketTagging OR DeleteObject OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR 
PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR CreateFoundationModelAgreement OR GetConsoleScreenshot OR DeleteVolume OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR EnableSerialConsoleAccess OR DescribeAvailabilityZones OR GetPasswordData OR CreateVolume OR StartInstances OR CreateSecurityGroup OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR ModifySnapshotAttribute OR CreateDefaultVpc OR DeleteFlowLogs OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR CreateKeyPair OR SharedSnapshotCopyInitiated OR DescribeCarrierGateways OR TerminateInstances OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR StopInstances OR DescribeInstanceAttribute OR DescribeDhcpOptions OR AuthorizeSecurityGroupIngress OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR SendSSHPublicKey OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DeleteSnapshot OR SharedSnapshotVolumeCreated OR CreateSnapshot OR ReplaceIamInstanceProfileAssociation OR RunInstances OR DescribeSecurityGroups OR DescribeVpcs OR AttachVolume OR ImportKeyPair OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR CreateImage OR AuthorizeSecurityGroupEgress OR SendSerialConsoleSSHPublicKey OR ModifyDBSnapshotAttribute OR DeleteDBCluster OR DeleteDBInstance OR CreateDBSnapshot OR ModifyActivityStream OR SendCommand OR StartSession OR DescribeInstanceInformation OR CreateEmailIdentity OR GetIdentityVerificationAttributes OR UpdateAccountSendingEnabled OR ListIdentities OR GetSendQuota OR VerifyEmailIdentity OR GetAccount OR DeleteIdentity OR DeleteInvitations OR GetFindings OR ListFindings OR 
ListDetectors OR DeleteDetector OR GetDetector OR DisassociateFromMasterAccount OR RegisterTaskDefinition OR CreateService OR CreateCluster OR ListServiceQuotas OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:(GetQueryResults OR CreateFoundationModelAgreement OR GetFoundationModelAvailability OR GetModelInvocationLoggingConfiguration OR GetUseCaseForModelAccess OR InvokeModel OR InvokeModelWithResponseStream OR ListFoundationModelAgreementOffers OR ListFoundationModels OR ListProvisionedModelThroughputs OR PutFoundationModelEntitlement OR PutUseCaseForModelAccess OR CreateStack OR DeleteTrail OR LookupEvents OR PutEventSelectors OR UpdateTrail OR PutLogEvents OR CreateLogStream OR DescribeLogGroups OR DescribeLogStreams OR DescribeSubscriptionFilters OR GetLogRecord OR PutLogEvents OR GetCostAndUsage OR AttachVolume OR AuthorizeSecurityGroupEgress OR AuthorizeSecurityGroupIngress OR CreateDefaultVpc OR CreateImage OR CreateKeyPair OR CreateSecurityGroup OR CreateSnapshot OR CreateVolume OR DeleteFlowLogs OR DeleteSnapshot OR DeleteVolume OR DescribeAccountAttributes OR DescribeAvailabilityZones OR DescribeBundleTasks OR DescribeCarrierGateways OR DescribeClientVpnRoutes OR DescribeDhcpOptions OR DescribeFlowLogs OR DescribeImages OR DescribeInstanceAttribute OR DescribeInstances OR DescribeInstanceTypes OR DescribeKeyPairs OR DescribeRegions OR GetLaunchTemplateData OR DescribeSecurityGroups OR DescribeSnapshotAttribute OR DescribeSnapshotTierStatus OR DescribeTransitGatewayMulticastDomains OR DescribeVolumes OR DescribeVolumesModifications OR DescribeVpcEndpointConnectionNotifications OR DescribeVpcs OR EnableSerialConsoleAccess OR GetConsoleScreenshot OR GetEbsDefaultKmsKeyId OR GetEbsEncryptionByDefault OR GetFlowLogsIntegrationTemplate OR GetLaunchTemplateData OR GetPasswordData OR GetTransitGatewayRouteTableAssociations OR ImportKeyPair OR ModifySnapshotAttribute OR 
ReplaceIamInstanceProfileAssociation OR RunInstances OR SendSerialConsoleSSHPublicKey OR SendSSHPublicKey OR SharedSnapshotCopyInitiated OR SharedSnapshotVolumeCreated OR StartInstances OR StopInstances OR TerminateInstances OR CreateCluster OR CreateService OR RegisterTaskDefinition OR PutRule OR PutTargets OR DeleteDetector OR DeleteInvitations OR DisassociateFromMasterAccount OR GetDetector OR GetFindings OR ListDetectors OR ListFindings OR AttachRolePolicy OR AttachUserPolicy OR CreateAccessKey OR CreateLoginProfile OR CreateOpenIDConnectProvider OR CreateRole OR CreateSAMLProvider OR StartSSO OR CreateUser OR DeleteAccessKey OR DeleteLoginProfile OR DeleteUser OR DeleteUserPolicy OR DetachRolePolicy OR DetachUserPolicy OR GetLoginProfile OR GetUser OR ListAccessKeys OR ListAttachedRolePolicies OR ListGroups OR ListGroupsForUser OR ListInstanceProfiles OR ListOpenIDConnectProviders OR ListRolePolicies OR ListRoles OR ListSAMLProviders OR ListServiceSpecificCredentials OR ListSigningCertificates OR ListSSHPublicKeys OR ListUsers OR PutUserPolicy OR SimulatePrincipalPolicy OR UpdateLoginProfile OR Encrypt OR GenerateDataKeyWithoutPlaintext OR CreateFunction20150331 OR Invoke OR CreateInstances OR DescribeOrganization OR CreateAccount OR InviteAccountToOrganization OR ListAccounts OR ListOrganizationalUnitsForParent OR CreateDBSnapshot OR DeleteDBCluster OR DeleteDBInstance OR ModifyActivityStream OR ModifyDBSnapshotAttribute OR Search OR ChangeResourceRecordSets OR CreateHostedZone OR RegisterDomain OR DeleteBucket OR DeleteObject OR GetBucketAcl OR GetBucketLogging OR GetBucketPolicy OR GetPublicAccessBlock OR GetBucketReplication OR GetBucketTagging OR GetBucketVersioning OR GetObject OR HeadObject OR ListBuckets OR ListObjects OR ListVaults OR PutBucketLifecycle OR PutBucketVersioning OR PutObject OR DescribeSecret OR GetSecretValue OR ListSecrets OR AssumeRole OR GetCallerIdentity OR GetFederationToken OR GetSessionToken OR ListServiceQuotas OR 
RequestServiceQuotaIncrease OR CreateEmailIdentity OR DeleteIdentity OR GetAccount OR GetIdentityVerificationAttributes OR GetSendQuota OR ListIdentities OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR ConsoleLogin OR GetSigninToken OR PasswordRecoveryRequested OR GetSMSAttributes OR GetSMSSandboxAccountStatus OR Publish OR DescribeInstanceInformation OR SendCommand OR StartSession OR CreateServer OR CreateUser) $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -361,7 +361,7 @@
 }
 },
 {
- "id": 2159724447,
+ "id": 1746155583,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -370,10 +370,10 @@
 "show_title": true,
 "widgets": [
 {
- "id": 464105964,
+ "id": 3273056366,
 "definition": {
 "type": "note",
- "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n",
+ "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -389,9 +389,9 @@
 }
 },
 {
- "id": 2488331093,
+ "id": 3153784623,
 "definition": {
- "title": "AssumeRoleWithWebIdentity",
+ "title": "AssumeRole",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -409,7 +409,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:AssumeRoleWithWebIdentity $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -431,10 +431,10 @@
 }
 },
 {
- "id": 1203215630,
+ "id": 763343409,
 "definition": {
 "type": "note",
- "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n",
+ "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -450,9 +450,9 @@
 }
 },
 {
- "id": 980618224,
+ "id": 2890894201,
 "definition": {
- "title": "GetSessionToken",
+ "title": "AssumeRoleWithSAML",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -470,7 +470,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetSessionToken $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:AssumeRoleWithSAML $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -492,10 +492,10 @@
 }
 },
 {
- "id": 1806647790,
+ "id": 3316474698,
 "definition": {
 "type": "note",
- "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
+ "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -511,9 +511,9 @@
 }
 },
 {
- "id": 3830872919,
+ "id": 3197202955,
 "definition": {
- "title": "AssumeRole",
+ "title": "AssumeRoleWithWebIdentity",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -531,7 +531,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:AssumeRoleWithWebIdentity $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -553,10 +553,10 @@
 }
 },
 {
- "id": 4023470160,
+ "id": 770663913,
 "definition": {
 "type": "note",
- "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n",
+ "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -572,9 +572,9 @@
 }
 },
 {
- "id": 3900211641,
+ "id": 651392170,
 "definition": {
- "title": "AssumeRoleWithSAML",
+ "title": "GetSessionToken",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -592,7 +592,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:AssumeRoleWithSAML $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetSessionToken $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -614,10 +614,10 @@
 }
 },
 {
- "id": 2511682163,
+ "id": 1989560802,
 "definition": {
 "type": "note",
- "content": "### [PasswordRecoveryRequested ](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested )\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n",
+ "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console 
Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -633,9 +633,9 @@
 }
 },
 {
- "id": 2388423644,
+ "id": 4117111594,
 "definition": {
- "title": "PasswordRecoveryRequested ",
+ "title": "ConsoleLogin",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -653,7 +653,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:PasswordRecoveryRequested $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ConsoleLogin $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
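Review bot: The new ConsoleLogin `query` in the -653 hunk counts every ConsoleLogin event, so successful sign-ins and failed attempts are folded into one number and a burst of failures against an account is indistinguishable from ordinary use. CloudTrail records the result in `responseElements.ConsoleLogin` (`Success`/`Failure`); adding that facet to the query, or a second widget restricted to failures, would make the count actionable (the attribute name after Datadog's CloudTrail processing should be confirmed before relying on it). The widget's definition starts and ends outside this hunk.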
@@ -675,10 +675,10 @@
 }
 },
 {
- "id": 4050781364,
+ "id": 2036927890,
 "definition": {
 "type": "note",
- "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n",
+ "content": "### [GetSigninToken](https://traildiscover.cloud/#SignIn-GetSigninToken)\n\n**Description:** Generate a SigninToken that can be used to login to the the AWS Management 
Console.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -694,9 +694,9 @@
 }
 },
 {
- "id": 1780039197,
+ "id": 1917656147,
 "definition": {
- "title": "ConsoleLogin",
+ "title": "GetSigninToken",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -714,7 +714,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ConsoleLogin $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetSigninToken $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -736,10 +736,10 @@
 }
 },
 {
- "id": 1732938420,
+ "id": 4013867821,
 "definition": {
 "type": "note",
- "content": "### [GetSigninToken](https://traildiscover.cloud/#SignIn-GetSigninToken)\n\n**Description:** Generate a SigninToken that can be used to login to the the AWS Management Console.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n",
+ "content": "### [PasswordRecoveryRequested](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested)\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
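Review bot: The new GetSigninToken `content` in the -675 hunk carries two typos that will render verbatim in the note widget: `login to the the AWS Management Console` should read `login to the AWS Management Console`, and `Tactics, Techniques,and Procedures` is missing the space after the comma. The second one recurs in the SendCommand content added by the -876 hunk. If these strings are generated from another source (the traildiscover.cloud entries they link to), the fix belongs there so the next regeneration does not revert it.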
@@ -755,9 +755,9 @@
 }
 },
 {
- "id": 3757163549,
+ "id": 1846451317,
 "definition": {
- "title": "GetSigninToken",
+ "title": "PasswordRecoveryRequested",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -775,7 +775,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetSigninToken $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:PasswordRecoveryRequested $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -806,7 +806,7 @@
 }
 },
 {
- "id": 720292941,
+ "id": 3311469648,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -815,10 +815,10 @@
 "show_title": true,
 "widgets": [
 {
- "id": 3119616000,
+ "id": 2078710041,
 "definition": {
 "type": "note",
- "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
+ "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -834,9 +834,9 @@
 }
 },
 {
- "id": 2996357481,
+ "id": 1959438298,
 "definition": {
- "title": "SendCommand",
+ "title": "ResumeSession",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -854,7 +854,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:SendCommand $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -876,10 +876,10 @@
 }
 },
 {
- "id": 3474826172,
+ "id": 2993883445,
 "definition": {
 "type": "note",
- "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n",
+ "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -895,9 +895,9 @@
 }
 },
 {
- "id": 1204084005,
+ "id": 2874611702,
 "definition": {
- "title": "StartSession",
+ "title": "SendCommand",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -915,7 +915,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:StartSession $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:SendCommand $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -937,10 +937,10 @@
 }
 },
 {
- "id": 3720449867,
+ "id": 3692360075,
 "definition": {
 "type": "note",
- "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
+ "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -956,9 +956,9 @@
 }
 },
 {
- "id": 1449707700,
+ "id": 1524943571,
 "definition": {
- "title": "ResumeSession",
+ "title": "StartSession",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -976,7 +976,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:StartSession $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1007,7 +1007,7 @@
 }
 },
 {
- "id": 3522150509,
+ "id": 1553374564,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -1016,10 +1016,10 @@
 "show_title": true,
 "widgets": [
 {
- "id": 1146815294,
+ "id": 984468595,
 "definition": {
 "type": "note",
- "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n",
+ "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1035,9 +1035,9 @@
 }
 },
 {
- "id": 3171040423,
+ "id": 865196852,
 "definition": {
- "title": "GetFederationToken",
+ "title": "CreateApiKey",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1055,7 +1055,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetFederationToken $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1077,10 +1077,10 @@
 }
 },
 {
- "id": 1317675324,
+ "id": 353224799,
 "definition": {
 "type": "note",
- "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
+ "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1096,9 +1096,9 @@
 }
 },
 {
- "id": 3341900453,
+ "id": 233953056,
 "definition": {
- "title": "AssumeRole",
+ "title": "UpdateGraphqlApi",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1116,7 +1116,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1138,10 +1138,10 @@
 }
 },
 {
- "id": 3905679375,
+ "id": 2579423578,
 "definition": {
 "type": "note",
- "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+ "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1157,9 +1157,9 @@
 }
 },
 {
- "id": 1634937208,
+ "id": 2460151835,
 "definition": {
- "title": "CreateFunction20150331",
+ "title": "UpdateResolver",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1177,7 +1177,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1199,10 +1199,10 @@
 }
 },
 {
- "id": 2504520868,
+ "id": 2842933871,
 "definition": {
 "type": "note",
- "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n",
+ "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock 
vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1218,9 +1218,9 @@
 }
 },
 {
- "id": 233778701,
+ "id": 2723662128,
 "definition": {
- "title": "UpdateFunctionConfiguration20150331v2",
+ "title": "AuthorizeSecurityGroupIngress",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1238,7 +1238,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateFunctionConfiguration20150331v2 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
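Review bot: The AuthorizeSecurityGroupIngress `query` added in the -1238 hunk counts every ingress-rule addition, while the research the note links ("Opening a security group to the Internet") is about the subset whose source CIDR is `0.0.0.0/0` or `::/0`; in a busy account the raw count will be dominated by routine rule changes and the exposure case will not stand out. A companion widget, or a facet on the request parameters' CIDR (attribute name to be confirmed against the ingested CloudTrail schema), would surface the case the note describes. The widget's definition spans the -1199, -1218 and -1238 hunks, so the query is separated from the note it belongs to.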
@@ -1260,10 +1260,10 @@
 }
 },
 {
- "id": 3459201955,
+ "id": 36080719,
 "definition": {
 "type": "note",
- "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n",
+ "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1279,9 +1279,9 @@
 }
 },
 {
- "id": 3236604549,
+ "id": 4211776272,
 "definition": {
- "title": "UpdateFunctionCode20150331v2",
+ "title": "CreateDefaultVpc",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1299,7 +1299,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1321,10 +1321,10 @@
 }
 },
 {
- "id": 1266416442,
+ "id": 3779557266,
 "definition": {
 "type": "note",
- "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n",
+ "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1340,9 +1340,9 @@
 }
 },
 {
- "id": 1143157923,
+ "id": 3660285523,
 "definition": {
- "title": "PutTargets",
+ "title": "CreateKeyPair",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1360,7 +1360,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:PutTargets $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateKeyPair $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1382,10 +1382,10 @@
 }
 },
 {
- "id": 938288015,
+ "id": 370396376,
 "definition": {
 "type": "note",
- "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1401,9 +1401,9 @@
 }
 },
 {
- "id": 815029496,
+ "id": 251124633,
 "definition": {
- "title": "PutRule",
+ "title": "CreateNetworkAclEntry",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1421,7 +1421,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateNetworkAclEntry $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1443,10 +1443,10 @@
 }
 },
 {
- "id": 3411667309,
+ "id": 507058475,
 "definition": {
 "type": "note",
- "content": "### [CreateSAMLProvider](https://traildiscover.cloud/#IAM-CreateSAMLProvider)\n\n**Description:** Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n",
+ "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -1462,9 +1462,9 @@
 }
 },
 {
- "id": 1140925142,
+ "id": 387786732,
 "definition": {
- "title": "CreateSAMLProvider",
+ "title": "CreateSecurityGroup",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -1482,7 +1482,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:CreateSAMLProvider $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateSecurityGroup $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -1504,10 +1504,10 @@ } }, { - "id": 2516672447, + "id": 3922636673, "definition": { "type": "note", - "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI 
incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1523,9 +1523,9 @@ } }, { - "id": 245930280, + "id": 1655881282, "definition": { - "title": "UpdateLoginProfile", + "title": "ImportKeyPair", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1543,7 +1543,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ImportKeyPair $userIdentity.arn $network.client.ip $account" } } ], 
@@ -1565,10 +1565,10 @@ } }, { - "id": 1526760078, + "id": 2378506893, "definition": { "type": "note", - "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security 
Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1584,9 +1584,9 @@ } }, { - "id": 3451646320, + "id": 2259235150, "definition": { - "title": "UpdateAccessKey", + "title": "RunInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1604,7 +1604,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateAccessKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -1626,10 +1626,10 @@ } }, { - "id": 499451509, + "id": 2775610200, "definition": { "type": "note", - "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1645,9 +1645,9 @@ } }, { - "id": 2523676638, + "id": 2656338457, "definition": { - "title": "UpdateAssumeRolePolicy", + "title": "StartInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1665,7 +1665,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateAssumeRolePolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -1687,10 +1687,10 @@ } }, { - "id": 313661460, + "id": 1551961493, "definition": { "type": "note", - "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to 
Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1706,9 +1706,9 @@ } }, { - "id": 2337886589, + "id": 1432689750, "definition": { - "title": "CreateAccessKey", + "title": "PutRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1726,7 +1726,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateAccessKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" } } ], @@ -1748,10 +1748,10 @@ } }, { - "id": 4090476402, + "id": 1088314292, "definition": { "type": "note", - "content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n", + "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -1767,9 +1767,9 @@ } }, { - "id": 1720395348, + "id": 969042549, "definition": { - "title": "UpdateSAMLProvider", + "title": "PutTargets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1787,7 +1787,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateSAMLProvider $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutTargets $userIdentity.arn $network.client.ip $account" } } ], @@ -1809,10 +1809,10 @@ } }, { - "id": 2364177865, + "id": 2380112882, "definition": { "type": "note", - "content": "### [StartSSO](https://traildiscover.cloud/#SSO-StartSSO)\n\n**Description:** Initialize AWS IAM Identity Center\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -1828,9 +1828,9 @@ } }, { - "id": 93435698, + "id": 2260841139, "definition": { - "title": "StartSSO", + "title": "AttachUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1848,7 +1848,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartSSO $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AttachUserPolicy $userIdentity.arn $network.client.ip $account" } } ], @@ -1870,10 +1870,10 @@ } }, { - "id": 3180529808, + "id": 797507128, "definition": { "type": "note", - "content": "### [CreateOpenIDConnectProvider](https://traildiscover.cloud/#IAM-CreateOpenIDConnectProvider)\n\n**Description:** Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1889,9 +1889,9 @@ } }, { - "id": 2957932402, + "id": 2925057920, "definition": { - "title": "CreateOpenIDConnectProvider", + "title": "ChangePassword", "title_size": "16", "title_align": "left", "type": "query_value", @@ -1909,7 +1909,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateOpenIDConnectProvider $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ChangePassword $userIdentity.arn $network.client.ip $account" } } ], 
@@ -1931,10 +1931,10 @@ } }, { - "id": 936295334, + "id": 2199885233, "definition": { "type": "note", - "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. 
The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -1950,9 +1950,9 @@ } }, { - "id": 813036815, + "id": 2080613490, "definition": { - "title": "AttachUserPolicy", + "title": "CreateAccessKey", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -1970,7 +1970,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AttachUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateAccessKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -1992,10 +1992,10 @@ } }, { - "id": 1041099456, + "id": 492966742, "definition": { "type": "note", - "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. 
A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2011,9 +2011,9 @@ } }, { - "id": 818502050, + "id": 373694999, "definition": { - "title": "PutUserPolicy", + "title": "CreateLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2031,7 +2031,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateLoginProfile $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2053,10 +2053,10 @@ } }, { - "id": 2560717696, + "id": 2744325980, "definition": { "type": "note", - "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", + "content": "### [CreateOpenIDConnectProvider](https://traildiscover.cloud/#IAM-CreateOpenIDConnectProvider)\n\n**Description:** Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2072,9 +2072,9 @@ } }, { - "id": 289975529, + "id": 2625054237, "definition": { - "title": "ChangePassword", + "title": "CreateOpenIDConnectProvider", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2092,7 +2092,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ChangePassword $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateOpenIDConnectProvider $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2114,10 +2114,10 @@ } }, { - "id": 994921101, + "id": 1534009647, "definition": { "type": "note", - "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking 
Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2133,9 +2133,9 @@ } }, { - "id": 2919807343, + "id": 1414737904, "definition": { - "title": "CreateLoginProfile", + "title": "CreateRole", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2153,7 +2153,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateRole $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2175,10 +2175,10 @@ } }, { - "id": 263464156, + "id": 2781880907, "definition": { "type": "note", - "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [CreateSAMLProvider](https://traildiscover.cloud/#IAM-CreateSAMLProvider)\n\n**Description:** Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -2194,9 +2194,9 @@ } }, { - "id": 140205637, + "id": 2662609164, "definition": { - "title": "CreateUser", + "title": "CreateSAMLProvider", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2214,7 +2214,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateSAMLProvider $userIdentity.arn $network.client.ip $account" } } ], @@ -2236,10 +2236,10 @@ } }, { - "id": 3772235644, + "id": 1862656388, "definition": { "type": "note", - "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [StartSSO](https://traildiscover.cloud/#SSO-StartSSO)\n\n**Description:** Initialize AWS IAM Identity Center\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2255,9 +2255,9 @@ } }, { - "id": 3648977125, + "id": 1743384645, "definition": { - "title": "CreateRole", + "title": "StartSSO", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2275,7 +2275,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateRole $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartSSO $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2297,10 +2297,10 @@ } }, { - "id": 1181804479, + "id": 1110453335, "definition": { "type": "note", - "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT 
ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2316,9 +2316,9 @@ } }, { - "id": 3206029608, + "id": 991181592, "definition": { - "title": "UpdateGraphqlApi", + "title": "CreateUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2336,7 +2336,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account" } } ], 
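Review bot: The `CreateUser` search at the end of this hunk counts denied attempts together with successful creations, because nothing in `source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account` filters on the CloudTrail error code. For a persistence widget that is a defensible choice (a burst of AccessDenied from a stolen key is itself worth seeing), but the paired note widget should say which number the analyst is looking at; I would append to its content something like `\n**Note:** the count includes failed (AccessDenied) calls; filter on the error-code facet to see only successful user creations.`. If the dashboard's CloudTrail pipeline exposes the error code as a facet, a second query value restricted to successful events would give the cleaner persistence signal, but I have not verified the facet name against the other widgets in this file. The note widget this query belongs to begins in the previous hunk.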
@@ -2358,10 +2358,10 @@ } }, { - "id": 1889993219, + "id": 133680516, "definition": { "type": "note", - "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2377,9 +2377,9 @@ } }, { - "id": 3814879461, + "id": 14408773, "definition": { - "title": "CreateApiKey", + "title": "PutUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2397,7 +2397,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutUserPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2419,10 +2419,10 @@ } }, { - "id": 5336765, + "id": 3199130567, "definition": { "type": "note", - "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2438,9 +2438,9 @@ } }, { - "id": 4177045542, + "id": 3079858824, "definition": { - "title": "UpdateResolver", + "title": "UpdateAccessKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2458,7 +2458,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateAccessKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2480,10 +2480,10 @@ } }, { - "id": 4165981159, + "id": 1692552390, "definition": { "type": "note", - "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2499,9 +2499,9 @@ } }, { - "id": 4042722640, + "id": 1573280647, "definition": { - "title": "StartInstances", + "title": "UpdateAssumeRolePolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2519,7 +2519,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateAssumeRolePolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2541,10 +2541,10 @@ } }, { - "id": 2041944219, + "id": 843279510, "definition": { "type": "note", - "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. 
You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2560,9 +2560,9 @@ } }, { - "id": 3966830461, + "id": 724007767, "definition": { - "title": "CreateSecurityGroup", + "title": "UpdateLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2580,7 +2580,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateSecurityGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2602,10 +2602,10 @@ } }, { - "id": 2474851675, + "id": 852458622, "definition": { "type": "note", - "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2621,9 +2621,9 @@ } }, { - "id": 204109508, + "id": 733186879, "definition": { - "title": "CreateDefaultVpc", + "title": "UpdateSAMLProvider", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2641,7 +2641,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateSAMLProvider $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2663,10 +2663,10 @@ } }, { - "id": 2199146742, + "id": 1662328823, "definition": { "type": "note", - "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", + "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2682,9 +2682,9 @@ } }, { - "id": 4223371871, + "id": 3789879615, "definition": { - "title": "CreateNetworkAclEntry", + "title": "CreateFunction20150331", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2702,7 +2702,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateNetworkAclEntry $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2724,10 +2724,10 @@ } }, { - "id": 2134900830, + "id": 228305250, "definition": { "type": "note", - "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. 
If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2743,9 +2743,9 @@ } }, { - "id": 2011642311, + "id": 109033507, "definition": { - "title": "CreateKeyPair", + "title": "UpdateFunctionCode20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2763,7 +2763,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateKeyPair $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2785,10 +2785,10 @@ } }, { - "id": 3616060369, + "id": 1906983556, "definition": { "type": "note", - "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", + "content": "### 
[UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2804,9 +2804,9 @@ } }, { - "id": 3492801850, + "id": 1787711813, "definition": { - "title": "AuthorizeSecurityGroupIngress", + "title": "UpdateFunctionConfiguration20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2824,7 +2824,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateFunctionConfiguration20150331v2 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -2846,10 +2846,10 @@ } }, { - "id": 4238341025, + "id": 1716304326, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2865,9 +2865,9 @@ } }, { - "id": 4115082506, + "id": 3744516231, "definition": { - "title": "RunInstances", + "title": "AssumeRole", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -2885,7 +2885,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
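Review bot: The `AssumeRole` query value in this hunk, `source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account`, will be dominated by benign volume: every instance-profile credential refresh, service-linked role assumption and SDK role chain is recorded as AssumeRole, so a raw count says little about the role-chain abuse the note widget's linked research describes. Consider restricting the widget to assumptions made by IAM principals rather than AWS services (in Datadog's CloudTrail attributes that is likely `-@userIdentity.type:AWSService`, to be confirmed against the facets this dashboard already uses), or state in the note content that the number is a baseline to compare per `$userIdentity.arn` rather than something to alert on. The note widget for AssumeRole and the start of this query-value widget are in the previous hunk.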
@@ -2907,10 +2907,10 @@ } }, { - "id": 3741148703, + "id": 1033840012, "definition": { "type": "note", - "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", + "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Create a Console Session from IAM 
Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2926,9 +2926,9 @@ } }, { - "id": 1470406536, + "id": 914568269, "definition": { - "title": "ImportKeyPair", + "title": "GetFederationToken", "title_size": "16", "title_align": "left", "type": "query_value", @@ -2946,7 +2946,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ImportKeyPair $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetFederationToken $userIdentity.arn $network.client.ip $account" } } ], @@ -2977,7 +2977,7 @@ } }, { - "id": 2696549765, + "id": 1773350570, "definition": { "type": "group", "layout_type": "ordered", 
@@ -2986,10 +2986,10 @@ "show_title": true, "widgets": [ { - "id": 2256535120, + "id": 1590226858, "definition": { "type": "note", - "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", + "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -3005,9 +3005,9 @@ } }, { - "id": 4280760249, + "id": 1470955115, "definition": { - "title": "AssumeRole", + "title": "GetCredentialsForIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -3025,7 +3025,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetCredentialsForIdentity $userIdentity.arn $network.client.ip $account" } } ], 
@@ -3047,10 +3047,10 @@
 }
 },
 {
- "id": 1801438209,
+ "id": 423664730,
 "definition": {
 "type": "note",
- "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n",
+ "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3066,9 +3066,9 @@
 }
 },
 {
- "id": 1678179690,
+ "id": 2551215522,
 "definition": {
- "title": "GetCredentialsForIdentity",
+ "title": "GetId",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3086,7 +3086,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetCredentialsForIdentity $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetId $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3108,10 +3108,10 @@
 }
 },
 {
- "id": 21028199,
+ "id": 3780438587,
 "definition": {
 "type": "note",
- "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n",
+ "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3127,9 +3127,9 @@
 }
 },
 {
- "id": 4192736976,
+ "id": 3760505731,
 "definition": {
- "title": "GetId",
+ "title": "ModifyInstanceAttribute",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3147,7 +3147,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetId $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ModifyInstanceAttribute $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
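Review bot: The `ModifyInstanceAttribute` query value added in the last hunk here counts every attribute change, while all five research links in the new note widget concern the `userData` attribute specifically; instance-type, termination-protection and source/dest-check edits will inflate the number and bury the interesting case. If the dashboard's CloudTrail pipeline indexes request parameters, narrowing the search to the user-data case (something like `@evt.name:ModifyInstanceAttribute @requestParameters.userData:*`, facet path to be verified against ingested events) would make the count match what the note describes; otherwise the note content should state that the count covers all attribute modifications. As I recall, user data can only be changed on a stopped instance, so a `StopInstances`/`StartInstances` pair from the same principal around this event is the pattern worth mentioning in the note, but confirm that before adding it.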
@@ -3169,10 +3169,10 @@
 }
 },
 {
-"id": 1402510738,
+"id": 536513705,
 "definition": {
 "type": "note",
-"content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3188,9 +3188,9 @@
 }
 },
 {
-"id": 1179913332,
+"id": 417241962,
 "definition": {
-"title": "CreateFunction20150331",
+"title": "ReplaceIamInstanceProfileAssociation",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3208,7 +3208,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:ReplaceIamInstanceProfileAssociation $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3230,10 +3230,10 @@
 }
 },
 {
-"id": 2897212162,
+"id": 2055940372,
 "definition": {
 "type": "note",
-"content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3249,9 +3249,9 @@
 }
 },
 {
-"id": 2773953643,
+"id": 4183491164,
 "definition": {
-"title": "CreateEventSourceMapping20150331",
+"title": "AssociateAccessPolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3269,7 +3269,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:CreateEventSourceMapping20150331 $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:AssociateAccessPolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3291,10 +3291,10 @@
 }
 },
 {
-"id": 3051966080,
+"id": 2246441426,
 "definition": {
 "type": "note",
-"content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3310,9 +3310,9 @@
 }
 },
 {
-"id": 2928707561,
+"id": 2127169683,
 "definition": {
-"title": "AddPermission20150331v2",
+"title": "CreateAccessEntry",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3330,7 +3330,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:AddPermission20150331v2 $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateAccessEntry $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3352,10 +3352,10 @@
 }
 },
 {
-"id": 3204272060,
+"id": 763878914,
 "definition": {
 "type": "note",
-"content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3371,9 +3371,9 @@
 }
 },
 {
-"id": 2981674654,
+"id": 644607171,
 "definition": {
-"title": "Invoke",
+"title": "CreateDevEndpoint",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3391,7 +3391,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateDevEndpoint $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3413,10 +3413,10 @@
 }
 },
 {
-"id": 2608509866,
+"id": 4267876289,
 "definition": {
 "type": "note",
-"content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n",
+"content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3432,9 +3432,9 @@
 }
 },
 {
-"id": 2485251347,
+"id": 4148604546,
 "definition": {
-"title": "UpdateEventSourceMapping20150331",
+"title": "CreateJob",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3452,7 +3452,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:UpdateEventSourceMapping20150331 $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateJob $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3474,10 +3474,10 @@
 }
 },
 {
-"id": 4231485268,
+"id": 386205591,
 "definition": {
 "type": "note",
-"content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3493,9 +3493,9 @@
 }
 },
 {
-"id": 1960743101,
+"id": 2414417496,
 "definition": {
-"title": "DeleteRolePolicy",
+"title": "UpdateDevEndpoint",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3513,7 +3513,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:DeleteRolePolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:UpdateDevEndpoint $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3535,10 +3535,10 @@
 }
 },
 {
-"id": 2076594790,
+"id": 2704739778,
 "definition": {
 "type": "note",
-"content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3554,9 +3554,9 @@
 }
 },
 {
-"id": 4100819919,
+"id": 537323274,
 "definition": {
-"title": "DetachRolePolicy",
+"title": "UpdateJob",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3574,7 +3574,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:UpdateJob $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3596,10 +3596,10 @@
 }
 },
 {
-"id": 2061648571,
+"id": 1245890929,
 "definition": {
 "type": "note",
-"content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3615,9 +3615,9 @@
 }
 },
 {
-"id": 4085873700,
+"id": 1126619186,
 "definition": {
-"title": "UpdateLoginProfile",
+"title": "AddRoleToInstanceProfile",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3635,7 +3635,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:AddRoleToInstanceProfile $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3657,7 +3657,7 @@
 }
 },
 {
-"id": 337955984,
+"id": 1441363882,
 "definition": {
 "type": "note",
 "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
@@ -3676,7 +3676,7 @@
 }
 },
 {
-"id": 214697465,
+"id": 1322092139,
 "definition": {
 "title": "AddUserToGroup",
 "title_size": "16",
@@ -3718,10 +3718,10 @@
 }
 },
 {
-"id": 1438311305,
+"id": 2926045079,
 "definition": {
 "type": "note",
-"content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
+"content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3737,9 +3737,9 @@
 }
 },
 {
-"id": 1215713899,
+"id": 2806773336,
 "definition": {
-"title": "UpdateAssumeRolePolicy",
+"title": "AttachGroupPolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3757,7 +3757,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:UpdateAssumeRolePolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:AttachGroupPolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3779,10 +3779,10 @@
 }
 },
 {
-"id": 2105460119,
+"id": 1430738982,
 "definition": {
 "type": "note",
-"content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
+"content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3798,9 +3798,9 @@
 }
 },
 {
-"id": 4129685248,
+"id": 3558289774,
 "definition": {
-"title": "CreateAccessKey",
+"title": "AttachRolePolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3818,7 +3818,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:CreateAccessKey $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:AttachRolePolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3840,10 +3840,10 @@
 }
 },
 {
-"id": 2222981236,
+"id": 2134316722,
 "definition": {
 "type": "note",
-"content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3859,9 +3859,9 @@
 }
 },
 {
-"id": 4247206365,
+"id": 2015044979,
 "definition": {
-"title": "CreatePolicyVersion",
+"title": "AttachUserPolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3879,7 +3879,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:CreatePolicyVersion $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:AttachUserPolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3901,10 +3901,10 @@
 }
 },
 {
-"id": 3244002121,
+"id": 2699194616,
 "definition": {
 "type": "note",
-"content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3920,9 +3920,9 @@
 }
 },
 {
-"id": 973259954,
+"id": 2579922873,
 "definition": {
-"title": "DeleteUserPolicy",
+"title": "ChangePassword",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -3940,7 +3940,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:ChangePassword $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -3962,10 +3962,10 @@
 }
 },
 {
-"id": 2830131676,
+"id": 4101572721,
 "definition": {
 "type": "note",
-"content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n",
+"content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -3981,9 +3981,9 @@
 }
 },
 {
-"id": 2706873157,
+"id": 1834817330,
 "definition": {
-"title": "UpdateSAMLProvider",
+"title": "CreateAccessKey",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4001,7 +4001,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:UpdateSAMLProvider $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateAccessKey $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4023,10 +4023,10 @@
 }
 },
 {
-"id": 1246291771,
+"id": 3467085456,
 "definition": {
 "type": "note",
-"content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4042,9 +4042,9 @@
 }
 },
 {
-"id": 3270516900,
+"id": 1299668952,
 "definition": {
-"title": "PutRolePermissionsBoundary",
+"title": "CreateGroup",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
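Review bot: The new `@evt.name:CreateAccessKey` query in the `@@ -4001,7 +4001,7 @@` hunk counts denied attempts together with successful key creation, since CloudTrail records an AccessDenied call under the same eventName and only distinguishes it by an errorCode field. For an event this central to the seven linked incidents, a failed CreateAccessKey by a principal that never otherwise touches IAM is itself a strong indicator and deserves its own number rather than being blended into the total. Consider splitting the widget into a success count (`... -@error.code:*`) and a denied count (`... @error.code:AccessDenied`), using whichever attribute the CloudTrail integration maps errorCode to — confirm the path against a real event. The same applies to every query-value widget in this file, so it is better handled once in whatever produces this dashboard than per widget.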
@@ -4062,7 +4062,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:PutRolePermissionsBoundary $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateGroup $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4084,10 +4084,10 @@
 }
 },
 {
-"id": 4069191881,
+"id": 147831695,
 "definition": {
 "type": "note",
-"content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4103,9 +4103,9 @@
 }
 },
 {
-"id": 3945933362,
+"id": 2275382487,
 "definition": {
-"title": "PutUserPermissionsBoundary",
+"title": "CreateLoginProfile",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4123,7 +4123,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:PutUserPermissionsBoundary $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreateLoginProfile $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4145,10 +4145,10 @@
 }
 },
 {
-"id": 3596740726,
+"id": 2672285533,
 "definition": {
 "type": "note",
-"content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4164,9 +4164,9 @@
 }
 },
 {
-"id": 1325998559,
+"id": 2553013790,
 "definition": {
-"title": "DeleteUserPermissionsBoundary",
+"title": "CreatePolicyVersion",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4184,7 +4184,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:DeleteUserPermissionsBoundary $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:CreatePolicyVersion $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4206,10 +4206,10 @@
 }
 },
 {
-"id": 2931744533,
+"id": 2428934192,
 "definition": {
 "type": "note",
-"content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4225,9 +4225,9 @@
 }
 },
 {
-"id": 661002366,
+"id": 261517688,
 "definition": {
-"title": "AttachRolePolicy",
+"title": "DeleteRolePermissionsBoundary",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4245,7 +4245,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:AttachRolePolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:DeleteRolePermissionsBoundary $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4267,10 +4267,10 @@
 }
 },
 {
-"id": 872441613,
+"id": 2127473543,
 "definition": {
 "type": "note",
-"content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4286,9 +4286,9 @@
 }
 },
 {
-"id": 649844207,
+"id": 2008201800,
 "definition": {
-"title": "SetDefaultPolicyVersion",
+"title": "DeleteRolePolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4306,7 +4306,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:SetDefaultPolicyVersion $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:DeleteRolePolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4328,10 +4328,10 @@
 }
 },
 {
-"id": 1922773143,
+"id": 3488067225,
 "definition": {
 "type": "note",
-"content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
+"content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -4347,9 +4347,9 @@
 }
 },
 {
-"id": 3847659385,
+"id": 3368795482,
 "definition": {
-"title": "AttachUserPolicy",
+"title": "DeleteUserPermissionsBoundary",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -4367,7 +4367,7 @@
 "aggregation": "count"
 },
 "search": {
-"query": "source:cloudtrail @evt.name:AttachUserPolicy $userIdentity.arn $network.client.ip $account"
+"query": "source:cloudtrail @evt.name:DeleteUserPermissionsBoundary $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -4389,10 +4389,10 @@ } }, { - "id": 857148398, + "id": 3422238940, "definition": { "type": "note", - "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", + "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4408,9 +4408,9 @@ } }, { - "id": 2881373527, + "id": 3302967197, "definition": { - "title": "CreateGroup", + "title": "DeleteUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4428,7 +4428,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -4450,10 +4450,10 @@ } }, { - "id": 586075580, + "id": 590912286, "definition": { "type": "note", - "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4469,9 +4469,9 @@ } }, { - "id": 2610300709, + "id": 471640543, "definition": { - "title": "PutUserPolicy", + "title": "DetachRolePolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4489,7 +4489,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -4511,10 +4511,10 @@ } }, { - "id": 503374712, + "id": 158059249, "definition": { "type": "note", - "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4530,9 +4530,9 @@ } }, { - "id": 280777306, + "id": 2186271154, "definition": { - "title": "DeleteRolePermissionsBoundary", + "title": "DetachUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4550,7 +4550,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRolePermissionsBoundary $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" } } ], @@ -4572,7 +4572,7 @@ } }, { - "id": 1446840213, + "id": 3798401925, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4591,7 +4591,7 @@ } }, { - "id": 3471065342, + "id": 3679130182, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4633,10 +4633,10 @@ } }, { - "id": 1300372970, + "id": 1252441981, "definition": { "type": "note", - "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", + "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4652,9 +4652,9 @@ } }, { - "id": 3324598099, + "id": 1133170238, "definition": { - "title": "ChangePassword", + "title": "PutRolePermissionsBoundary", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4672,7 +4672,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ChangePassword $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRolePermissionsBoundary $userIdentity.arn $network.client.ip $account" } } ], 
@@ -4694,10 +4694,10 @@ } }, { - "id": 1933780897, + "id": 1963309214, "definition": { "type": "note", - "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", + "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
"background_color": "white", "font_size": "14", "text_align": "left", @@ -4713,9 +4713,9 @@ } }, { - "id": 1711183491, + "id": 1844037471, "definition": { - "title": "CreateLoginProfile", + "title": "PutRolePolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4733,7 +4733,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRolePolicy $userIdentity.arn $network.client.ip $account" } } ], @@ -4755,10 +4755,10 @@ } }, { - "id": 1748038245, + "id": 3204805001, "definition": { "type": "note", - "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4774,9 +4774,9 @@ } }, { - "id": 3672924487, + "id": 3085533258, "definition": { - "title": "DetachUserPolicy", + "title": "PutUserPermissionsBoundary", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -4794,7 +4794,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutUserPermissionsBoundary $userIdentity.arn $network.client.ip $account" } } ], @@ -4816,10 +4816,10 @@ } }, { - "id": 1610086974, + "id": 1182429141, "definition": { "type": "note", - "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4835,9 +4835,9 @@ } }, { - "id": 1486828455, + "id": 1063157398, "definition": { - "title": "PutRolePolicy", + "title": "PutUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -4855,7 +4855,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutRolePolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutUserPolicy $userIdentity.arn $network.client.ip $account" } } ], @@ -4877,10 +4877,10 @@ } }, { - "id": 1962526299, + "id": 736370749, "definition": { "type": "note", - "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", + "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4896,9 +4896,9 @@ } }, { - "id": 1839267780, + "id": 617099006, "definition": { - "title": "AddRoleToInstanceProfile", + "title": "SetDefaultPolicyVersion", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4916,7 +4916,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AddRoleToInstanceProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SetDefaultPolicyVersion $userIdentity.arn $network.client.ip $account" } } ], 
@@ -4938,10 +4938,10 @@ } }, { - "id": 3795208560, + "id": 542096493, "definition": { "type": "note", - "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4957,9 +4957,9 @@ } }, { - "id": 1524466393, + "id": 2669647285, "definition": { - "title": "AttachGroupPolicy", + "title": "UpdateAssumeRolePolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -4977,7 +4977,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AttachGroupPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateAssumeRolePolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -4999,10 +4999,10 @@ } }, { - "id": 192543750, + "id": 987368398, "definition": { "type": "note", - "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5018,9 +5018,9 @@ } }, { - "id": 2117429992, + "id": 868096655, "definition": { - "title": "AssociateAccessPolicy", + "title": "UpdateLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -5038,7 +5038,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AssociateAccessPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateLoginProfile $userIdentity.arn $network.client.ip $account" } } ], @@ -5060,10 +5060,10 @@ } }, { - "id": 4193538602, + "id": 4048690895, "definition": { "type": "note", - "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5079,9 +5079,9 @@ } }, { - "id": 4070280083, + "id": 3929419152, "definition": { - "title": "CreateAccessEntry", + "title": "UpdateSAMLProvider", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5099,7 +5099,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateAccessEntry $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateSAMLProvider $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5121,10 +5121,10 @@ } }, { - "id": 22205559, + "id": 1638569194, "definition": { "type": "note", - "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5140,9 +5140,9 @@ } }, { - "id": 2046430688, + "id": 1519297451, "definition": { - "title": "ModifyInstanceAttribute", + "title": "AddPermission20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5160,7 +5160,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ModifyInstanceAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AddPermission20150331v2 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5182,10 +5182,10 @@ } }, { - "id": 1398745503, + "id": 3105263686, "definition": { "type": "note", - "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", + "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5201,9 +5201,9 @@ } }, { - "id": 1275486984, + "id": 2985991943, "definition": { - "title": "ReplaceIamInstanceProfileAssociation", + "title": "CreateEventSourceMapping20150331", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5221,7 +5221,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ReplaceIamInstanceProfileAssociation $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateEventSourceMapping20150331 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5243,10 +5243,10 @@ } }, { - "id": 615116023, + "id": 1905756598, "definition": { "type": "note", - "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5262,9 +5262,9 @@ } }, { - "id": 491857504, + "id": 1786484855, "definition": { - "title": "CreateDevEndpoint", + "title": "CreateFunction20150331", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5282,7 +5282,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDevEndpoint $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5304,10 +5304,10 @@ } }, { - "id": 1606307923, + "id": 2405835847, "definition": { "type": "note", - "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5323,9 +5323,9 @@ } }, { - "id": 3630533052, + "id": 2286564104, "definition": { - "title": "UpdateJob", + "title": "Invoke", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5343,7 +5343,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateJob $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account" } } ], 
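Review bot: `@evt.name:Invoke` in the last query hunk will only ever count something if the trail feeding Datadog has Lambda data events enabled — Lambda `Invoke` is recorded as a CloudTrail data event, not a management event, so on a default management-only trail this widget reads 0 and that is indistinguishable from "no invocations". The note widget for Invoke should say so, e.g. `**Note:** Requires CloudTrail data events for Lambda; with management events only this widget will always show 0.` Matching on the bare event name without an event-source filter (something like `@eventSource:lambda.amazonaws.com`, attribute name to be confirmed against the Datadog CloudTrail pipeline) would also pick up any other service that logs an `Invoke` event, if any.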
@@ -5365,10 +5365,10 @@ } }, { - "id": 3749541939, + "id": 3295687953, "definition": { "type": "note", - "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5384,9 +5384,9 @@ } }, { - "id": 3626283420, + "id": 1128271449, "definition": { - "title": "CreateJob", + "title": "UpdateEventSourceMapping20150331", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5404,7 +5404,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateJob $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateEventSourceMapping20150331 $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5426,10 +5426,10 @@ } }, { - "id": 2199806652, + "id": 1959732101, "definition": { "type": "note", - "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5445,9 +5445,9 @@ } }, { - "id": 4124692894, + "id": 1840460358, "definition": { - "title": "UpdateDevEndpoint", + "title": "AssumeRole", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5465,7 +5465,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateDevEndpoint $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AssumeRole $userIdentity.arn $network.client.ip $account" } } ], @@ -5496,7 +5496,7 @@ } }, { - "id": 1670437368, + "id": 1665089707, "definition": { "type": "group", "layout_type": "ordered", 
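Review bot: `@evt.name:AssumeRole` in the query hunk counts every role assumption in the account, including the ones AWS services perform on your behalf (`userIdentity.type` of `AWSService`) and routine role chaining by CI and cross-account automation, so the query_value is dominated by background noise and a single attacker AssumeRole will not visibly move it. Consider excluding service principals, e.g. `source:cloudtrail @evt.name:AssumeRole -@userIdentity.type:AWSService $userIdentity.arn $network.client.ip $account`, or pairing the count with a top-list by `@userIdentity.arn`; the attribute path as remapped by the Datadog CloudTrail pipeline should be confirmed. The enclosing group widget continues outside the hunk.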
@@ -5505,10 +5505,10 @@ "show_title": true, "widgets": [ { - "id": 2961210480, + "id": 1751966583, "definition": { "type": "note", - "content": "### [InviteAccountToOrganization](https://traildiscover.cloud/#Organizations-InviteAccountToOrganization)\n\n**Description:** Sends an invitation to another account to join your organization as a member account.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5524,9 +5524,9 @@ } }, { - "id": 2837951961, + "id": 3879517375, "definition": { - "title": "InviteAccountToOrganization", + "title": "CreateApiKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5544,7 +5544,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InviteAccountToOrganization $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account" } } ], 
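Review bot: `@evt.name:CreateApiKey` in the last hunk is not specific to AppSync — Amazon API Gateway logs an event with the same name — so the count shown under the AppSync backdoor note will include unrelated API Gateway key creations and the widget no longer matches the linked research. Scoping on the event source, e.g. `source:cloudtrail @eventSource:appsync.amazonaws.com @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account`, keeps it aligned; the attribute name the Datadog pipeline uses for `eventSource` should be confirmed before adopting it. The same ambiguity applies to other bare event names in this dashboard that several services share, so a generic note on the group ("queries match eventName only; add eventSource where names collide") would help readers.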
@@ -5566,10 +5566,10 @@ } }, { - "id": 1699103690, + "id": 3268206435, "definition": { "type": "note", - "content": "### [CreateAccount](https://traildiscover.cloud/#Organizations-CreateAccount)\n\n**Description:** Creates an AWS account that is automatically a member of the organization whose credentials made the request.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5585,9 +5585,9 @@ } }, { - "id": 1575845171, + "id": 1001451044, "definition": { - "title": "CreateAccount", + "title": "UpdateGraphqlApi", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5605,7 +5605,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateAccount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5627,10 +5627,10 @@ } }, { - "id": 121884819, + "id": 3446260453, "definition": { "type": "note", - "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", + "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5646,9 +5646,9 @@ } }, { - "id": 2146109948, + "id": 3326988710, "definition": { - "title": "LeaveOrganization", + "title": "UpdateResolver", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5666,7 +5666,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:LeaveOrganization $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5688,10 +5688,10 @@ } }, { - "id": 2948895400, + "id": 202186447, "definition": { "type": "note", - "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5707,9 +5707,9 @@ } }, { - "id": 678153233, + "id": 82914704, "definition": { - "title": "PutLogEvents", + "title": "DeleteTrail", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5727,7 +5727,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteTrail $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5749,10 +5749,10 @@ } }, { - "id": 1125400894, + "id": 369195651, "definition": { "type": "note", - "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", + "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5768,9 +5768,9 @@ } }, { - "id": 1002142375, + "id": 249923908, "definition": { - "title": "DeleteAlarms", + "title": "PutEventSelectors", "title_size": "16", "title_align": "left", "type": "query_value", @@ -5788,7 +5788,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteAlarms $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutEventSelectors $userIdentity.arn $network.client.ip $account" } } ], 
@@ -5810,10 +5810,10 @@ } }, { - "id": 1694170558, + "id": 1581398832, "definition": { "type": "note", - "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", + "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5829,9 +5829,9 @@ } }, { - "id": 1471573152, + "id": 1462127089, "definition": { - "title": "DeleteLogGroup", + "title": "StopLogging", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -5849,7 +5849,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLogGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopLogging $userIdentity.arn $network.client.ip $account" } } ], @@ -5871,10 +5871,10 @@ } }, { - "id": 1235322284, + "id": 516730243, "definition": { "type": "note", - "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", + "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -5890,9 +5890,9 @@ } }, { - "id": 1112063765, + "id": 397458500, "definition": { - "title": "DeleteLogStream", + "title": "UpdateTrail", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -5910,7 +5910,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLogStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateTrail $userIdentity.arn $network.client.ip $account" } } ], @@ -5932,7 +5932,7 @@ } }, { - "id": 2948895400, + "id": 4017284417, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5951,7 +5951,7 @@ } }, { - "id": 678153233, + "id": 1849867913, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5993,7 +5993,7 @@ } }, { - "id": 1479244909, + "id": 547158336, "definition": { "type": "note", "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -6012,7 +6012,7 @@ } }, { - "id": 1256647503, + "id": 427886593, "definition": { "title": "CreateLogStream", "title_size": "16", 
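Review bot: The new ids 4017284417 and 1849867913 assigned to the PutLogEvents note and query_value widgets in hunks @@ -5932 / @@ -5951 are reused verbatim for the second PutLogEvents pair in hunks @@ -6237 / @@ -6256, so the dashboard still carries duplicate widget ids — the same collision the old file had with 2948895400 and 678153233, only renumbered. This suggests the id is derived from widget content alone, so any event listed under two tactic groups will collide. If the Datadog API treats widget ids as unique within a dashboard, the second pair may be dropped or rejected on import; deriving the id from the group name plus the event name, or omitting `"id"` and letting the API assign it, would avoid that. The rest of the PutLogEvents widgets is identical in both copies, so no other behaviour changes.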
@@ -6054,10 +6054,10 @@ } }, { - "id": 2805238463, + "id": 1837455566, "definition": { "type": "note", - "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6073,9 +6073,9 @@ } }, { - "id": 534496296, + "id": 1718183823, "definition": { - "title": "DeleteRule", + "title": "DeleteAlarms", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6093,7 +6093,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteAlarms $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6115,10 +6115,10 @@ } }, { - "id": 3279874169, + "id": 911979304, "definition": { "type": "note", - "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6134,9 +6134,9 @@ } }, { - "id": 3156615650, + "id": 792707561, "definition": { - "title": "RemoveTargets", + "title": "DeleteLogGroup", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6154,7 +6154,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteLogGroup $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6176,10 +6176,10 @@ } }, { - "id": 407210302, + "id": 2389778065, "definition": { "type": "note", - "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6195,9 +6195,9 @@ } }, { - "id": 184612896, + "id": 222361561, "definition": { - "title": "DisableRule", + "title": "DeleteLogStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6215,7 +6215,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteLogStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6237,10 +6237,10 @@ } }, { - "id": 94986808, + "id": 4017284417, "definition": { "type": "note", - "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6256,9 +6256,9 @@ } }, { - "id": 2119211937, + "id": 1849867913, "definition": { - "title": "PutRule", + "title": "PutLogEvents", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6276,7 +6276,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutLogEvents $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6298,10 +6298,10 @@ } }, { - "id": 2005265155, + "id": 795978684, "definition": { "type": "note", - "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6317,9 +6317,9 @@ } }, { - "id": 1882006636, + "id": 676706941, "definition": { - "title": "CreateInstances", + "title": "DeleteConfigRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6337,7 +6337,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteConfigRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6359,10 +6359,10 @@ } }, { - "id": 1547567171, + "id": 1711666955, "definition": { "type": "note", - "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6378,9 +6378,9 @@ } }, { - "id": 3472453413, + "id": 1592395212, "definition": { - "title": "DeleteMembers", + "title": "DeleteConfigurationRecorder", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6398,7 +6398,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteConfigurationRecorder $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6420,10 +6420,10 @@ } }, { - "id": 1588978572, + "id": 1872821811, "definition": { "type": "note", - "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6439,9 +6439,9 @@ } }, { - "id": 1465720053, + "id": 1753550068, "definition": { - "title": "DetachRolePolicy", + "title": "DeleteDeliveryChannel", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6459,7 +6459,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteDeliveryChannel $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6481,10 +6481,10 @@ } }, { - "id": 2756385903, + "id": 507040142, "definition": { "type": "note", - "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6500,9 +6500,9 @@ } }, { - "id": 485643736, + "id": 387768399, "definition": { - "title": "DeleteUserPolicy", + "title": "StopConfigurationRecorder", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6520,7 +6520,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopConfigurationRecorder $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6542,10 +6542,10 @@ } }, { - "id": 1171130190, + "id": 2851998901, "definition": { "type": "note", - "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6561,9 +6561,9 @@ } }, { - "id": 3195355319, + "id": 2732727158, "definition": { - "title": "DeleteAccessKey", + "title": "DeleteFlowLogs", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6581,7 +6581,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteAccessKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteFlowLogs $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6603,10 +6603,10 @@ } }, { - "id": 1332008588, + "id": 1354400746, "definition": { "type": "note", - "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6622,9 +6622,9 @@ } }, { - "id": 1109411182, + "id": 1235129003, "definition": { - "title": "DeleteUser", + "title": "DeleteNetworkAcl", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6642,7 +6642,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteNetworkAcl $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6664,10 +6664,10 @@ } }, { - "id": 1260422027, + "id": 4160458240, "definition": { "type": "note", - "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6683,9 +6683,9 @@ } }, { - "id": 3185308269, + "id": 4041186497, "definition": { - "title": "DetachUserPolicy", + "title": "DeleteNetworkAclEntry", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6703,7 +6703,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteNetworkAclEntry $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6725,10 +6725,10 @@ } }, { - "id": 1787334227, + "id": 1251938597, "definition": { "type": "note", - "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6744,9 +6744,9 @@ } }, { - "id": 3811559356, + "id": 1132666854, "definition": { - "title": "DeleteLoginProfile", + "title": "StopInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6764,7 +6764,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6786,10 +6786,10 @@ } }, { - "id": 2224973506, + "id": 2398176047, "definition": { "type": "note", - "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", + "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6805,9 +6805,9 @@ } }, { - "id": 4249198635, + "id": 2278904304, "definition": { - "title": "DeactivateMFADevice", + "title": "TerminateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -6825,7 +6825,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeactivateMFADevice $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -6847,7 +6847,7 @@ } }, { - "id": 130950239, + "id": 2518024035, "definition": { "type": "note", "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -6866,7 +6866,7 @@ } }, { - "id": 2155175368, + "id": 350607531, "definition": { "title": "CreateRule", "title_size": "16", 
@@ -6908,10 +6908,10 @@ } }, { - "id": 3411014943, + "id": 1465244364, "definition": { "type": "note", - "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", + "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -6927,9 +6927,9 @@ } }, { - "id": 3287756424, + "id": 1345972621, "definition": { - "title": "StopLogging", + "title": "DeleteRule", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -6947,7 +6947,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:StopLogging $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -6969,10 +6969,10 @@
 }
 },
 {
- "id": 1651529469,
+ "id": 4057955755,
 "definition": {
 "type": "note",
- "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n",
+ "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -6988,9 +6988,9 @@
 }
 },
 {
- "id": 1428932063,
+ "id": 3938684012,
 "definition": {
- "title": "UpdateTrail",
+ "title": "DisableRule",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7008,7 +7008,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateTrail $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7030,10 +7030,10 @@
 }
 },
 {
- "id": 971096752,
+ "id": 3172398344,
 "definition": {
 "type": "note",
- "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n",
+ "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7049,9 +7049,9 @@
 }
 },
 {
- "id": 2995321881,
+ "id": 3053126601,
 "definition": {
- "title": "DeleteTrail",
+ "title": "PutRule",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7069,7 +7069,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteTrail $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7091,10 +7091,10 @@
 }
 },
 {
- "id": 1991266575,
+ "id": 1050020491,
 "definition": {
 "type": "note",
- "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
+ "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7110,9 +7110,9 @@
 }
 },
 {
- "id": 1868008056,
+ "id": 930748748,
 "definition": {
- "title": "PutEventSelectors",
+ "title": "RemoveTargets",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7130,7 +7130,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:PutEventSelectors $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7152,10 +7152,10 @@
 }
 },
 {
- "id": 2485986920,
+ "id": 1676825606,
 "definition": {
 "type": "note",
- "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
+ "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7171,9 +7171,9 @@
 }
 },
 {
- "id": 115905866,
+ "id": 1557553863,
 "definition": {
- "title": "UpdateGraphqlApi",
+ "title": "CreateFilter",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7191,7 +7191,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateGraphqlApi $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateFilter $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7213,10 +7213,10 @@
 }
 },
 {
- "id": 3094836773,
+ "id": 3396737101,
 "definition": {
 "type": "note",
- "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
+ "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7232,9 +7232,9 @@
 }
 },
 {
- "id": 824094606,
+ "id": 1229320597,
 "definition": {
- "title": "CreateApiKey",
+ "title": "CreateIPSet",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7252,7 +7252,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:CreateApiKey $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:CreateIPSet $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7274,10 +7274,10 @@
 }
 },
 {
- "id": 3457002854,
+ "id": 219430597,
 "definition": {
 "type": "note",
- "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n",
+ "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7293,9 +7293,9 @@
 }
 },
 {
- "id": 1186260687,
+ "id": 100158854,
 "definition": {
- "title": "UpdateResolver",
+ "title": "DeleteDetector",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7313,7 +7313,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateResolver $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteDetector $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7335,10 +7335,10 @@
 }
 },
 {
- "id": 916394037,
+ "id": 3291001424,
 "definition": {
 "type": "note",
- "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n",
+ "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7354,9 +7354,9 @@
 }
 },
 {
- "id": 2940619166,
+ "id": 3171729681,
 "definition": {
- "title": "DeleteBucketPolicy",
+ "title": "DeleteInvitations",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7374,7 +7374,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteBucketPolicy $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteInvitations $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7396,10 +7396,10 @@
 }
 },
 {
- "id": 3307356749,
+ "id": 940767877,
 "definition": {
 "type": "note",
- "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n",
+ "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7415,9 +7415,9 @@
 }
 },
 {
- "id": 1036614582,
+ "id": 821496134,
 "definition": {
- "title": "DeleteFlowLogs",
+ "title": "DeleteMembers",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7435,7 +7435,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteFlowLogs $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7457,10 +7457,10 @@
 }
 },
 {
- "id": 1006150339,
+ "id": 3532707857,
 "definition": {
 "type": "note",
- "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n",
+ "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7476,9 +7476,9 @@
 }
 },
 {
- "id": 783552933,
+ "id": 1365291353,
 "definition": {
- "title": "DeleteNetworkAcl",
+ "title": "DeletePublishingDestination",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7496,7 +7496,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteNetworkAcl $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeletePublishingDestination $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7518,10 +7518,10 @@
 }
 },
 {
- "id": 999095650,
+ "id": 4280830030,
 "definition": {
 "type": "note",
- "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n",
+ "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7537,9 +7537,9 @@
 }
 },
 {
- "id": 875837131,
+ "id": 2113413526,
 "definition": {
- "title": "TerminateInstances",
+ "title": "DisassociateFromMasterAccount",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7557,7 +7557,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DisassociateFromMasterAccount $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7579,10 +7579,10 @@
 }
 },
 {
- "id": 1566380299,
+ "id": 3500423418,
 "definition": {
 "type": "note",
- "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n",
+ "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7598,9 +7598,9 @@
 }
 },
 {
- "id": 1443121780,
+ "id": 3381151675,
 "definition": {
- "title": "DeleteNetworkAclEntry",
+ "title": "DisassociateMembers",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7618,7 +7618,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteNetworkAclEntry $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DisassociateMembers $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7640,10 +7640,10 @@
 }
 },
 {
- "id": 3124893105,
+ "id": 4194204278,
 "definition": {
 "type": "note",
- "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
+ "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7659,9 +7659,9 @@
 }
 },
 {
- "id": 854150938,
+ "id": 2026787774,
 "definition": {
- "title": "StopInstances",
+ "title": "StopMonitoringMembers",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7679,7 +7679,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:StopMonitoringMembers $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7701,10 +7701,10 @@
 }
 },
 {
- "id": 1909641963,
+ "id": 2177168671,
 "definition": {
 "type": "note",
- "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n",
+ "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7720,9 +7720,9 @@
 }
 },
 {
- "id": 3933867092,
+ "id": 2057896928,
 "definition": {
- "title": "AuthorizeDBSecurityGroupIngress",
+ "title": "UpdateDetector",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7740,7 +7740,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:AuthorizeDBSecurityGroupIngress $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:UpdateDetector $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7762,10 +7762,10 @@
 }
 },
 {
- "id": 1402230070,
+ "id": 2122325017,
 "definition": {
 "type": "note",
- "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n",
+ "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7781,9 +7781,9 @@
 }
 },
 {
- "id": 3426455199,
+ "id": 2003053274,
 "definition": {
- "title": "ModifyActivityStream",
+ "title": "UpdateIPSet",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7801,7 +7801,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ModifyActivityStream $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7823,10 +7823,10 @@
 }
 },
 {
- "id": 40348489,
+ "id": 1346074451,
 "definition": {
 "type": "note",
- "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7842,9 +7842,9 @@
 }
 },
 {
- "id": 4112718379,
+ "id": 1226802708,
 "definition": {
- "title": "DeleteIdentity",
+ "title": "DeactivateMFADevice",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7862,7 +7862,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteIdentity $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeactivateMFADevice $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7884,10 +7884,10 @@
 }
 },
 {
- "id": 1611381416,
+ "id": 1742991337,
 "definition": {
 "type": "note",
- "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7903,9 +7903,9 @@
 }
 },
 {
- "id": 1488122897,
+ "id": 1623719594,
 "definition": {
- "title": "UpdateIPSet",
+ "title": "DeleteAccessKey",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7923,7 +7923,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteAccessKey $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -7945,10 +7945,10 @@
 }
 },
 {
- "id": 279842838,
+ "id": 1213295304,
 "definition": {
 "type": "note",
- "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n",
+ "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -7964,9 +7964,9 @@
 }
 },
 {
- "id": 2304067967,
+ "id": 1094023561,
 "definition": {
- "title": "DeleteInvitations",
+ "title": "DeleteLoginProfile",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -7984,7 +7984,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteInvitations $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteLoginProfile $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -8006,10 +8006,10 @@
 }
 },
 {
- "id": 800062478,
+ "id": 1464306203,
 "definition": {
 "type": "note",
- "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -8025,9 +8025,9 @@
 }
 },
 {
- "id": 676803959,
+ "id": 1345034460,
 "definition": {
- "title": "UpdateDetector",
+ "title": "DeleteUser",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -8045,7 +8045,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:UpdateDetector $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteUser $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -8067,10 +8067,10 @@
 }
 },
 {
- "id": 2909434880,
+ "id": 1092843542,
 "definition": {
 "type": "note",
- "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n",
+ "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -8086,9 +8086,9 @@
 }
 },
 {
- "id": 2786176361,
+ "id": 973571799,
 "definition": {
- "title": "DeleteDetector",
+ "title": "DeleteUserPolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -8106,7 +8106,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeleteDetector $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DeleteUserPolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -8128,10 +8128,10 @@
 }
 },
 {
- "id": 841183435,
+ "id": 2556484184,
 "definition": {
 "type": "note",
- "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -8147,9 +8147,9 @@
 }
 },
 {
- "id": 717924916,
+ "id": 2437212441,
 "definition": {
- "title": "DeletePublishingDestination",
+ "title": "DetachRolePolicy",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -8167,7 +8167,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DeletePublishingDestination $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DetachRolePolicy $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -8189,10 +8189,10 @@ } }, { - "id": 3374104199, + "id": 781468349, "definition": { "type": "note", - "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8208,9 +8208,9 @@ } }, { - "id": 3250845680, + "id": 662196606, "definition": { - "title": "DisassociateMembers", + "title": "DetachUserPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8228,7 +8228,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisassociateMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DetachUserPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8250,10 +8250,10 @@ } }, { - "id": 3187174793, + "id": 386718684, "definition": { "type": "note", - "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8269,9 +8269,9 @@ } }, { - "id": 817093739, + "id": 267446941, "definition": { - "title": "DisassociateFromMasterAccount", + "title": "CreateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8289,7 +8289,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisassociateFromMasterAccount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8311,10 +8311,10 @@ } }, { - "id": 2236413823, + "id": 154809828, "definition": { "type": "note", - "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [CreateAccount](https://traildiscover.cloud/#Organizations-CreateAccount)\n\n**Description:** Creates an AWS account that is automatically a member of the organization whose credentials made the request.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8330,9 +8330,9 @@ } }, { - "id": 2113155304, + "id": 35538085, "definition": { - "title": "StopMonitoringMembers", + "title": "CreateAccount", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8350,7 +8350,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopMonitoringMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateAccount $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8372,10 +8372,10 @@ } }, { - "id": 50924102, + "id": 566859568, "definition": { "type": "note", - "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [InviteAccountToOrganization](https://traildiscover.cloud/#Organizations-InviteAccountToOrganization)\n\n**Description:** Sends an invitation to another account to join your organization as a member account.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8391,9 +8391,9 @@ } }, { - "id": 2075149231, + "id": 2694410360, "definition": { - "title": "CreateIPSet", + "title": "InviteAccountToOrganization", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8411,7 +8411,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateIPSet $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InviteAccountToOrganization $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8433,10 +8433,10 @@ } }, { - "id": 3021382888, + "id": 3261103547, "definition": { "type": "note", - "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8452,9 +8452,9 @@ } }, { - "id": 2898124369, + "id": 1093687043, "definition": { - "title": "CreateFilter", + "title": "LeaveOrganization", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8472,7 +8472,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFilter $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:LeaveOrganization $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8494,10 +8494,10 @@ } }, { - "id": 1547567171, + "id": 1143388080, "definition": { "type": "note", - "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8513,9 +8513,9 @@ } }, { - "id": 3472453413, + "id": 3270938872, "definition": { - "title": "DeleteMembers", + "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8533,7 +8533,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AuthorizeDBSecurityGroupIngress $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8555,10 +8555,10 @@ } }, { - "id": 878871959, + "id": 1979109440, "definition": { "type": "note", - "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", + "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8574,9 +8574,9 @@ } }, { - "id": 755613440, + "id": 1859837697, "definition": { - "title": "DeleteConfigurationRecorder", + "title": "ModifyActivityStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8594,7 +8594,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteConfigurationRecorder $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ModifyActivityStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8616,10 +8616,10 @@ } }, { - "id": 2794430409, + "id": 4178411761, "definition": { "type": "note", - "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8635,9 +8635,9 @@ } }, { - "id": 2571833003, + "id": 4059140018, "definition": { - "title": "DeleteDeliveryChannel", + "title": "DeleteBucketPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8655,7 +8655,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteDeliveryChannel $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteBucketPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8677,10 +8677,10 @@ } }, { - "id": 3867624443, + "id": 940767877, "definition": { "type": "note", - "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8696,9 +8696,9 @@ } }, { - "id": 3744365924, + "id": 821496134, "definition": { - "title": "StopConfigurationRecorder", + "title": "DeleteMembers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8716,7 +8716,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopConfigurationRecorder $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteMembers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -8738,10 +8738,10 @@ } }, { - "id": 2881210171, + "id": 3036410288, "definition": { "type": "note", - "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", + "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8757,9 +8757,9 @@ } }, { - "id": 610468004, + "id": 2917138545, "definition": { - "title": "DeleteConfigRule", + "title": "DeleteIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8777,7 +8777,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteConfigRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteIdentity $userIdentity.arn $network.client.ip $account" } } ], @@ -8799,7 +8799,7 @@ } }, { - "id": 155093139, + "id": 2026031417, "definition": { "type": "note", "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", 
@@ -8818,7 +8818,7 @@ } }, { - "id": 2179318268, + "id": 4153582209, "definition": { "title": "DeleteRuleGroup", "title_size": "16", @@ -8860,10 +8860,10 @@ } }, { - "id": 1611381416, + "id": 2027345482, "definition": { "type": "note", - "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8879,9 +8879,9 @@ } }, { - "id": 1488122897, + "id": 1908073739, "definition": { - "title": "UpdateIPSet", + "title": "DeleteWebACL", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8899,7 +8899,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteWebACL $userIdentity.arn $network.client.ip $account" } } ], @@ -8921,10 +8921,10 @@ } }, { - "id": 2651844872, + "id": 2122325017, "definition": { "type": "note", - "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -8940,9 +8940,9 @@ } }, { - "id": 381102705, + "id": 2003053274, "definition": { - "title": "DeleteWebACL", + "title": "UpdateIPSet", "title_size": "16", "title_align": "left", "type": "query_value", @@ -8960,7 +8960,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteWebACL $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateIPSet $userIdentity.arn $network.client.ip $account" } } ], @@ -8991,7 +8991,7 @@ } }, { - "id": 1992852635, + "id": 338179879, "definition": { "type": "group", "layout_type": "ordered", 
@@ -9000,10 +9000,10 @@ "show_title": true, "widgets": [ { - "id": 2235793209, + "id": 2948400570, "definition": { "type": "note", - "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", + "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -9019,9 +9019,9 @@ } }, { - "id": 4260018338, + "id": 780984066, "definition": { - "title": "GetSecretValue", + "title": "GetPasswordData", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9039,7 +9039,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetSecretValue $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetPasswordData $userIdentity.arn $network.client.ip $account" } } ], @@ -9061,7 +9061,7 @@ } }, { - "id": 1258861938, + "id": 4211337879, "definition": { "type": "note", "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -9080,7 +9080,7 @@ } }, { - "id": 1135603419, + "id": 4092066136, "definition": { "title": "DescribeSecret", "title_size": "16", 
@@ -9122,10 +9122,10 @@ } }, { - "id": 1031872062, + "id": 3867587219, "definition": { "type": "note", - "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", + "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -9141,9 +9141,9 @@ } }, { - "id": 3056097191, + "id": 3748315476, "definition": { - "title": "ListSecrets", + "title": "GetSecretValue", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9161,7 +9161,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSecrets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetSecretValue $userIdentity.arn $network.client.ip $account" } } ], 
@@ -9183,10 +9183,10 @@ } }, { - "id": 3160883149, + "id": 3498922672, "definition": { "type": "note", - "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -9202,9 +9202,9 @@ } }, { - "id": 3037624630, + "id": 3379650929, "definition": { - "title": "GetPasswordData", + "title": "ListSecrets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9222,7 +9222,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetPasswordData $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSecrets $userIdentity.arn $network.client.ip $account" } } ], @@ -9244,7 +9244,7 @@ } }, { - "id": 2576109304, + "id": 3871278422, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -9263,7 +9263,7 @@ } }, { - "id": 2353511898, + "id": 3752006679, "definition": { "title": "GetParameters", "title_size": "16", @@ -9314,7 +9314,7 @@ } }, { - "id": 1337316466, + "id": 3725073015, "definition": { "type": "group", "layout_type": "ordered", 
@@ -9323,10 +9323,10 @@ "show_title": true, "widgets": [ { - "id": 1868403757, + "id": 1315437973, "definition": { "type": "note", - "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -9342,9 +9342,9 @@ } }, { - "id": 1645806351, + "id": 1196166230, "definition": { - "title": "ListDomains", + "title": "GetCertificate", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9362,7 +9362,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListDomains $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetCertificate $userIdentity.arn $network.client.ip $account" } } ], 
@@ -9384,10 +9384,10 @@ } }, { - "id": 935436818, + "id": 3914062498, "definition": { "type": "note", - "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -9403,9 +9403,9 @@ } }, { - "id": 2959661947, + "id": 1746645994, "definition": { - "title": "GetHostedZoneCount", + "title": "IssueCertificate", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9423,7 +9423,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetHostedZoneCount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:IssueCertificate $userIdentity.arn $network.client.ip $account" } } ], 
@@ -9445,10 +9445,10 @@ } }, { - "id": 2772775466, + "id": 2834263952, "definition": { "type": "note", - "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", + "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -9464,9 +9464,9 @@ } }, { - "id": 2550178060, + "id": 2714992209, "definition": { - "title": "DescribeOrganization", + "title": "GetIntrospectionSchema", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9484,7 +9484,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeOrganization $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetIntrospectionSchema $userIdentity.arn $network.client.ip $account" } } ], 
@@ -9506,10 +9506,10 @@ } }, { - "id": 219069719, + "id": 4266151995, "definition": { "type": "note", - "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", + "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -9525,9 +9525,9 @@ } }, { - "id": 2243294848, + "id": 4146880252, "definition": { - "title": "ListOrganizationalUnitsForParent", + "title": "GetQueryResults", "title_size": "16", "title_align": "left", "type": "query_value", @@ -9545,7 +9545,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListOrganizationalUnitsForParent $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetQueryResults $userIdentity.arn $network.client.ip $account" } } ], 
@@ -9567,10 +9567,10 @@
 }
 },
 {
- "id": 4085183378,
+ "id": 3272381859,
 "definition": {
 "type": "note",
- "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
+ "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9586,9 +9586,9 @@
 }
 },
 {
- "id": 3862585972,
+ "id": 3153110116,
 "definition": {
- "title": "ListAccounts",
+ "title": "GetFoundationModelAvailability",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9606,7 +9606,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListAccounts $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetFoundationModelAvailability $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9628,10 +9628,10 @@
 }
 },
 {
- "id": 2625827243,
+ "id": 2725252114,
 "definition": {
 "type": "note",
- "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n",
+ "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current 
configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9647,9 +9647,9 @@
 }
 },
 {
- "id": 255746189,
+ "id": 2605980371,
 "definition": {
- "title": "GetCallerIdentity",
+ "title": "GetModelInvocationLoggingConfiguration",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9667,7 +9667,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetCallerIdentity $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetModelInvocationLoggingConfiguration $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9689,10 +9689,10 @@
 }
 },
 {
- "id": 1751682574,
+ "id": 801710898,
 "definition": {
 "type": "note",
- "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
+ "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9708,9 +9708,9 @@
 }
 },
 {
- "id": 3775907703,
+ "id": 682439155,
 "definition": {
- "title": "ListTopics",
+ "title": "GetUseCaseForModelAccess",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9728,7 +9728,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListTopics $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetUseCaseForModelAccess $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9750,10 +9750,10 @@
 }
 },
 {
- "id": 2493842541,
+ "id": 3473836945,
 "definition": {
 "type": "note",
- "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
+ "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9769,9 +9769,9 @@
 }
 },
 {
- "id": 123761487,
+ "id": 3354565202,
 "definition": {
- "title": "ListSubscriptions",
+ "title": "InvokeModel",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9789,7 +9789,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListSubscriptions $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9811,10 +9811,10 @@
 }
 },
 {
- "id": 2411613281,
+ "id": 3605021153,
 "definition": {
 "type": "note",
- "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
+ "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9830,9 +9830,9 @@
 }
 },
 {
- "id": 2288354762,
+ "id": 3485749410,
 "definition": {
- "title": "ListOriginationNumbers",
+ "title": "ListFoundationModelAgreementOffers",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9850,7 +9850,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListOriginationNumbers $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListFoundationModelAgreementOffers $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9872,10 +9872,10 @@
 }
 },
 {
- "id": 345530653,
+ "id": 3850888294,
 "definition": {
 "type": "note",
- "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9891,9 +9891,9 @@
 }
 },
 {
- "id": 2369755782,
+ "id": 1683471790,
 "definition": {
- "title": "GetSMSAttributes",
+ "title": "ListFoundationModels",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9911,7 +9911,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetSMSAttributes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListFoundationModels $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9933,10 +9933,10 @@
 }
 },
 {
- "id": 1813120063,
+ "id": 3274537459,
 "definition": {
 "type": "note",
- "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n",
+ "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -9952,9 +9952,9 @@
 }
 },
 {
- "id": 3837345192,
+ "id": 3155265716,
 "definition": {
- "title": "GetSMSSandboxAccountStatus",
+ "title": "ListProvisionedModelThroughputs",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -9972,7 +9972,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetSMSSandboxAccountStatus $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListProvisionedModelThroughputs $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -9994,10 +9994,10 @@
 }
 },
 {
- "id": 3742466775,
+ "id": 968636819,
 "definition": {
 "type": "note",
- "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n",
+ "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10013,9 +10013,9 @@
 }
 },
 {
- "id": 1471724608,
+ "id": 849365076,
 "definition": {
- "title": "IssueCertificate",
+ "title": "LookupEvents",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10033,7 +10033,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:IssueCertificate $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:LookupEvents $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10055,10 +10055,10 @@
 }
 },
 {
- "id": 302545947,
+ "id": 3100215044,
 "definition": {
 "type": "note",
- "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n",
+ "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10074,9 +10074,9 @@
 }
 },
 {
- "id": 179287428,
+ "id": 2980943301,
 "definition": {
- "title": "GetCertificate",
+ "title": "DescribeLogGroups",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10094,7 +10094,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetCertificate $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeLogGroups $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10116,10 +10116,10 @@
 }
 },
 {
- "id": 1937895802,
+ "id": 2034584803,
 "definition": {
 "type": "note",
- "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10135,9 +10135,9 @@
 }
 },
 {
- "id": 3962120931,
+ "id": 1915313060,
 "definition": {
- "title": "DescribeLogGroups",
+ "title": "DescribeLogStreams",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10155,7 +10155,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeLogGroups $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeLogStreams $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10177,7 +10177,7 @@
 }
 },
 {
- "id": 3274026046,
+ "id": 4079997213,
 "definition": {
 "type": "note",
 "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -10196,7 +10196,7 @@
 }
 },
 {
- "id": 1003283879,
+ "id": 3960725470,
 "definition": {
 "title": "DescribeSubscriptionFilters",
 "title_size": "16",
@@ -10238,10 +10238,10 @@
 }
 },
 {
- "id": 3626370615,
+ "id": 1471935979,
 "definition": {
 "type": "note",
- "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10257,9 +10257,9 @@
 }
 },
 {
- "id": 3503112096,
+ "id": 3599486771,
 "definition": {
- "title": "DescribeLogStreams",
+ "title": "GetLogRecord",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10277,7 +10277,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeLogStreams $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetLogRecord $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10299,10 +10299,10 @@
 }
 },
 {
- "id": 2586240250,
+ "id": 1013844008,
 "definition": {
 "type": "note",
- "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10318,9 +10318,9 @@
 }
 },
 {
- "id": 2462981731,
+ "id": 894572265,
 "definition": {
- "title": "GetLogRecord",
+ "title": "GetCostAndUsage",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10338,7 +10338,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetLogRecord $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetCostAndUsage $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10360,10 +10360,10 @@
 }
 },
 {
- "id": 3576493846,
+ "id": 4069494667,
 "definition": {
 "type": "note",
- "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10379,9 +10379,9 @@
 }
 },
 {
- "id": 3453235327,
+ "id": 1902078163,
 "definition": {
- "title": "GetQueryResults",
+ "title": "DescribeAccountAttributes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10399,7 +10399,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetQueryResults $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeAccountAttributes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10421,10 +10421,10 @@
 }
 },
 {
- "id": 3674934063,
+ "id": 1073998549,
 "definition": {
 "type": "note",
- "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10440,9 +10440,9 @@
 }
 },
 {
- "id": 1404191896,
+ "id": 954726806,
 "definition": {
- "title": "ListTargetsByRule",
+ "title": "DescribeAvailabilityZones",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10460,7 +10460,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListTargetsByRule $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeAvailabilityZones $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10482,10 +10482,10 @@
 }
 },
 {
- "id": 2717740185,
+ "id": 521452942,
 "definition": {
 "type": "note",
- "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
+ "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10501,9 +10501,9 @@
 }
 },
 {
- "id": 2495142779,
+ "id": 2649003734,
 "definition": {
- "title": "ListRules",
+ "title": "DescribeBundleTasks",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10521,7 +10521,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListRules $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeBundleTasks $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10543,10 +10543,10 @@
 }
 },
 {
- "id": 3286446408,
+ "id": 2955743937,
 "definition": {
 "type": "note",
- "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10562,9 +10562,9 @@
 }
 },
 {
- "id": 3063849002,
+ "id": 2836472194,
 "definition": {
- "title": "GetInstances",
+ "title": "DescribeCarrierGateways",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10582,7 +10582,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetInstances $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeCarrierGateways $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10604,10 +10604,10 @@
 }
 },
 {
- "id": 1792041788,
+ "id": 1156541374,
 "definition": {
 "type": "note",
- "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10623,9 +10623,9 @@
 }
 },
 {
- "id": 3816266917,
+ "id": 1037269631,
 "definition": {
- "title": "GetRegions",
+ "title": "DescribeClientVpnRoutes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10643,7 +10643,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetRegions $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeClientVpnRoutes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10665,10 +10665,10 @@
 }
 },
 {
- "id": 2448456875,
+ "id": 2198537740,
 "definition": {
 "type": "note",
- "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n",
+ "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10684,9 +10684,9 @@
 }
 },
 {
- "id": 78375821,
+ "id": 2079265997,
 "definition": {
- "title": "GetCostAndUsage",
+ "title": "DescribeDhcpOptions",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10704,7 +10704,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetCostAndUsage $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeDhcpOptions $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10726,10 +10726,10 @@
 }
 },
 {
- "id": 2595383175,
+ "id": 3278134606,
 "definition": {
 "type": "note",
- "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
+ "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10745,9 +10745,9 @@
 }
 },
 {
- "id": 324641008,
+ "id": 1110718102,
 "definition": {
- "title": "ListGroupsForUser",
+ "title": "DescribeFlowLogs",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10765,7 +10765,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListGroupsForUser $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeFlowLogs $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10787,10 +10787,10 @@
 }
 },
 {
- "id": 487062516,
+ "id": 1956074601,
 "definition": {
 "type": "note",
- "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n",
+ "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10806,9 +10806,9 @@
 }
 },
 {
- "id": 264465110,
+ "id": 1836802858,
 "definition": {
- "title": "ListAccessKeys",
+ "title": "DescribeImages",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10826,7 +10826,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListAccessKeys $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeImages $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10848,10 +10848,10 @@
 }
 },
 {
- "id": 969707456,
+ "id": 1894662014,
 "definition": {
 "type": "note",
- "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
+ "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -10867,9 +10867,9 @@
 }
 },
 {
- "id": 747110050,
+ "id": 1775390271,
 "definition": {
- "title": "SimulatePrincipalPolicy",
+ "title": "DescribeInstanceAttribute",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -10887,7 +10887,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:SimulatePrincipalPolicy $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeInstanceAttribute $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -10909,10 +10909,10 @@ } }, { - "id": 263920346, + "id": 4032146424, "definition": { "type": "note", - "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10928,9 +10928,9 @@ } }, { - "id": 41322940, + "id": 1864729920, "definition": { - "title": "GetAccountAuthorizationDetails", + "title": "DescribeInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -10948,7 +10948,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetAccountAuthorizationDetails $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeInstances $userIdentity.arn $network.client.ip $account" } } ], 
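Review bot: The new DescribeInstances note content separates its "Related Incidents" list from the "**Related Research:**" heading with a single `\n` rather than the `\n\n` used before "**Related Incidents:**", so in the rendered markdown the heading becomes a lazy continuation of the last list item instead of starting a new paragraph. The same pattern appears in the new DescribeRegions note in the hunk at -11092. The fix is one character per widget, e.g. `...findings-in-the-wild/)\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS]...`. If these notes are produced by a generator, the blank line is presumably missing in the template rather than in this file, so the fix belongs there.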
@@ -10970,10 +10970,10 @@ } }, { - "id": 3754119458, + "id": 3524165521, "definition": { "type": "note", - "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10989,9 +10989,9 @@ } }, { - "id": 3630860939, + "id": 3404893778, "definition": { - "title": "ListGroups", + "title": "DescribeInstanceTypes", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11009,7 +11009,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListGroups $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeInstanceTypes $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11031,10 +11031,10 @@ } }, { - "id": 429203467, + "id": 3051300180, "definition": { "type": "note", - "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -11050,9 +11050,9 @@ } }, { - "id": 206606061, + "id": 2932028437, "definition": { - "title": "ListUsers", + "title": "DescribeKeyPairs", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11070,7 +11070,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListUsers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeKeyPairs $userIdentity.arn $network.client.ip $account" } } ], @@ -11092,10 +11092,10 @@ } }, { - "id": 3173749927, + "id": 2859948755, "definition": { "type": "note", - "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11111,9 +11111,9 @@ } }, { - "id": 903007760, + "id": 2740677012, "definition": { - "title": "ListRoles", + "title": "DescribeRegions", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -11131,7 +11131,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListRoles $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeRegions $userIdentity.arn $network.client.ip $account" } } ], @@ -11153,10 +11153,10 @@ } }, { - "id": 3863893786, + "id": 1706777055, "definition": { "type": "note", - "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11172,9 +11172,9 @@ } }, { - "id": 1593151619, + "id": 1587505312, "definition": { - "title": "ListSAMLProviders", + "title": "GetLaunchTemplateData", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11192,7 +11192,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSAMLProviders $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account" } } ], 
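Review bot: The GetLaunchTemplateData note and query_value widgets introduced in the hunks at -11153, -11172 and -11192 are added a second time in the hunks at -11946, -11965 and -11985 with the identical content, title, search query and widget ids `1706777055` and `1587505312`. Every other new widget in this chunk carries a unique id, so the repeat looks like the event appearing twice in whatever list the dashboard is built from (once among the Describe* events, once among the Get* events) rather than an intentional second panel. One of the two pairs should be dropped, presumably the later one, since the earlier one sits in the position matching the combined Discovery query; if the source list is deduplicated first the ids will also stop colliding. Whether Datadog rejects or silently reassigns duplicate widget ids on import is not something this diff shows, so treat the collision as something to confirm against the import path.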
@@ -11214,10 +11214,10 @@ } }, { - "id": 1163806606, + "id": 2335153106, "definition": { "type": "note", - "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11233,9 +11233,9 @@ } }, { - "id": 3188031735, + "id": 2215881363, "definition": { - "title": "GetUser", + "title": "DescribeSecurityGroups", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11253,7 +11253,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeSecurityGroups $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11275,10 +11275,10 @@ } }, { - "id": 853271087, + "id": 2385808573, "definition": { "type": "note", - "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11294,9 +11294,9 @@ } }, { - "id": 630673681, + "id": 2266536830, "definition": { - "title": "ListAttachedRolePolicies", + "title": "DescribeSnapshotAttribute", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11314,7 +11314,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListAttachedRolePolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeSnapshotAttribute $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11336,10 +11336,10 @@ } }, { - "id": 943664834, + "id": 2520957555, "definition": { "type": "note", - "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11355,9 +11355,9 @@ } }, { - "id": 2967889963, + "id": 2401685812, "definition": { - "title": "ListServiceSpecificCredentials", + "title": "DescribeSnapshotTierStatus", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11375,7 +11375,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListServiceSpecificCredentials $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeSnapshotTierStatus $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11397,10 +11397,10 @@ } }, { - "id": 2711776374, + "id": 1815987245, "definition": { "type": "note", - "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11416,9 +11416,9 @@ } }, { - "id": 441034207, + "id": 1696715502, "definition": { - "title": "ListRolePolicies", + "title": "DescribeTransitGatewayMulticastDomains", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11436,7 +11436,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListRolePolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeTransitGatewayMulticastDomains $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11458,10 +11458,10 @@ } }, { - "id": 1311901670, + "id": 2448808243, "definition": { "type": "note", - "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11477,9 +11477,9 @@ } }, { - "id": 1089304264, + "id": 2329536500, "definition": { - "title": "ListSigningCertificates", + "title": "DescribeVolumes", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11497,7 +11497,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSigningCertificates $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeVolumes $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11519,10 +11519,10 @@ } }, { - "id": 406526411, + "id": 531098701, "definition": { "type": "note", - "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11538,9 +11538,9 @@ } }, { - "id": 283267892, + "id": 411826958, "definition": { - "title": "ListInstanceProfiles", + "title": "DescribeVolumesModifications", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11558,7 +11558,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListInstanceProfiles $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeVolumesModifications $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11580,10 +11580,10 @@ } }, { - "id": 3509573240, + "id": 3594558969, "definition": { "type": "note", - "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11599,9 +11599,9 @@ } }, { - "id": 3386314721, + "id": 3475287226, "definition": { - "title": "ListSSHPublicKeys", + "title": "DescribeVpcEndpointConnectionNotifications", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11619,7 +11619,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSSHPublicKeys $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeVpcEndpointConnectionNotifications $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11641,10 +11641,10 @@ } }, { - "id": 3678017372, + "id": 680733932, "definition": { "type": "note", - "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11660,9 +11660,9 @@ } }, { - "id": 1307936318, + "id": 561462189, "definition": { - "title": "ListOpenIDConnectProviders", + "title": "DescribeVpcs", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11680,7 +11680,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListOpenIDConnectProviders $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeVpcs $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11702,10 +11702,10 @@ } }, { - "id": 3116396786, + "id": 3668950038, "definition": { "type": "note", - "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11721,9 +11721,9 @@ } }, { - "id": 845654619, + "id": 3549678295, "definition": { - "title": "GetLoginProfile", + "title": "GetConsoleScreenshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11741,7 +11741,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetConsoleScreenshot $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11763,10 +11763,10 @@ } }, { - "id": 1724734435, + "id": 3244626285, "definition": { "type": "note", - "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", + "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11782,9 +11782,9 @@ } }, { - "id": 3748959564, + "id": 3125354542, "definition": { - "title": "DescribeLoadBalancers", + "title": "GetEbsDefaultKmsKeyId", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11802,7 +11802,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeLoadBalancers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetEbsDefaultKmsKeyId $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11824,10 +11824,10 @@ } }, { - "id": 2505574877, + "id": 2164838359, "definition": { "type": "note", - "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", + "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11843,9 +11843,9 @@ } }, { - "id": 2382316358, + "id": 4193050264, "definition": { - "title": "DescribeListeners", + "title": "GetEbsEncryptionByDefault", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11863,7 +11863,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeListeners $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetEbsEncryptionByDefault $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11885,10 +11885,10 @@ } }, { - "id": 2094364362, + "id": 3711144999, "definition": { "type": "note", - "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11904,9 +11904,9 @@ } }, { - "id": 1971105843, + "id": 3591873256, "definition": { - "title": "ListAssociatedAccessPolicies", + "title": "GetFlowLogsIntegrationTemplate", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11924,7 +11924,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListAssociatedAccessPolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetFlowLogsIntegrationTemplate $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11946,10 +11946,10 @@ } }, { - "id": 723888415, + "id": 1706777055, "definition": { "type": "note", - "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11965,9 +11965,9 @@ } }, { - "id": 2748113544, + "id": 1587505312, "definition": { - "title": "ListClusters", + "title": "GetLaunchTemplateData", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11985,7 +11985,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListClusters $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12007,10 +12007,10 @@ } }, { - "id": 3914303495, + "id": 1682004462, "definition": { "type": "note", - "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12026,9 +12026,9 @@ } }, { - "id": 1643561328, + "id": 3809555254, "definition": { - "title": "DescribeAccessEntry", + "title": "GetTransitGatewayRouteTableAssociations", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12046,7 +12046,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeAccessEntry $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetTransitGatewayRouteTableAssociations $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12068,10 +12068,10 @@ } }, { - "id": 2786615095, + "id": 2442693639, "definition": { "type": "note", - "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12087,9 +12087,9 @@ } }, { - "id": 515872928, + "id": 2323421896, "definition": { - "title": "DescribeCluster", + "title": "DescribeAccessEntry", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12107,7 +12107,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeAccessEntry $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12129,10 +12129,10 @@ } }, { - "id": 1110706602, + "id": 869789883, "definition": { "type": "note", - "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12148,9 +12148,9 @@ } }, { - "id": 3134931731, + "id": 750518140, "definition": { - "title": "Search", + "title": "DescribeCluster", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12168,7 +12168,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Search $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeCluster $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12190,10 +12190,10 @@ } }, { - "id": 4046148666, + "id": 2458061261, "definition": { "type": "note", - "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12209,9 +12209,9 @@ } }, { - "id": 1775406499, + "id": 2338789518, "definition": { - "title": "LookupEvents", + "title": "ListAssociatedAccessPolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12229,7 +12229,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:LookupEvents $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAssociatedAccessPolicies $userIdentity.arn $network.client.ip $account" } } ], 
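Review bot: Every widget added on this line counts a read-only API (`ListAssociatedAccessPolicies` here, and the surrounding Describe/List/Get calls), and CloudTrail only delivers those when the trail or event data store records read management events; on a write-only trail all of these tiles sit at zero with no indication that coverage is missing. That is worth stating once where the operator will see it, for example a line in the dashboard description such as `Discovery tiles rely on CloudTrail management events with read events enabled; a write-only trail shows 0 here.` I cannot see the dashboard-level description from this hunk, so the exact placement is for the author to decide.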
@@ -12251,10 +12251,10 @@ } }, { - "id": 4091122824, + "id": 194502346, "definition": { "type": "note", - "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12270,9 +12270,9 @@ } }, { - "id": 3868525418, + "id": 75230603, "definition": { - "title": "GetIntrospectionSchema", + "title": "ListClusters", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12290,7 +12290,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetIntrospectionSchema $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListClusters $userIdentity.arn $network.client.ip $account" } } ], 
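Review bot: `@evt.name:ListClusters` in the last hunk matches several services besides EKS — ECS, EMR and MSK all log the same event name — so this tile over-counts relative to the `EKS-ListClusters` note above it. Scoping the search to the service, e.g. `@eventSource:eks.amazonaws.com @evt.name:ListClusters`, fixes that, and the same applies to the `DescribeCluster` tile. Verify the eventSource attribute name in your CloudTrail logs before relying on it.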
@@ -12312,10 +12312,10 @@ } }, { - "id": 2987423154, + "id": 1846784587, "definition": { "type": "note", - "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12331,9 +12331,9 @@ } }, { - "id": 2864164635, + "id": 1727512844, "definition": { - "title": "GetBucketVersioning", + "title": "DescribeListeners", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12351,7 +12351,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeListeners $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12373,10 +12373,10 @@ } }, { - "id": 1886137695, + "id": 232807464, "definition": { "type": "note", - "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12392,9 +12392,9 @@ } }, { - "id": 1762879176, + "id": 113535721, "definition": { - "title": "GetBucketLogging", + "title": "DescribeLoadBalancers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12412,7 +12412,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketLogging $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeLoadBalancers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12434,10 +12434,10 @@ } }, { - "id": 1230048853, + "id": 1266589445, "definition": { "type": "note", - "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12453,9 +12453,9 @@ } }, { - "id": 3154935095, + "id": 1147317702, "definition": { - "title": "GetBucketPolicy", + "title": "ListRules", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12473,7 +12473,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListRules $userIdentity.arn $network.client.ip $account" } } ], 
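Review bot: `@evt.name:ListRules` in the query hunk is an operation name shared by classic WAF, VPC Lattice and Recycle Bin as well as EventBridge, so this tile, which the note ties to EventBridge rules and the GuardDuty-evasion research, will mix in unrelated calls. Narrowing it to `@eventSource:events.amazonaws.com @evt.name:ListRules` keeps it honest; `ListTargetsByRule` in the following widget is EventBridge-only and needs no change. Confirm the eventSource attribute name against a sample CloudTrail event first.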
@@ -12495,10 +12495,10 @@ } }, { - "id": 198185874, + "id": 2207747691, "definition": { "type": "note", - "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify 
GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12514,9 +12514,9 @@ } }, { - "id": 2222411003, + "id": 2088475948, "definition": { - "title": "ListBuckets", + "title": "ListTargetsByRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12534,7 +12534,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListBuckets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListTargetsByRule $userIdentity.arn $network.client.ip $account" } } ], @@ -12556,10 +12556,10 @@ } }, { - "id": 1835412147, + "id": 2594531733, "definition": { "type": "note", - "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12575,9 +12575,9 @@ } }, { - "id": 3859637276, + "id": 427115229, "definition": { - "title": "GetBucketReplication", + "title": "GetDetector", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -12595,7 +12595,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketReplication $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetDetector $userIdentity.arn $network.client.ip $account" } } ], @@ -12617,10 +12617,10 @@ } }, { - "id": 3993913544, + "id": 2377068430, "definition": { "type": "note", - "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", + "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12636,9 +12636,9 @@ } }, { - "id": 1723171377, + "id": 2257796687, "definition": { - "title": "GetBucketAcl", + "title": "GetFindings", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12656,7 +12656,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketAcl $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetFindings $userIdentity.arn $network.client.ip $account" } } ], 
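Review bot: `@evt.name:GetFindings` in the last hunk is not GuardDuty-specific — Security Hub and Macie log the same event name — so the tile will count finding reads from those services while the note attributes it to GuardDuty and the DangerDev incident. Suggest `@eventSource:guardduty.amazonaws.com @evt.name:GetFindings`, with the attribute name confirmed against your CloudTrail mapping. `GetDetector` earlier on this line is GuardDuty-only and is fine as written.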
@@ -12678,10 +12678,10 @@ } }, { - "id": 3386593196, + "id": 2787168086, "definition": { "type": "note", - "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12697,9 +12697,9 @@ } }, { - "id": 1115851029, + "id": 2667896343, "definition": { - "title": "HeadObject", + "title": "ListDetectors", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12717,7 +12717,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:HeadObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListDetectors $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12739,10 +12739,10 @@ } }, { - "id": 104466483, + "id": 1764551110, "definition": { "type": "note", - "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12758,9 +12758,9 @@ } }, { - "id": 2128691612, + "id": 3892101902, "definition": { - "title": "ListVaults", + "title": "ListFindings", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12778,7 +12778,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListVaults $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListFindings $userIdentity.arn $network.client.ip $account" } } ], 
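Review bot: `@evt.name:ListFindings` in the query hunk collides with Inspector, Macie, IAM Access Analyzer and CodeGuru Security, all of which log a `ListFindings` event, so a GuardDuty-attributed tile built on the bare event name will be inflated by routine scanner traffic. Scope it with `@eventSource:guardduty.amazonaws.com @evt.name:ListFindings`, as the other GuardDuty tiles should be, after checking the attribute name in a sample log. The note content itself is accurate.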
@@ -12800,10 +12800,10 @@ } }, { - "id": 3172293149, + "id": 931902694, "definition": { "type": "note", - "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12819,9 +12819,9 @@ } }, { - "id": 901550982, + "id": 812630951, "definition": { - "title": "GetPublicAccessBlock", + "title": "ListIPSets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12839,7 +12839,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetPublicAccessBlock $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListIPSets $userIdentity.arn $network.client.ip $account" } } ], 
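Review bot: `@evt.name:ListIPSets` in the query hunk also matches WAF and WAFv2, which use the same operation name, so the count is not purely GuardDuty as the note and the "Modify GuardDuty Configuration" reference imply. Scope it with `@eventSource:guardduty.amazonaws.com @evt.name:ListIPSets` (confirm the attribute name in your pipeline). Note that trusted-IP-list tampering in GuardDuty happens through `CreateIPSet`/`UpdateIPSet`, so this tile only sees the reconnaissance step; I cannot tell from this hunk whether those write events are covered elsewhere in the dashboard.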
@@ -12861,10 +12861,10 @@ } }, { - "id": 4093376506, + "id": 3648080594, "definition": { "type": "note", - "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12880,9 +12880,9 @@ } }, { - "id": 1822634339, + "id": 3528808851, "definition": { - "title": "GetBucketTagging", + "title": "GetAccountAuthorizationDetails", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12900,7 +12900,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketTagging $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccountAuthorizationDetails $userIdentity.arn $network.client.ip $account" } } ], 
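Review bot: `GetAccountAuthorizationDetails` is a single call that returns every user, group, role and policy in the account, so a plain count tile understates its weight — one event from an unexpected principal is already worth alerting on, whereas most tiles here need volume to mean anything. If the repository ships monitors alongside this dashboard, this event is a good candidate for a low-threshold alert rather than dashboard-only visibility. The query is IAM-only and needs no eventSource scoping, and the note content is accurate.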
@@ -12922,10 +12922,10 @@ } }, { - "id": 2158253424, + "id": 2172544907, "definition": { "type": "note", - "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12941,9 +12941,9 @@ } }, { - "id": 2034994905, + "id": 5128403, "definition": { - "title": "ListObjects", + "title": "GetLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12961,7 +12961,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListObjects $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetLoginProfile $userIdentity.arn $network.client.ip $account" } } ], 
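Review bot: For `GetLoginProfile` the interesting signal is usually the error rather than the success: IAM returns `NoSuchEntity` when the user has no console password, and a `NoSuchEntity` on `GetLoginProfile` followed by `CreateLoginProfile` is the console-backdoor pattern. A count that folds successes and failures together hides that, so consider a companion query such as `@evt.name:GetLoginProfile @errorCode:NoSuchEntity` or splitting the tile by error code (attribute name to be confirmed in your CloudTrail mapping). I cannot see from this hunk whether `CreateLoginProfile` has its own tile elsewhere.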
@@ -12983,10 +12983,10 @@ } }, { - "id": 758948844, + "id": 2375603711, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13002,9 +13002,9 @@ } }, { - "id": 2783173973, + "id": 208187207, "definition": { - "title": "InvokeModel", + "title": "GetUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13022,7 +13022,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetUser $userIdentity.arn $network.client.ip $account" } } ], 
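Review bot: `@evt.name:GetUser` in the query hunk is an operation name used by other services too (Cognito user pools among them), and the IAM call without a `UserName` parameter resolves to the calling identity — the whoami step with stolen keys that the GotRoot write-up in the note describes — so both the service and the presence of that parameter change what the count means. Scoping with `@eventSource:iam.amazonaws.com` and, if request parameters are indexed, distinguishing calls with no `userName` from targeted lookups would make the tile far more telling. Attribute names for eventSource and requestParameters depend on your pipeline; check a sample event first.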
@@ -13044,10 +13044,10 @@ } }, { - "id": 930830547, + "id": 2775307483, "definition": { "type": "note", - "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13063,9 +13063,9 @@ } }, { - "id": 807572028, + "id": 2656035740, "definition": { - "title": "GetUseCaseForModelAccess", + "title": "ListAccessKeys", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13083,7 +13083,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetUseCaseForModelAccess $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAccessKeys $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13105,10 +13105,10 @@ } }, { - "id": 398887904, + "id": 482338585, "definition": { "type": "note", - "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13124,9 +13124,9 @@ } }, { - "id": 2423113033, + "id": 363066842, "definition": { - "title": "ListProvisionedModelThroughputs", + "title": "ListAttachedRolePolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13144,7 +13144,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListProvisionedModelThroughputs $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAttachedRolePolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13166,10 +13166,10 @@ } }, { - "id": 790839964, + "id": 2455352769, "definition": { "type": "note", - "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13185,9 +13185,9 @@ } }, { - "id": 667581445, + "id": 2336081026, "definition": { - "title": "GetFoundationModelAvailability", + "title": "ListGroups", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13205,7 +13205,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetFoundationModelAvailability $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListGroups $userIdentity.arn $network.client.ip $account" } } ], 
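Review bot: `@evt.name:ListGroups` in the query hunk is a common operation name — Cognito user pools, IAM Identity Store, QuickSight and Resource Groups log it as well — so an IAM-attributed tile should filter on `@eventSource:iam.amazonaws.com @evt.name:ListGroups` (attribute name to be confirmed against a sample log). `ListGroupsForUser` in the next widget is IAM-only and needs no change.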
@@ -13227,10 +13227,10 @@ } }, { - "id": 2770020923, + "id": 3419224226, "definition": { "type": "note", - "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13246,9 +13246,9 @@ } }, { - "id": 2547423517, + "id": 3299952483, "definition": { - "title": "ListFoundationModels", + "title": "ListGroupsForUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13266,7 +13266,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListFoundationModels $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListGroupsForUser $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13288,10 +13288,10 @@ } }, { - "id": 2278541190, + "id": 4125038876, "definition": { "type": "note", - "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13307,9 +13307,9 @@ } }, { - "id": 2155282671, + "id": 4005767133, "definition": { - "title": "ListFoundationModelAgreementOffers", + "title": "ListInstanceProfiles", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13327,7 +13327,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListFoundationModelAgreementOffers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListInstanceProfiles $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13349,10 +13349,10 @@ } }, { - "id": 1905296191, + "id": 1015578977, "definition": { "type": "note", - "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n", + "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13368,9 +13368,9 @@ } }, { - "id": 1782037672, + "id": 3143129769, "definition": { - "title": "GetModelInvocationLoggingConfiguration", + "title": "ListOpenIDConnectProviders", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13388,7 +13388,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetModelInvocationLoggingConfiguration $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListOpenIDConnectProviders $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13410,10 +13410,10 @@ } }, { - "id": 1849215922, + "id": 3836531690, "definition": { "type": "note", - "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13429,9 +13429,9 @@ } }, { - "id": 3873441051, + "id": 3717259947, "definition": { - "title": "GetConsoleScreenshot", + "title": "ListRolePolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13449,7 +13449,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetConsoleScreenshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListRolePolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13471,10 +13471,10 @@ } }, { - "id": 2198616274, + "id": 813780540, "definition": { "type": "note", - "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13490,9 +13490,9 @@ } }, { - "id": 4222841403, + "id": 694508797, "definition": { - "title": "DescribeSnapshotTierStatus", + "title": "ListRoles", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13510,7 +13510,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeSnapshotTierStatus $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListRoles $userIdentity.arn $network.client.ip $account" } } ], 
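Review bot: In the new `ListRoles` note content, `**Related Research:**` follows the last `- [...]` bullet of the Related Incidents list with a single `\n`, so a CommonMark-style renderer will most likely fold it into that list item as a lazy continuation instead of starting a new section; a blank line (`\n\n`) before `**Related Research:**`, as is already done before `**Related Incidents:**`, avoids that. The same layout appears in the `ListUsers` and `GetBucketAcl` notes in later hunks. The `ListRoles` description also carries a stray trailing space before the blank line (`path prefix. \n\n`). Whether Datadog's note widget actually renders it this way is not visible from the diff, so check one widget in the dashboard before changing the content (or whatever produces it).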
@@ -13532,10 +13532,10 @@ } }, { - "id": 4194209197, + "id": 3110190111, "definition": { "type": "note", - "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13551,9 +13551,9 @@ } }, { - "id": 4070950678, + "id": 942773607, "definition": { - "title": "DescribeImages", + "title": "ListSAMLProviders", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13571,7 +13571,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeImages $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSAMLProviders $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13593,10 +13593,10 @@ } }, { - "id": 4209122939, + "id": 85523715, "definition": { "type": "note", - "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13612,9 +13612,9 @@ } }, { - "id": 1938380772, + "id": 4261219268, "definition": { - "title": "GetEbsDefaultKmsKeyId", + "title": "ListServiceSpecificCredentials", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13632,7 +13632,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetEbsDefaultKmsKeyId $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListServiceSpecificCredentials $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13654,10 +13654,10 @@ } }, { - "id": 2754852328, + "id": 2589429409, "definition": { "type": "note", - "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13673,9 +13673,9 @@ } }, { - "id": 2532254922, + "id": 2470157666, "definition": { - "title": "DescribeAvailabilityZones", + "title": "ListSigningCertificates", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13693,7 +13693,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeAvailabilityZones $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSigningCertificates $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13715,10 +13715,10 @@ } }, { - "id": 666141417, + "id": 2705657707, "definition": { "type": "note", - "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13734,9 +13734,9 @@ } }, { - "id": 2591027659, + "id": 2586385964, "definition": { - "title": "DescribeInstances", + "title": "ListSSHPublicKeys", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13754,7 +13754,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSSHPublicKeys $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13776,10 +13776,10 @@ } }, { - "id": 1604811755, + "id": 1194006730, "definition": { "type": "note", - "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -13795,9 +13795,9 @@ } }, { - "id": 3629036884, + "id": 3321557522, "definition": { - "title": "GetTransitGatewayRouteTableAssociations", + "title": "ListUsers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13815,7 +13815,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetTransitGatewayRouteTableAssociations $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListUsers $userIdentity.arn $network.client.ip $account" } } ], @@ -13837,10 +13837,10 @@ } }, { - "id": 1301952427, + "id": 1509941653, "definition": { "type": "note", - "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13856,9 +13856,9 @@ } }, { - "id": 3326177556, + "id": 1390669910, "definition": { - "title": "GetLaunchTemplateData", + "title": "SimulatePrincipalPolicy", "title_size": "16", "title_align": "left", "type": "query_value", 
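Review bot: The new `ListUsers` query (`source:cloudtrail @evt.name:ListUsers ...`) filters on the event name alone, and `ListUsers` is not unique to IAM in CloudTrail (Cognito, Connect, QuickSight and IAM Identity Center log an event of that name too), so this widget will count calls from unrelated services under an IAM heading. The same applies to the other service-ambiguous names added in this commit: `ListAccounts` (also emitted by IAM Identity Center), `DescribeOrganization` (also WorkMail), `ListDomains` (also SageMaker, CodeArtifact, SWF) and `Search` (other services expose a `Search` API as well). Scoping each such query by the CloudTrail `eventSource` field (`iam.amazonaws.com` for this one) would pin the count to the service the note describes; the Datadog attribute name that field is mapped to is not visible here, so confirm it against the log pipeline before adding it. The pattern is pre-existing in the file, but the names introduced here are more widely shared than the EC2 `Describe*` names they replace.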
@@ -13876,7 +13876,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SimulatePrincipalPolicy $userIdentity.arn $network.client.ip $account" } } ], @@ -13898,10 +13898,10 @@ } }, { - "id": 2439509277, + "id": 1380149940, "definition": { "type": "note", - "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n", + "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13917,9 +13917,9 @@ } }, { - "id": 2216911871, + "id": 1260878197, "definition": { - "title": "DescribeKeyPairs", + "title": "GetInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13937,7 +13937,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeKeyPairs $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13959,10 +13959,10 @@ } }, { - "id": 2657948153, + "id": 2229501156, "definition": { "type": "note", - "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13978,9 +13978,9 @@ } }, { - "id": 387205986, + "id": 2110229413, "definition": { - "title": "GetEbsEncryptionByDefault", + "title": "GetRegions", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13998,7 +13998,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetEbsEncryptionByDefault $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetRegions $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14020,10 +14020,10 @@ } }, { - "id": 3543623129, + "id": 4169838822, "definition": { "type": "note", - "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14039,9 +14039,9 @@ } }, { - "id": 3420364610, + "id": 4050567079, "definition": { - "title": "DescribeCarrierGateways", + "title": "DescribeOrganization", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14059,7 +14059,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeCarrierGateways $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeOrganization $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14081,10 +14081,10 @@ } }, { - "id": 1010544265, + "id": 2663616459, "definition": { "type": "note", - "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14100,9 +14100,9 @@ } }, { - "id": 887285746, + "id": 496199955, "definition": { - "title": "GetFlowLogsIntegrationTemplate", + "title": "ListAccounts", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14120,7 +14120,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetFlowLogsIntegrationTemplate $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAccounts $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14142,10 +14142,10 @@ } }, { - "id": 2306883080, + "id": 1918097770, "definition": { "type": "note", - "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14161,9 +14161,9 @@ } }, { - "id": 36140913, + "id": 4045648562, "definition": { - "title": "DescribeTransitGatewayMulticastDomains", + "title": "ListOrganizationalUnitsForParent", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14181,7 +14181,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeTransitGatewayMulticastDomains $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListOrganizationalUnitsForParent $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14203,10 +14203,10 @@ } }, { - "id": 2555317371, + "id": 66072472, "definition": { "type": "note", - "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14222,9 +14222,9 @@ } }, { - "id": 284575204, + "id": 4241768025, "definition": { - "title": "DescribeInstanceAttribute", + "title": "Search", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14242,7 +14242,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeInstanceAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Search $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14264,10 +14264,10 @@ } }, { - "id": 4056889928, + "id": 1179470046, "definition": { "type": "note", - "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14283,9 +14283,9 @@ } }, { - "id": 1686808874, + "id": 1060198303, "definition": { - "title": "DescribeDhcpOptions", + "title": "GetHostedZoneCount", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14303,7 +14303,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeDhcpOptions $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetHostedZoneCount $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14325,10 +14325,10 @@ } }, { - "id": 3732845320, + "id": 2309240190, "definition": { "type": "note", - "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14344,9 +14344,9 @@ } }, { - "id": 3510247914, + "id": 2189968447, "definition": { - "title": "DescribeVpcEndpointConnectionNotifications", + "title": "ListDomains", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14364,7 +14364,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeVpcEndpointConnectionNotifications $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListDomains $userIdentity.arn $network.client.ip $account" } } ], 
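Review bot: The new `ListDomains` note links to `https://traildiscover.cloud/#route53domains-ListDomains`, while every other anchor in these hunks uses a PascalCase service prefix (`IAM-`, `S3-`, `LightSail-`, `Organizations-`, `Route53-`, `ResourceExplorer-`). If the site's anchors are case-sensitive, this link will land at the top of the page rather than on the entry. I cannot see the target site from the diff, so verify which casing the anchor actually uses and align it with the convention of the neighbouring widgets.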
@@ -14386,10 +14386,10 @@ } }, { - "id": 1962852269, + "id": 2247641792, "definition": { "type": "note", - "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14405,9 +14405,9 @@ } }, { - "id": 1839593750, + "id": 2128370049, "definition": { - "title": "DescribeFlowLogs", + "title": "GetBucketAcl", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14425,7 +14425,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeFlowLogs $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketAcl $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14447,10 +14447,10 @@ } }, { - "id": 71042131, + "id": 3524222609, "definition": { "type": "note", - "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14466,9 +14466,9 @@ } }, { - "id": 4242750908, + "id": 3404950866, "definition": { - "title": "DescribeSnapshotAttribute", + "title": "GetBucketLogging", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14486,7 +14486,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeSnapshotAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketLogging $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14508,10 +14508,10 @@ } }, { - "id": 1584905420, + "id": 2333708594, "definition": { "type": "note", - "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14527,9 +14527,9 @@ } }, { - "id": 3509791662, + "id": 2214436851, "definition": { - "title": "DescribeVolumesModifications", + "title": "GetBucketPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14547,7 +14547,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeVolumesModifications $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14569,10 +14569,10 @@ } }, { - "id": 3332082924, + "id": 3085622366, "definition": { "type": "note", - "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14588,9 +14588,9 @@ } }, { - "id": 3208824405, + "id": 2966350623, "definition": { - "title": "DescribeRegions", + "title": "GetPublicAccessBlock", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14608,7 +14608,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeRegions $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetPublicAccessBlock $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14630,10 +14630,10 @@ } }, { - "id": 1209896470, + "id": 2964868525, "definition": { "type": "note", - "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n", + "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14649,9 +14649,9 @@ } }, { - "id": 3234121599, + "id": 2845596782, "definition": { - "title": "DescribeSecurityGroups", + "title": "GetBucketReplication", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14669,7 +14669,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeSecurityGroups $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketReplication $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14691,10 +14691,10 @@ } }, { - "id": 2231078047, + "id": 2417004326, "definition": { "type": "note", - "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14710,9 +14710,9 @@ } }, { - "id": 4255303176, + "id": 2297732583, "definition": { - "title": "DescribeVpcs", + "title": "GetBucketTagging", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14730,7 +14730,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeVpcs $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketTagging $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14752,10 +14752,10 @@ } }, { - "id": 1660426355, + "id": 2747914320, "definition": { "type": "note", - "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14771,9 +14771,9 @@ } }, { - "id": 1537167836, + "id": 2628642577, "definition": { - "title": "DescribeBundleTasks", + "title": "GetBucketVersioning", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14791,7 +14791,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeBundleTasks $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketVersioning $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14813,10 +14813,10 @@ } }, { - "id": 3035886310, + "id": 820187603, "definition": { "type": "note", - "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14832,9 +14832,9 @@ } }, { - "id": 765144143, + "id": 700915860, "definition": { - "title": "DescribeAccountAttributes", + "title": "HeadObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14852,7 +14852,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeAccountAttributes $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:HeadObject $userIdentity.arn $network.client.ip $account" } } ], 
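Review bot: The new HeadObject widget counts an S3 object-level call, and CloudTrail records those only when data-event logging is enabled for the bucket or trail; without it the query `source:cloudtrail @evt.name:HeadObject $userIdentity.arn $network.client.ip $account` returns zero and reads as "no activity". I would add a line to the note content such as `**Note:** S3 object-level events are only logged when CloudTrail data-event logging is enabled; a zero here may mean logging is off, not that nothing happened.` The widget object that holds this `content` string starts and ends outside the hunk.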
@@ -14874,10 +14874,10 @@ } }, { - "id": 3360200135, + "id": 2068446958, "definition": { "type": "note", - "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n**Related Research:**\n- [Following attackers\u2019 
(Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14893,9 +14893,9 @@ } }, { - "id": 1089457968, + "id": 4195997750, "definition": { - "title": "DescribeVolumes", + "title": "ListBuckets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14913,7 +14913,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeVolumes $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListBuckets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -14935,10 +14935,10 @@ } }, { - "id": 953152330, + "id": 267371514, "definition": { "type": "note", - "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -14954,9 +14954,9 @@ } }, { - "id": 2977377459, + "id": 2295583419, "definition": { - "title": "DescribeInstanceTypes", + "title": "ListObjects", "title_size": "16", "title_align": "left", "type": "query_value", @@ -14974,7 +14974,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeInstanceTypes $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListObjects $userIdentity.arn $network.client.ip $account" } } ], 
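Review bot: `@evt.name:ListObjects` is an exact term match, so if your trails record the V2 API under a distinct eventName (ListObjectsV2) the widget silently misses most modern enumeration; I would confirm against a sample event and, if so, widen the search to `@evt.name:(ListObjects OR ListObjectsV2)`. Like HeadObject, this is an S3 data event that CloudTrail logs only when data-event logging is enabled, which is worth stating in the note content so an empty widget is not read as absence of enumeration. The enclosing widget definition continues outside the hunk.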
@@ -14996,10 +14996,10 @@ } }, { - "id": 2477284660, + "id": 952820355, "definition": { "type": "note", - "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15015,9 +15015,9 @@ } }, { - "id": 2354026141, + "id": 833548612, "definition": { - "title": "DescribeClientVpnRoutes", + "title": "ListVaults", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15035,7 +15035,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeClientVpnRoutes $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListVaults $userIdentity.arn $network.client.ip $account" } } ], 
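Review bot: ListVaults is a Glacier operation (the description itself says it "lists all vaults"), yet the heading links it as `https://traildiscover.cloud/#S3-ListVaults`; if the catalog keys this event under Glacier that anchor will not resolve, and the widget is filed under the wrong service for anyone pivoting by API. I would verify the anchor and, if needed, point it at the Glacier entry and say in the content that the event comes from the Glacier API rather than S3. If this JSON is generated from the event catalog, the fix belongs in the source entry so a regeneration does not undo it.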
@@ -15057,10 +15057,10 @@ } }, { - "id": 1301952427, + "id": 3839328340, "definition": { "type": "note", - "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the 
wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15076,9 +15076,9 @@ } }, { - "id": 3326177556, + "id": 1671911836, "definition": { - "title": "GetLaunchTemplateData", + "title": "GetCallerIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15096,7 +15096,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetCallerIdentity $userIdentity.arn $network.client.ip $account" } } ], 
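Review bot: The GetCallerIdentity note lists incidents but omits the caveat that matters for triage: per the STS API reference the call needs no IAM permission and an explicit deny does not block it, so a spike from an unexpected ARN or source IP indicates credentials being validated, not privilege abuse. I would add to the content something like `**Note:** GetCallerIdentity requires no permissions and cannot be denied by policy; treat it as a credential-validation signal and pivot on userIdentity.arn and sourceIPAddress.` The widget definition that holds this string starts outside the hunk.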
@@ -15118,10 +15118,10 @@ } }, { - "id": 765703500, + "id": 963642982, "definition": { "type": "note", - "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", + "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15137,9 +15137,9 @@ } }, { - "id": 2789928629, + "id": 844371239, "definition": { - "title": "GetParameters", + "title": "ListServiceQuotas", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15157,7 +15157,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetParameters $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListServiceQuotas $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15179,10 +15179,10 @@ } }, { - "id": 963121678, + "id": 2993675301, "definition": { "type": "note", - "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15198,9 +15198,9 @@ } }, { - "id": 839863159, + "id": 2874403558, "definition": { - "title": "DescribeInstanceInformation", + "title": "GetAccount", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15218,7 +15218,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeInstanceInformation $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccount $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15240,10 +15240,10 @@ } }, { - "id": 1358574347, + "id": 1367053466, "definition": { "type": "note", - "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", + "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15259,9 +15259,9 @@ } }, { - "id": 3283460589, + "id": 1247781723, "definition": { - "title": "GetIdentityVerificationAttributes", + "title": "GetAccountSendingEnabled", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15279,7 +15279,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetIdentityVerificationAttributes $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccountSendingEnabled $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15301,10 +15301,10 @@ } }, { - "id": 2148343690, + "id": 2107552966, "definition": { "type": "note", - "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", + "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15320,9 +15320,9 @@ } }, { - "id": 2025085171, + "id": 1988281223, "definition": { - "title": "GetAccountSendingEnabled", + "title": "GetIdentityVerificationAttributes", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15340,7 +15340,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetAccountSendingEnabled $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetIdentityVerificationAttributes $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15362,10 +15362,10 @@ } }, { - "id": 994481713, + "id": 1993942420, "definition": { "type": "note", - "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: 
Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15381,9 +15381,9 @@ } }, { - "id": 3018706842, + "id": 1874670677, "definition": { - "title": "ListIdentities", + "title": "GetSendQuota", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15401,7 +15401,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListIdentities $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetSendQuota $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15423,10 +15423,10 @@ } }, { - "id": 3656894875, + "id": 1036221086, "definition": { "type": "note", - "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: 
Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15442,9 +15442,9 @@ } }, { - "id": 3533636356, + "id": 916949343, "definition": { - "title": "GetSendQuota", + "title": "ListIdentities", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15462,7 +15462,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetSendQuota $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListIdentities $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15484,10 +15484,10 @@ } }, { - "id": 74475616, + "id": 1731692584, "definition": { "type": "note", - "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15503,9 +15503,9 @@ } }, { - "id": 1999361858, + "id": 1612420841, "definition": { - "title": "GetAccount", + "title": "GetSMSAttributes", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -15523,7 +15523,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetAccount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetSMSAttributes $userIdentity.arn $network.client.ip $account" } } ], @@ -15545,10 +15545,10 @@ } }, { - "id": 3129734185, + "id": 1728759844, "definition": { "type": "note", - "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15564,9 +15564,9 @@ } }, { - "id": 3006475666, + "id": 1609488101, "definition": { - "title": "GetFindings", + "title": "GetSMSSandboxAccountStatus", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15584,7 +15584,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetFindings $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetSMSSandboxAccountStatus $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15606,10 +15606,10 @@ } }, { - "id": 2590450308, + "id": 2318729372, "definition": { "type": "note", - "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15625,9 +15625,9 @@ } }, { - "id": 319708141, + "id": 2199457629, "definition": { - "title": "ListFindings", + "title": "ListOriginationNumbers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15645,7 +15645,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListFindings $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListOriginationNumbers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15667,10 +15667,10 @@ } }, { - "id": 2267533171, + "id": 2376375856, "definition": { "type": "note", - "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15686,9 +15686,9 @@ } }, { - "id": 4291758300, + "id": 2257104113, "definition": { - "title": "ListDetectors", + "title": "ListSubscriptions", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15706,7 +15706,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListDetectors $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSubscriptions $userIdentity.arn $network.client.ip $account" } } ], 
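Review bot: The new ListSubscriptions note carries the wrong description: `Lists the calling AWS account's dedicated origination numbers and their metadata.` is the ListOriginationNumbers text from the preceding widget, so the dashboard describes two different SNS calls identically. It should describe subscriptions, e.g. `**Description:** Returns a list of the requester's subscriptions.` in line with the SNS API wording. If this file is generated from the event catalog, correct the catalog entry so the next regeneration does not reintroduce it; the widget object containing this string starts and ends outside the hunk.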
@@ -15728,10 +15728,10 @@ } }, { - "id": 2329275568, + "id": 2123456405, "definition": { "type": "note", - "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15747,9 +15747,9 @@ } }, { - "id": 4254161810, + "id": 2004184662, "definition": { - "title": "GetDetector", + "title": "ListTopics", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15767,7 +15767,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetDetector $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListTopics $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15789,10 +15789,10 @@ } }, { - "id": 563185256, + "id": 2762279184, "definition": { "type": "note", - "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15808,9 +15808,9 @@ } }, { - "id": 2488071498, + "id": 495523793, "definition": { - "title": "ListIPSets", + "title": "DescribeInstanceInformation", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15828,7 +15828,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListIPSets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeInstanceInformation $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15850,10 +15850,10 @@ } }, { - "id": 392893652, + "id": 345767485, "definition": { "type": "note", - "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15869,9 +15869,9 @@ } }, { - "id": 269635133, + "id": 226495742, "definition": { - "title": "ListServiceQuotas", + "title": "GetParameters", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15889,7 +15889,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListServiceQuotas $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetParameters $userIdentity.arn $network.client.ip $account" } } ], @@ -15920,7 +15920,7 @@ } }, { - "id": 1576054290, + "id": 3359535915, "definition": { "type": "group", "layout_type": "ordered", 
@@ -15929,10 +15929,10 @@ "show_title": true, "widgets": [ { - "id": 2436618693, + "id": 2722254608, "definition": { "type": "note", - "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", + "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15948,9 +15948,9 @@ } }, { - "id": 66537639, + "id": 554838104, "definition": { - "title": "AssumeRoleWithWebIdentity", + "title": "AttachVolume", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15968,7 +15968,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AssumeRoleWithWebIdentity $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AttachVolume $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15990,10 +15990,10 @@ } }, { - "id": 3721825110, + "id": 458637594, "definition": { "type": "note", - "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", + "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat 
detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16009,9 +16009,9 @@ } }, { - "id": 3598566591, + "id": 2586188386, "definition": { - "title": "SwitchRole", + "title": "AuthorizeSecurityGroupIngress", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16029,7 +16029,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SwitchRole $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16051,10 +16051,10 @@ } }, { - "id": 148925664, + "id": 2417729494, "definition": { "type": "note", - "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": 
"14", "text_align": "left", @@ -16070,9 +16070,9 @@ } }, { - "id": 25667145, + "id": 2298457751, "definition": { - "title": "EnableSerialConsoleAccess", + "title": "CreateSecurityGroup", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16090,7 +16090,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:EnableSerialConsoleAccess $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateSecurityGroup $userIdentity.arn $network.client.ip $account" } } ], @@ -16112,10 +16112,10 @@ } }, { - "id": 1228504326, + "id": 2046805019, "definition": { "type": "note", - "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", + "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16131,9 +16131,9 @@ } }, { - "id": 3252729455, + "id": 4075016924, "definition": { - "title": "CreateVolume", + "title": "CreateSnapshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16151,7 +16151,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateVolume $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateSnapshot $userIdentity.arn $network.client.ip $account" } } ], 
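Review bot: The new query `source:cloudtrail @evt.name:CreateSnapshot $userIdentity.arn $network.client.ip $account` filters on the event name only, so the count under the EC2 `CreateSnapshot` heading also includes `CreateSnapshot` events from other services that use the same API name (ElastiCache and FSx, at least), and the same applies to `@evt.name:CreateVolume` in the hunk at `@@ -16212,7 +16212,7 @@` (FSx also emits `CreateVolume`). Since the note widget links to the EC2 page on traildiscover.cloud, the query should pin the service with the CloudTrail eventSource attribute as well, e.g. `@evt.name:CreateSnapshot <eventSource facet>:ec2.amazonaws.com` (placeholder for whichever facet the Datadog CloudTrail pipeline exposes). Event names that exist in several services (`CreateCluster`, `CreateSnapshot`, `DescribeInstances`) are the ones most likely to produce misleading spikes on a threat-hunting dashboard. The query_value widget this hunk edits starts before the hunk.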
@@ -16173,10 +16173,10 @@ } }, { - "id": 109123231, + "id": 2965745560, "definition": { "type": "note", - "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16192,9 +16192,9 @@ } }, { - "id": 4181493121, + "id": 2846473817, "definition": { - "title": "CreateSecurityGroup", + "title": "CreateVolume", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16212,7 +16212,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateSecurityGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateVolume $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16234,10 +16234,10 @@ } }, { - "id": 2488560231, + "id": 2471921244, "definition": { "type": "note", - "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", + "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to 
the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16253,9 +16253,9 @@ } }, { - "id": 217818064, + "id": 205165853, "definition": { - "title": "AuthorizeSecurityGroupIngress", + "title": "EnableSerialConsoleAccess", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16273,7 +16273,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:EnableSerialConsoleAccess $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16295,10 +16295,10 @@ } }, { - "id": 2822364729, + "id": 2994633127, "definition": { "type": "note", - "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and 
Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16314,9 +16314,9 @@ } }, { - "id": 452283675, + "id": 2875361384, "definition": { - "title": "SendSSHPublicKey", + "title": "RunInstances", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16334,7 +16334,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SendSSHPublicKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" } } ], @@ -16356,10 +16356,10 @@ } }, { - "id": 2607739167, + "id": 1356219601, "definition": { "type": "note", - "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", + "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16375,9 +16375,9 @@ } }, { - "id": 2385141761, + "id": 1236947858, "definition": { - "title": "CreateSnapshot", + "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16395,7 +16395,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateSnapshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SendSerialConsoleSSHPublicKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16417,10 +16417,10 @@ } }, { - "id": 3158458900, + "id": 804235889, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16436,9 +16436,9 @@ } }, { - "id": 887716733, + "id": 684964146, "definition": { - "title": "RunInstances", + "title": "SendSSHPublicKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16456,7 +16456,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SendSSHPublicKey $userIdentity.arn $network.client.ip $account" } } ], @@ -16478,10 +16478,10 @@ } }, { - "id": 192033388, + "id": 1522910029, "definition": { "type": "note", - "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", + "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16497,9 +16497,9 @@ } }, { - "id": 2216258517, + "id": 1403638286, "definition": { - "title": "AttachVolume", + "title": "AssumeRoleWithWebIdentity", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16517,7 +16517,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AttachVolume $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AssumeRoleWithWebIdentity $userIdentity.arn $network.client.ip $account" } } ], @@ -16539,10 +16539,10 @@ } }, { - "id": 3073378239, + "id": 3241996449, "definition": { "type": "note", - "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", + "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16558,9 +16558,9 @@ } }, { - "id": 802636072, + "id": 3122724706, "definition": { - "title": "SendSerialConsoleSSHPublicKey", + "title": "SwitchRole", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16578,7 +16578,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SendSerialConsoleSSHPublicKey $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SwitchRole $userIdentity.arn $network.client.ip $account" } } ], @@ -16600,10 +16600,10 @@ } }, { - "id": 2748085124, + "id": 3165577030, "definition": { "type": "note", - "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16619,9 +16619,9 @@ } }, { - "id": 477342957, + "id": 998160526, "definition": { - "title": "SendCommand", + "title": "ResumeSession", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16639,7 +16639,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SendCommand $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16661,10 +16661,10 @@ } }, { - "id": 955811648, + "id": 4080750434, "definition": { "type": "note", - "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", + "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16680,9 +16680,9 @@ } }, { - "id": 832553129, + "id": 3961478691, "definition": { - "title": "StartSession", + "title": "SendCommand", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16700,7 +16700,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartSession $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SendCommand $userIdentity.arn $network.client.ip $account" } } ], @@ -16722,10 +16722,10 @@ } }, { - "id": 3400639865, + "id": 3536403153, "definition": { "type": "note", - "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16741,9 +16741,9 @@ } }, { - "id": 1129897698, + "id": 3417131410, "definition": { - "title": "ResumeSession", + "title": "StartSession", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16761,7 +16761,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartSession $userIdentity.arn $network.client.ip $account" } } ], @@ -16792,7 +16792,7 @@ } }, { - "id": 2615621173, + "id": 3960243088, "definition": { "type": "group", "layout_type": "ordered", @@ -16801,10 +16801,10 @@ "show_title": true, "widgets": [ { - "id": 2876011537, + "id": 2771606000, "definition": { "type": "note", - "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16820,9 +16820,9 @@ } }, { - "id": 605269370, + "id": 604189496, "definition": { - "title": "UpdateFunctionCode20150331v2", + "title": "CreateFunction", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16840,7 +16840,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFunction $userIdentity.arn $network.client.ip $account" } } ], @@ -16862,10 +16862,10 @@ } }, { - "id": 3951525067, + "id": 435756905, "definition": { "type": "note", - "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16881,9 +16881,9 @@ } }, { - "id": 3728927661, + "id": 2563307697, "definition": { - "title": "UpdateDistribution", + "title": "PublishFunction", "title_size": "16", "title_align": "left", "type": "query_value", 
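Review bot: The new CreateFunction widget counts `@evt.name:CreateFunction` with no event-source filter, so it is not actually scoped to CloudFront even though the note above it is labelled CloudFront-CreateFunction; as far as I recall at least AppSync emits a CreateFunction event with the same name, and the same ambiguity applies to other event names in this diff (CreateRoute, CreateImage, CreateSnapshot, StartExportTask) that exist in more than one AWS service. The template variables `$userIdentity.arn $network.client.ip $account` narrow by principal and account, not by service, so the per-service groupings can over-count. I would add the source to the query, e.g. `"query": "source:cloudtrail @eventSource:cloudfront.amazonaws.com @evt.name:CreateFunction $userIdentity.arn $network.client.ip $account"` (attribute name per your CloudTrail pipeline), and since the widget ids look regenerated the fix probably belongs in whatever generates this dashboard rather than in the JSON by hand.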
@@ -16901,7 +16901,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateDistribution $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PublishFunction $userIdentity.arn $network.client.ip $account" } } ], @@ -16923,10 +16923,10 @@ } }, { - "id": 3170643624, + "id": 1048805055, "definition": { "type": "note", - "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16942,9 +16942,9 @@ } }, { - "id": 899901457, + "id": 3176355847, "definition": { - "title": "PublishFunction", + "title": "UpdateDistribution", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16962,7 +16962,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PublishFunction $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateDistribution $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16984,10 +16984,10 @@ } }, { - "id": 2484811815, + "id": 1059256312, "definition": { "type": "note", - "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17003,9 +17003,9 @@ } }, { - "id": 2262214409, + "id": 939984569, "definition": { - "title": "CreateFunction", + "title": "CreateInstanceExportTask", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17023,7 +17023,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFunction $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateInstanceExportTask $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17045,10 +17045,10 @@ } }, { - "id": 3300271111, + "id": 715194584, "definition": { "type": "note", - "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", + "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17064,9 +17064,9 @@ } }, { - "id": 3177012592, + "id": 2842745376, "definition": { - "title": "CreateInstanceExportTask", + "title": "CreateRoute", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17084,7 +17084,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateInstanceExportTask $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateRoute $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17106,10 +17106,10 @@ } }, { - "id": 3085322872, + "id": 2772366993, "definition": { "type": "note", - "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17125,9 +17125,9 @@ } }, { - "id": 2962064353, + "id": 604950489, "definition": { - "title": "CreateTrafficMirrorTarget", + "title": "CreateTrafficMirrorFilter", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17145,7 +17145,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateTrafficMirrorTarget $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateTrafficMirrorFilter $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17167,10 +17167,10 @@ } }, { - "id": 2200323157, + "id": 2074751119, "definition": { "type": "note", - "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17186,9 +17186,9 @@ } }, { - "id": 4125209399, + "id": 1955479376, "definition": { - "title": "CreateTrafficMirrorSession", + "title": "CreateTrafficMirrorFilterRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17206,7 +17206,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateTrafficMirrorSession $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateTrafficMirrorFilterRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17228,10 +17228,10 @@ } }, { - "id": 3260415341, + "id": 610603793, "definition": { "type": "note", - "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", + "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17247,9 +17247,9 @@ } }, { - "id": 3137156822, + "id": 491332050, "definition": { - "title": "CreateRoute", + "title": "CreateTrafficMirrorSession", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17267,7 +17267,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateRoute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateTrafficMirrorSession $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17289,10 +17289,10 @@ } }, { - "id": 3675349788, + "id": 2510020611, "definition": { "type": "note", - "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17308,9 +17308,9 @@ } }, { - "id": 3452752382, + "id": 2390748868, "definition": { - "title": "CreateTrafficMirrorFilter", + "title": "CreateTrafficMirrorTarget", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17328,7 +17328,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateTrafficMirrorFilter $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateTrafficMirrorTarget $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17350,10 +17350,10 @@ } }, { - "id": 2229939846, + "id": 23985570, "definition": { "type": "note", - "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17369,9 +17369,9 @@ } }, { - "id": 4254164975, + "id": 4199681123, "definition": { - "title": "CreateTrafficMirrorFilterRule", + "title": "UpdateFunctionCode20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -17389,7 +17389,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateTrafficMirrorFilterRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" } } ], @@ -17420,7 +17420,7 @@ } }, { - "id": 3094699843, + "id": 621074500, "definition": { "type": "group", "layout_type": "ordered", @@ -17429,10 +17429,10 @@ "show_title": true, "widgets": [ { - "id": 2670704099, + "id": 244940977, "definition": { "type": "note", - "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17448,9 +17448,9 @@ } }, { - "id": 399961932, + "id": 125669234, "definition": { - "title": "CreateUser", + "title": "AuthorizeSecurityGroupEgress", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17468,7 +17468,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupEgress $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17490,10 +17490,10 @@ } }, { - "id": 769782214, + "id": 670176333, "definition": { "type": "note", - "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17509,9 +17509,9 @@ } }, { - "id": 547184808, + "id": 550904590, "definition": { - "title": "CreateServer", + "title": "CreateImage", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17529,7 +17529,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateServer $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateImage $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17551,10 +17551,10 @@ } }, { - "id": 1056756398, + "id": 130498201, "definition": { "type": "note", - "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", + "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17570,9 +17570,9 @@ } }, { - "id": 3080981527, + "id": 11226458, "definition": { - "title": "PutBucketPolicy", + "title": "CreateSnapshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17590,7 +17590,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateSnapshot $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17612,10 +17612,10 @@ } }, { - "id": 1961849023, + "id": 3406942822, "definition": { "type": "note", - "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", + "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17631,9 +17631,9 @@ } }, { - "id": 1838590504, + "id": 3287671079, "definition": { - "title": "PutBucketAcl", + "title": "ModifyImageAttribute", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17651,7 +17651,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketAcl $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ModifyImageAttribute $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17673,10 +17673,10 @@ } }, { - "id": 1583760673, + "id": 2696146899, "definition": { "type": "note", - "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17692,9 +17692,9 @@ } }, { - "id": 3607985802, + "id": 2576875156, "definition": { - "title": "PutBucketVersioning", + "title": "ModifySnapshotAttribute", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17712,7 +17712,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ModifySnapshotAttribute $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17734,10 +17734,10 @@ } }, { - "id": 1014353145, + "id": 591989587, "definition": { "type": "note", - "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17753,9 +17753,9 @@ } }, { - "id": 3038578274, + "id": 472717844, "definition": { - "title": "PutBucketReplication", + "title": "SharedSnapshotCopyInitiated", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17773,7 +17773,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketReplication $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SharedSnapshotCopyInitiated $userIdentity.arn $network.client.ip $account" } } ], 
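Review bot: The description added for the SharedSnapshotCopyInitiated note, "Modifies the specified attribute of the specified instance.", does not describe this event — it reads like the ModifyInstanceAttribute text and it was already wrong on the removed side, so the reorder carries the mistake forward; the SharedSnapshotVolumeCreated note further down in this diff has the same copied text. For an exfiltration dashboard the description matters because these two are not API calls by the actor but notifications that, as far as I recall, land in the snapshot owner's trail when another account copies the shared snapshot or creates a volume from it. I would change the line to `**Description:** Logged in the snapshot owner's account when a snapshot shared with another account is copied by that account.` (and the volume-created analogue for the sibling widget), and note that `$userIdentity.arn` will likely not match the consuming principal on these events, which is worth confirming against a real sample.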
@@ -17795,10 +17795,10 @@ } }, { - "id": 3079404939, + "id": 1237347532, "definition": { "type": "note", - "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming 
Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", + "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17814,9 +17814,9 @@ } }, { - "id": 808662772, + "id": 1118075789, "definition": { - "title": "GetObject", + "title": "SharedSnapshotVolumeCreated", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17834,7 +17834,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SharedSnapshotVolumeCreated $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17856,10 +17856,10 @@ } }, { - "id": 2445809051, + "id": 1680197035, "definition": { "type": "note", - "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17875,9 +17875,9 @@ } }, { - "id": 2223211645, + "id": 1560925292, "definition": { - "title": "JobCreated", + "title": "CreateDBSecurityGroup", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17895,7 +17895,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:JobCreated $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateDBSecurityGroup $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17917,10 +17917,10 @@ } }, { - "id": 619351174, + "id": 725465201, "definition": { "type": "note", - "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", + "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17936,9 +17936,9 @@ } }, { - "id": 2643576303, + "id": 606193458, "definition": { - "title": "ModifySnapshotAttribute", + "title": "CreateDBSnapshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -17956,7 +17956,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ModifySnapshotAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateDBSnapshot $userIdentity.arn $network.client.ip $account" } } ], 
@@ -17978,10 +17978,10 @@ } }, { - "id": 2409255924, + "id": 2806901857, "definition": { "type": "note", - "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", + "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -17997,9 +17997,9 @@ } }, { - "id": 138513757, + "id": 639485353, "definition": { - "title": "SharedSnapshotCopyInitiated", + "title": "ModifyDBSnapshotAttribute", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -18017,7 +18017,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SharedSnapshotCopyInitiated $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ModifyDBSnapshotAttribute $userIdentity.arn $network.client.ip $account" } } ], @@ -18039,10 +18039,10 @@ } }, { - "id": 1564014697, + "id": 2467139299, "definition": { "type": "note", - "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", + "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18058,9 +18058,9 @@ } }, { - "id": 1341417291, + "id": 299722795, "definition": { - "title": "SharedSnapshotVolumeCreated", + "title": "StartExportTask", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18078,7 +18078,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SharedSnapshotVolumeCreated $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartExportTask $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18100,10 +18100,10 @@ } }, { - "id": 3142056737, + "id": 2236941040, "definition": { "type": "note", - "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", + "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! 
AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18119,9 +18119,9 @@ } }, { - "id": 3018798218, + "id": 2117669297, "definition": { - "title": "CreateSnapshot", + "title": "GetObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18139,7 +18139,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateSnapshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetObject $userIdentity.arn $network.client.ip $account" } } ], 
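Review bot: The new `GetObject` counter (`"query": "source:cloudtrail @evt.name:GetObject $userIdentity.arn $network.client.ip $account"`) matches an S3 data event rather than a management event, so it will sit at zero unless S3 data-event logging is enabled on the trail feeding Datadog, and where it is enabled it is one of the highest-volume CloudTrail events an account produces. The note widget should say so; something like `**Note:** GetObject is only recorded when S3 data events are enabled on the trail. Expect very high counts on busy buckets; narrow with the identity/IP template variables before treating a spike as suspicious.` The "Related Incidents" list also files `Enumerate AWS Account ID from a Public S3 Bucket` as an incident, which reads as research rather than an incident report. If this JSON is generated from an upstream event catalogue, both fixes belong there rather than in the export.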
@@ -18161,10 +18161,10 @@ } }, { - "id": 3541923305, + "id": 232014974, "definition": { "type": "note", - "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", + "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18180,9 +18180,9 @@ } }, { - "id": 3418664786, + "id": 112743231, "definition": { - "title": "CreateImage", + "title": "JobCreated", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18200,7 +18200,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateImage $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:JobCreated $userIdentity.arn $network.client.ip $account" } } ], 
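Review bot: The "Related Research" link in the new `JobCreated` note is mislabelled: the entry titled `Exfiltrating S3 Data with Bucket Replication Policies` points to `https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/`, which is the ECS crypto-mining write-up, not an article about S3 replication. The same title/URL pair is reused in the `PutBucketReplication` and `PutBucketVersioning` notes later in this diff, so it is most likely one bad row in whatever catalogue the dashboard is generated from; correct it there and regenerate rather than hand-editing the JSON. I cannot recover the intended URL from this diff, so either restore the correct article link or drop the entry until it is known.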
@@ -18222,10 +18222,10 @@ } }, { - "id": 812870179, + "id": 1593057360, "definition": { "type": "note", - "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", + "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18241,9 +18241,9 @@ } }, { - "id": 689611660, + "id": 1473785617, "definition": { - "title": "AuthorizeSecurityGroupEgress", + "title": "PutBucketAcl", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18261,7 +18261,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:AuthorizeSecurityGroupEgress $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketAcl $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18283,10 +18283,10 @@ } }, { - "id": 1015235657, + "id": 1967415200, "definition": { "type": "note", - "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", + "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18302,9 +18302,9 @@ } }, { - "id": 2940121899, + "id": 1848143457, "definition": { - "title": "ModifyImageAttribute", + "title": "PutBucketPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18322,7 +18322,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ModifyImageAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18344,10 +18344,10 @@ } }, { - "id": 3494832047, + "id": 900415162, "definition": { "type": "note", - "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", + "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18363,9 +18363,9 @@ } }, { - "id": 1224089880, + "id": 781143419, "definition": { - "title": "ModifyDBSnapshotAttribute", + "title": "PutBucketReplication", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18383,7 +18383,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ModifyDBSnapshotAttribute $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketReplication $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18405,10 +18405,10 @@ } }, { - "id": 1611972066, + "id": 127027890, "definition": { "type": "note", - "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", + "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18424,9 +18424,9 @@ } }, { - "id": 1389374660, + "id": 2254578682, "definition": { - "title": "StartExportTask", + "title": "PutBucketVersioning", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18444,7 +18444,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartExportTask $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18466,10 +18466,10 @@ } }, { - "id": 644703663, + "id": 3547229411, "definition": { "type": "note", - "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", + "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18485,9 +18485,9 @@ } }, { - "id": 2668928792, + "id": 3427957668, "definition": { - "title": "CreateDBSecurityGroup", + "title": "CreateServer", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18505,7 +18505,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDBSecurityGroup $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateServer $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18527,10 +18527,10 @@ } }, { - "id": 1727942185, + "id": 1858417512, "definition": { "type": "note", - "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", + "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18546,9 +18546,9 @@ } }, { - "id": 3752167314, + "id": 3985968304, "definition": { - "title": "CreateDBSnapshot", + "title": "CreateUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18566,7 +18566,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDBSnapshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account" } } ], @@ -18597,7 +18597,7 @@ } }, { - "id": 4137379826, + "id": 3121827959, "definition": { "type": "group", "layout_type": "ordered", 
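Review bot: The new `CreateUser` widget filters on event name alone (`"query": "source:cloudtrail @evt.name:CreateUser $userIdentity.arn $network.client.ip $account"`), but `CreateUser` is also the IAM event name and other services (e.g. ElastiCache) expose a `CreateUser` API too, so a panel placed under Transfer Family will count IAM user creations and any other service's CreateUser, which makes the number misleading during triage. Every query in this file uses the event-name-only pattern, but this one collides with a far more common event; scope it to the Transfer Family event source, e.g. `source:cloudtrail @evt.name:CreateUser @eventSource:transfer.amazonaws.com $userIdentity.arn $network.client.ip $account`, using whatever facet this CloudTrail pipeline exposes for `eventSource` (I cannot confirm the attribute name from the diff). `CreateServer` in the preceding hunk is less likely to collide but would benefit from the same scoping for consistency.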
@@ -18606,10 +18606,10 @@ "show_title": true, "widgets": [ { - "id": 4277246031, + "id": 4225790526, "definition": { "type": "note", - "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", + "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18625,9 +18625,9 @@ } }, { - "id": 2006503864, + "id": 2058374022, "definition": { - "title": "ChangeResourceRecordSets", + "title": "CreateFoundationModelAgreement", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18645,7 +18645,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ChangeResourceRecordSets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFoundationModelAgreement $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18667,10 +18667,10 @@ } }, { - "id": 3910498475, + "id": 2286311561, "definition": { "type": "note", - "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18686,9 +18686,9 @@ } }, { - "id": 3687901069, + "id": 2167039818, "definition": { - "title": "RegisterDomain", + "title": "InvokeModel", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18706,7 +18706,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RegisterDomain $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18728,10 +18728,10 @@ } }, { - "id": 3745677183, + "id": 538384848, "definition": { "type": "note", - "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", + "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18747,9 +18747,9 @@ } }, { - "id": 1474935016, + "id": 419113105, "definition": { - "title": "CreateHostedZone", + "title": "InvokeModelWithResponseStream", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18767,7 +18767,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateHostedZone $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:InvokeModelWithResponseStream $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18789,10 +18789,10 @@ } }, { - "id": 3804708138, + "id": 2587639358, "definition": { "type": "note", - "content": "### [CreateStack](https://traildiscover.cloud/#CloudFormation-CreateStack)\n\n**Description:** Creates a stack as specified in the template.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18808,9 +18808,9 @@ } }, { - "id": 1533965971, + "id": 2468367615, "definition": { - "title": "CreateStack", + "title": "PutFoundationModelEntitlement", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18828,7 +18828,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateStack $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutFoundationModelEntitlement $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18850,10 +18850,10 @@ } }, { - "id": 1852793609, + "id": 268378469, "definition": { "type": "note", - "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18869,9 +18869,9 @@ } }, { - "id": 3777679851, + "id": 149106726, "definition": { - "title": "Publish", + "title": "PutUseCaseForModelAccess", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18889,7 +18889,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Publish $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutUseCaseForModelAccess $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18911,10 +18911,10 @@ } }, { - "id": 3688746357, + "id": 3970983764, "definition": { "type": "note", - "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [CreateStack](https://traildiscover.cloud/#CloudFormation-CreateStack)\n\n**Description:** Creates a stack as specified in the template.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18930,9 +18930,9 @@ } }, { - "id": 3565487838, + "id": 3851712021, "definition": { - "title": "CreateFunction20150331", + "title": "CreateStack", "title_size": "16", "title_align": "left", "type": "query_value", @@ -18950,7 +18950,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateStack $userIdentity.arn $network.client.ip $account" } } ], 
@@ -18972,10 +18972,10 @@ } }, { - "id": 2389330074, + "id": 3519532994, "definition": { "type": "note", - "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", + "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18991,9 +18991,9 @@ } }, { - "id": 118587907, + "id": 3400261251, "definition": { - "title": "UpdateFunctionCode20150331v2", + "title": "CreateDefaultVpc", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -19011,7 +19011,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account" } } ], @@ -19033,10 +19033,10 @@ } }, { - "id": 441940407, + "id": 2829701017, "definition": { "type": "note", - "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", + "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19052,9 +19052,9 @@ } }, { - "id": 2366826649, + "id": 662284513, "definition": { - "title": "Invoke", + "title": "DeleteSnapshot", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19072,7 +19072,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteSnapshot $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19094,10 +19094,10 @@ } }, { - "id": 1253456634, + "id": 4185572617, "definition": { "type": "note", - "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", + "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19113,9 +19113,9 @@ } }, { - "id": 1130198115, + "id": 4066300874, "definition": { - "title": "DeleteFileSystem", + "title": "DeleteVolume", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19133,7 +19133,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteFileSystem $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteVolume $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19155,10 +19155,10 @@ } }, { - "id": 471034442, + "id": 224829074, "definition": { "type": "note", - "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", + "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security 
Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19174,9 +19174,9 @@ } }, { - "id": 248437036, + "id": 105557331, "definition": { - "title": "DeleteMountTarget", + "title": "RunInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19194,7 +19194,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteMountTarget $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19216,10 +19216,10 @@ } }, { - "id": 530523028, + "id": 621932381, "definition": { "type": "note", - "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19235,9 +19235,9 @@ } }, { - "id": 2455409270, + "id": 502660638, "definition": { - "title": "DeleteRule", + "title": "StartInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19255,7 +19255,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19277,10 +19277,10 @@ } }, { - "id": 3200260395, + "id": 3868553997, "definition": { "type": "note", - "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19296,9 +19296,9 @@ } }, { - "id": 2977662989, + "id": 3749282254, "definition": { - "title": "RemoveTargets", + "title": "StopInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19316,7 +19316,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19338,10 +19338,10 @@ } }, { - "id": 3181062139, + "id": 4161852584, "definition": { "type": "note", - "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", + "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19357,9 +19357,9 @@ } }, { - "id": 910319972, + "id": 4042580841, "definition": { - "title": "DisableRule", + "title": "TerminateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19377,7 +19377,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19399,10 +19399,10 @@ } }, { - "id": 2868838645, + "id": 850595347, "definition": { "type": "note", - "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19418,9 +19418,9 @@ } }, { - "id": 598096478, + "id": 2978146139, "definition": { - "title": "PutRule", + "title": "CreateCluster", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19438,7 +19438,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateCluster $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19460,10 +19460,10 @@ } }, { - "id": 1925651381, + "id": 2955310263, "definition": { "type": "note", - "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19479,9 +19479,9 @@ } }, { - "id": 1703053975, + "id": 2836038520, "definition": { - "title": "CreateInstances", + "title": "CreateService", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19499,7 +19499,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateService $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19521,10 +19521,10 @@ } }, { - "id": 650276477, + "id": 1712046594, "definition": { "type": "note", - "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19540,9 +19540,9 @@ } }, { - "id": 427679071, + "id": 1592774851, "definition": { - "title": "GenerateDataKeyWithoutPlaintext", + "title": "RegisterTaskDefinition", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19560,7 +19560,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GenerateDataKeyWithoutPlaintext $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RegisterTaskDefinition $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19582,10 +19582,10 @@ } }, { - "id": 2135445320, + "id": 1839971803, "definition": { "type": "note", - "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19601,9 +19601,9 @@ } }, { - "id": 1912847914, + "id": 3967522595, "definition": { - "title": "ScheduleKeyDeletion", + "title": "DeleteFileSystem", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19621,7 +19621,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteFileSystem $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19643,10 +19643,10 @@ } }, { - "id": 790609063, + "id": 3528457586, "definition": { "type": "note", - "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19662,9 +19662,9 @@ } }, { - "id": 2814834192, + "id": 3409185843, "definition": { - "title": "Encrypt", + "title": "DeleteMountTarget", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19682,7 +19682,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteMountTarget $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19704,10 +19704,10 @@ } }, { - "id": 1063516892, + "id": 2739696966, "definition": { "type": "note", - "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", + "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19723,9 +19723,9 @@ } }, { - "id": 3087742021, + "id": 572280462, "definition": { - "title": "PutObject", + "title": "DeleteRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19743,7 +19743,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19765,10 +19765,10 @@ } }, { - "id": 301750510, + "id": 2379603859, "definition": { "type": "note", - "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19784,9 +19784,9 @@ } }, { - "id": 2325975639, + "id": 2260332116, "definition": { - "title": "PutBucketVersioning", + "title": "DisableRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19804,7 +19804,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DisableRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19826,10 +19826,10 @@ } }, { - "id": 3775068706, + "id": 2887930120, "definition": { "type": "note", - "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19845,9 +19845,9 @@ } }, { - "id": 1504326539, + "id": 2768658377, "definition": { - "title": "PutBucketLifecycle", + "title": "PutRule", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19865,7 +19865,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutRule $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19887,10 +19887,10 @@ } }, { - "id": 2732910170, + "id": 2324473093, "definition": { "type": "note", - "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19906,9 +19906,9 @@ } }, { - "id": 462168003, + "id": 2205201350, "definition": { - "title": "DeleteBucket", + "title": "RemoveTargets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -19926,7 +19926,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteBucket $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RemoveTargets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -19948,10 +19948,10 @@ } }, { - "id": 2688664749, + "id": 782670610, "definition": { "type": "note", - "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19967,9 +19967,9 @@ } }, { - "id": 2466067343, + "id": 663398867, "definition": { - "title": "DeleteObject", + "title": "Encrypt", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -19987,7 +19987,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" } } ], @@ -20009,10 +20009,10 @@ } }, { - "id": 2819419174, + "id": 3174234858, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20028,9 +20028,9 @@ } }, { - "id": 449338120, + "id": 3154302002, "definition": { - "title": "InvokeModel", + "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -20048,7 +20048,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GenerateDataKeyWithoutPlaintext $userIdentity.arn $network.client.ip $account" } } ], @@ -20070,10 +20070,10 @@ } }, { - "id": 3505605826, + "id": 3458694196, "definition": { "type": "note", - "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20089,9 +20089,9 @@ } }, { - "id": 3382347307, + "id": 1291277692, "definition": { - "title": "PutFoundationModelEntitlement", + "title": "ScheduleKeyDeletion", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20109,7 +20109,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutFoundationModelEntitlement $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20131,10 +20131,10 @@ } }, { - "id": 3838348221, + "id": 850813802, "definition": { "type": "note", - "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20150,9 +20150,9 @@ } }, { - "id": 3715089702, + "id": 731542059, "definition": { - "title": "InvokeModelWithResponseStream", + "title": "CreateFunction20150331", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -20170,7 +20170,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:InvokeModelWithResponseStream $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateFunction20150331 $userIdentity.arn $network.client.ip $account" } } ], @@ -20192,10 +20192,10 @@ } }, { - "id": 4059847084, + "id": 3498376699, "definition": { "type": "note", - "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20211,9 +20211,9 @@ } }, { - "id": 3936588565, + "id": 3379104956, "definition": { - "title": "PutUseCaseForModelAccess", + "title": "Invoke", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20231,7 +20231,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutUseCaseForModelAccess $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Invoke $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20253,10 +20253,10 @@ } }, { - "id": 2137352945, + "id": 711335014, "definition": { "type": "note", - "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20272,9 +20272,9 @@ } }, { - "id": 1914755539, + "id": 592063271, "definition": { - "title": "CreateFoundationModelAgreement", + "title": "UpdateFunctionCode20150331v2", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -20292,7 +20292,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateFoundationModelAgreement $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateFunctionCode20150331v2 $userIdentity.arn $network.client.ip $account" } } ], @@ -20314,10 +20314,10 @@ } }, { - "id": 731554091, + "id": 855850436, "definition": { "type": "note", - "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20333,9 +20333,9 @@ } }, { - "id": 608295572, + "id": 736578693, "definition": { - "title": "DeleteVolume", + "title": "CreateInstances", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20353,7 +20353,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteVolume $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateInstances $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20375,10 +20375,10 @@ } }, { - "id": 1047964517, + "id": 2876905668, "definition": { "type": "note", - "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20394,9 +20394,9 @@ } }, { - "id": 924705998, + "id": 2757633925, "definition": { - "title": "StartInstances", + "title": "DeleteDBCluster", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -20414,7 +20414,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StartInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteDBCluster $userIdentity.arn $network.client.ip $account" } } ], @@ -20436,10 +20436,10 @@ } }, { - "id": 1404979794, + "id": 3136337802, "definition": { "type": "note", - "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [DeleteDBInstance](https://traildiscover.cloud/#RDS-DeleteDBInstance)\n\n**Description:** Deletes a previously provisioned DB instance.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20455,9 +20455,9 @@ } }, { - "id": 3429204923, + "id": 3017066059, "definition": { - "title": "CreateDefaultVpc", + "title": "DeleteDBInstance", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20475,7 +20475,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateDefaultVpc $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteDBInstance $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20497,10 +20497,10 @@ } }, { - "id": 1724802726, + "id": 2023892831, "definition": { "type": "note", - "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20516,9 +20516,9 @@ } }, { - "id": 3649688968, + "id": 1904621088, "definition": { - "title": "TerminateInstances", + "title": "DeleteGlobalCluster", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20536,7 +20536,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:TerminateInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteGlobalCluster $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20558,10 +20558,10 @@ } }, { - "id": 3850600181, + "id": 945931496, "definition": { "type": "note", - "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20577,9 +20577,9 @@ } }, { - "id": 1579858014, + "id": 826659753, "definition": { - "title": "StopInstances", + "title": "ChangeResourceRecordSets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20597,7 +20597,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:StopInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ChangeResourceRecordSets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20619,10 +20619,10 @@ } }, { - "id": 2159957024, + "id": 1448140360, "definition": { "type": "note", - "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", + "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20638,9 +20638,9 @@ } }, { - "id": 4184182153, + "id": 1328868617, "definition": { - "title": "DeleteSnapshot", + "title": "CreateHostedZone", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20658,7 +20658,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteSnapshot $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateHostedZone $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20680,10 +20680,10 @@ } }, { - "id": 4120746894, + "id": 4213156062, "definition": { "type": "note", - "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", + "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20699,9 +20699,9 @@ } }, { - "id": 1850004727, + "id": 4093884319, "definition": { - "title": "RunInstances", + "title": "RegisterDomain", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20719,7 +20719,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RunInstances $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RegisterDomain $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20741,10 +20741,10 @@ } }, { - "id": 2835720796, + "id": 2466496851, "definition": { "type": "note", - "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20760,9 +20760,9 @@ } }, { - "id": 564978629, + "id": 2347225108, "definition": { - "title": "DeleteGlobalCluster", + "title": "DeleteBucket", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20780,7 +20780,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteGlobalCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteBucket $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20802,10 +20802,10 @@ } }, { - "id": 688746138, + "id": 1168455202, "definition": { "type": "note", - "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", + "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -20821,9 +20821,9 @@ } }, { - "id": 2613632380, + "id": 3196667107, "definition": { - "title": "DeleteDBCluster", + "title": "DeleteObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20841,7 +20841,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteDBCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DeleteObject $userIdentity.arn $network.client.ip $account" } } ], @@ -20863,10 +20863,10 @@ } }, { - "id": 2276034071, + "id": 3732545011, "definition": { "type": "note", - "content": "### [DeleteDBInstance](https://traildiscover.cloud/#RDS-DeleteDBInstance)\n\n**Description:** Deletes a previously provisioned DB instance.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20882,9 +20882,9 @@ } }, { - "id": 2152775552, + "id": 3613273268, "definition": { - "title": "DeleteDBInstance", + "title": "PutBucketLifecycle", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -20902,7 +20902,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DeleteDBInstance $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" } } ], @@ -20924,10 +20924,10 @@ } }, { - "id": 2004367959, + "id": 225808405, "definition": { "type": "note", - "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20943,9 +20943,9 @@ } }, { - "id": 4028593088, + "id": 106536662, "definition": { - "title": "CreateEmailIdentity", + "title": "PutBucketVersioning", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20963,7 +20963,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateEmailIdentity $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" } } ], 
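Review bot: The PutBucketVersioning note `content` added in the `@@ -20924,10 +20924,10 @@` hunk carries a mismatched reference: the link titled `Exfiltrating S3 Data with Bucket Replication Policies` points at `https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/`, which is the URL this file uses for the "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining" article in the RunInstances and RegisterTaskDefinition entries. An analyst following the research link for replication-based S3 exfiltration lands on an unrelated ECS write-up. Replace the href with the correct article address (`<URL of the bucket-replication article>` — to be looked up, not known from this page) and, because the widget ids and ordering appear generated, correct it in the source event record so the next regeneration does not reintroduce it.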
@@ -20985,10 +20985,10 @@ } }, { - "id": 3277091216, + "id": 653380330, "definition": { "type": "note", - "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", + "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -21004,9 +21004,9 @@ } }, { - "id": 1006349049, + "id": 534108587, "definition": { - "title": "UpdateAccountSendingEnabled", + "title": "PutObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -21024,7 +21024,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:UpdateAccountSendingEnabled $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" } } ], 
@@ -21046,10 +21046,10 @@ } }, { - "id": 727527979, + "id": 1344162728, "definition": { "type": "note", - "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -21065,9 +21065,9 @@ } }, { - "id": 2751753108, + "id": 1224890985, "definition": { - "title": "VerifyEmailIdentity", + "title": "RequestServiceQuotaIncrease", "title_size": "16", "title_align": "left", "type": "query_value", @@ -21085,7 +21085,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:VerifyEmailIdentity $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:RequestServiceQuotaIncrease $userIdentity.arn $network.client.ip $account" } } ], 
@@ -21107,10 +21107,10 @@ } }, { - "id": 2360282647, + "id": 3009580622, "definition": { "type": "note", - "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -21126,9 +21126,9 @@ } }, { - "id": 4285168889, + "id": 2890308879, "definition": { - "title": "RegisterTaskDefinition", + "title": "CreateEmailIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -21146,7 +21146,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:RegisterTaskDefinition $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateEmailIdentity $userIdentity.arn $network.client.ip $account" } } ], 
@@ -21168,10 +21168,10 @@ } }, { - "id": 1418818887, + "id": 2595682361, "definition": { "type": "note", - "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -21187,9 +21187,9 @@ } }, { - "id": 1295560368, + "id": 2476410618, "definition": { - "title": "CreateService", + "title": "UpdateAccountSendingEnabled", "title_size": "16", "title_align": "left", "type": "query_value", @@ -21207,7 +21207,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateService $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:UpdateAccountSendingEnabled $userIdentity.arn $network.client.ip $account" } } ], 
@@ -21229,10 +21229,10 @@ } }, { - "id": 3018376601, + "id": 2194834984, "definition": { "type": "note", - "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -21248,9 +21248,9 @@ } }, { - "id": 2895118082, + "id": 2075563241, "definition": { - "title": "CreateCluster", + "title": "VerifyEmailIdentity", "title_size": "16", "title_align": "left", "type": "query_value", @@ -21268,7 +21268,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:CreateCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:VerifyEmailIdentity $userIdentity.arn $network.client.ip $account" } } ], 
@@ -21290,10 +21290,10 @@
 }
 },
 {
- "id": 2535459444,
+ "id": 164292561,
 "definition": {
 "type": "note",
- "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n",
+ "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -21309,9 +21309,9 @@
 }
 },
 {
- "id": 165378390,
+ "id": 45020818,
 "definition": {
- "title": "RequestServiceQuotaIncrease",
+ "title": "Publish",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -21329,7 +21329,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:RequestServiceQuotaIncrease $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:Publish $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
diff --git a/docs/events.csv b/docs/events.csv
index 9c3dcb9..f045a35 100644
--- a/docs/events.csv
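Review bot: The new query_value widget filters on the bare event name only, `"query": "source:cloudtrail @evt.name:Publish $userIdentity.arn $network.client.ip $account"`, while the matching docs/events.csv row carries an eventSource of sns.amazonaws.com for Publish; an event name alone is not unique across AWS services, so the count can include unrelated API calls and the tactic totals built from these widgets inflate accordingly. Adding an eventSource filter to each query, e.g. `"query": "source:cloudtrail @evt.name:Publish @<eventSource attribute>:sns.amazonaws.com $userIdentity.arn $network.client.ip $account"` with the attribute name the Datadog CloudTrail pipeline actually exposes, would keep the panel specific to the SNS activity the note describes. The same name-only pattern appears in the UpdateAccountSendingEnabled and VerifyEmailIdentity query hunks above; the wholesale id churn suggests this file is generated, in which case the change presumably belongs in the generator rather than here.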
+++ b/docs/events.csv 
@@ -1,299 +1,299 @@ -eventName,eventSource,awsService,description,mitreAttackTactics,mitreAttackTechniques,usedInWild,incidents,researchLinks,securityImplications,alerting,simulation,permissions -ChangeResourceRecordSets,route53.amazonaws.com,Route53,"Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets -ListDomains,route53domains.amazonaws.com,route53domains,This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53domains list-domains --region us-east-1""}]",https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains -GetHostedZoneCount,route53.amazonaws.com,Route53,Retrieves the number of hosted zones that are associated with the current AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": 
""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws route53 get-hosted-zone-count""}]",https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount -RegisterDomain,route53domains.amazonaws.com,route53domains,"This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53domains register-domain --region us-east-1 --cli-input-json '{\""DomainName\"": \""\"", \""DurationInYears\"": 1, \""AdminContact\"": { \""FirstName\"": \""\"", \""LastName\"": \""\""}, \""RegistrantContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\"" }, \""TechContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\""}}'""}]",https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain -CreateHostedZone,route53.amazonaws.com,Route53,"Creates a new public or private hosted zone. 
You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'""}]",https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone -InviteAccountToOrganization,organizations.amazonaws.com,Organizations,Sends an invitation to another account to join your organization as a member account.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations invite-account-to-organization --target '{\""Type\"": \""EMAIL\"", \""Id\"": \""traildiscover@example.com\""}'""}]",https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization -DescribeOrganization,organizations.amazonaws.com,Organizations,Retrieves information about the organization that the user's account belongs to.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access 
Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations describe-organization""}]",https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization -ListOrganizationalUnitsForParent,organizations.amazonaws.com,Organizations,Lists the organizational units (OUs) in a parent organizational unit or root.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-organizational-units-for-parent --parent-id r-traildiscover""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent -CreateAccount,organizations.amazonaws.com,Organizations,Creates an AWS account that is automatically a member of the organization whose credentials made the request.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations create-account --email traildiscover@example.com --account-name \""TrailDiscover 
Account\""""}]",https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount -LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1070 - Indicator Removal,False,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization -ListAccounts,organizations.amazonaws.com,Organizations,Lists all the accounts in the organization.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-accounts""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts -CreateStack,cloudformation.amazonaws.com,CloudFormation,Creates a stack as specified in the template.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""New tactics and techniques for proactive threat 
detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use CreateStack to provision unauthorized resources,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack -AssumeRoleWithWebIdentity,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.,"TA0001 - Initial Access, TA0008 - Lateral Movement","T1199 - Trusted Relationship, T1550 - Use Alternate Authentication Material",False,[],"[{""description"": ""From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk"", ""link"": ""https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/""}]",Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity -GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,True,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": ""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken -GetSessionToken,sts.amazonaws.com,STS,Returns a set of temporary credentials for an AWS account or IAM user.,TA0001 - Initial Access,T1199 - Trusted Relationship,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""AWS STS GetSessionToken Abuse"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html""}]",Attackers might use GetSessionToken to obtain temporary access credentials.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456""}]",https://aws.permissions.cloud/iam/sts#sts-GetSessionToken -AssumeRole,sts.amazonaws.com,STS,Returns a set of temporary security credentials that you can use to access AWS resources.,"TA0001 - Initial Access, TA0003 - Persistence, TA0004 - Privilege 
Escalation","T1199 - Trusted Relationship, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]","[{""description"": ""Role Chain Juggling"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRole -AssumeRoleWithSAML,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.,TA0001 - Initial Access,T1199 - Trusted Relationship,False,[],"[{""description"": ""AWS - STS Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc""}]",Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML -GetCallerIdentity,sts.amazonaws.com,STS,Returns details about the IAM user or role whose credentials are used to call the operation.,TA0007 - 
Discovery,T1087 - Account Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""GotRoot! AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}, {""description"": ""Enumerate AWS Account ID from an EC2 Instance"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/""}]",Attackers might use GetCallerIdentity to know what user or role are they using. 
This request does not need any permission.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-caller-identity""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity -ListTopics,sns.amazonaws.com,SNS,Returns a list of the requester's topics.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-topics""}]",https://aws.permissions.cloud/iam/sns#sns-ListTopics -ListSubscriptions,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-subscriptions""}]",https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions -ListOriginationNumbers,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-origination-numbers""}]",https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers -GetSMSAttributes,sns.amazonaws.com,SNS,Returns the settings for sending SMS messages from your AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns get-sms-attributes --attributes TrailDiscoverAttributes""}]",https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes -Publish,sns.amazonaws.com,SNS,"Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).",TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": 
""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use Publish for smishing campaigns.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sns#sns-Publish -GetSMSSandboxAccountStatus,sns.amazonaws.com,SNS,Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}]","[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns get-sms-sandbox-account-status""}]",https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus -IssueCertificate,acm-pca.amazonaws.com,ACMPCA,"Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.",TA0007 - Discovery,T1040- Network Sniffing,False,[],"[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.,[],"[{""type"": ""commandLine"", ""value"": 
""N/A""}]",https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate -GetCertificate,acm-pca.amazonaws.com,ACMPCA,Retrieves a certificate from your private CA or one that has been shared with you.,TA0007 - Discovery,T1040- Network Sniffing,False,[],"[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.,[],"[{""type"": ""commandLine"", ""value"": ""aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc""}]",https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate -GetCredentialsForIdentity,cognito-identity.amazonaws.com,CognitoIdentity,Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.,TA0004 - Privilege Escalation,T1078 - Valid Accounts,False,[],"[{""description"": ""Overpermissioned AWS Cognito Identity Pools"", ""link"": ""https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation""}]","Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity -GetId,cognito-identity.amazonaws.com,CognitoIdentity,Generates (or retrieves) IdentityID. 
Supplying multiple logins will create an implicit linked account.,TA0004 - Privilege Escalation,T1078 - Valid Accounts,False,[],"[{""description"": ""Overpermissioned AWS Cognito Identity Pools"", ""link"": ""https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation""}]",Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId -PutLogEvents,logs.amazonaws.com,CloudWatchLogs,Uploads a batch of log events to the specified log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'""}]",https://aws.permissions.cloud/iam/logs#logs-PutLogEvents -DescribeLogGroups,logs.amazonaws.com,CloudWatchLogs,Lists the specified log groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeLogGroups to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-log-groups --log-group-name-prefix TrailDiscover""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups -DeleteAlarms,monitoring.amazonaws.com,CloudWatch,Deletes the specified alarms. 
You can delete up to 100 alarms in one operation.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS CloudWatch Alarm Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",[],"[{""type"": ""commandLine"", ""value"": ""aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm""}]",https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms -DescribeSubscriptionFilters,logs.amazonaws.com,CloudWatchLogs,Lists the subscription filters for the specified log group.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters -DeleteLogGroup,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log group and permanently deletes all the archived log events associated with the log group.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Penetration testing of aws-based environments"", ""link"": ""https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": 
""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogGroup to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-group --log-group-name TrailDiscoverLogGroup""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogGroup
-DeleteLogStream,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogStream to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-stream --log-group-name TrailDiscoverLogGroupName --log-stream-name TrailDiscoverLogStreamName""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream
-DescribeLogStreams,logs.amazonaws.com,CloudWatchLogs,Lists the log streams for the specified log group.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeLogStreams to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams
-GetLogRecord,logs.amazonaws.com,CloudWatchLogs,Retrieves all of the fields and values of a single log event.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised 
Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/logs#logs-GetLogRecord
-PutLogEvents,logs.amazonaws.com,CloudWatchLogs,Uploads a batch of log events to the specified log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'""}]",https://aws.permissions.cloud/iam/logs#logs-PutLogEvents
-CreateLogStream,logs.amazonaws.com,CloudWatchLogs,Creates a log stream for the specified log group.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601""}]",https://aws.permissions.cloud/iam/logs#logs-CreateLogStream
-PasswordRecoveryRequested ,signin.amazonaws.com,SignIn,This is the CloudTrail event generated 
when you request a password recovery.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""An Ongoing AWS Phishing Campaign"", ""link"": ""https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/""}, {""description"": ""Disclosure of Security Incidents on imToken"", ""link"": ""https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken""}]",[],Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A
-SwitchRole,signin.amazonaws.com,SignIn,This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.,TA0008 - Lateral Movement,T1021 - Remote Services,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}]",Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A
-ConsoleLogin,signin.amazonaws.com,SignIn,This is the CloudTrail event generated when you sign-in.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Responding to an attack in AWS"", ""link"": ""https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac""}, {""description"": ""Credential Phishing"", ""link"": ""https://ramimac.me/aws-phishing#credential-phishing""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": 
""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"", ""link"": ""https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/""}]","[{""description"": ""Compromising AWS Console credentials"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/""}, {""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might access via AWS console (generating a ConsoleLogin event).,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6""}, {""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa""}]",N/A
-GetSigninToken,signin.amazonaws.com,SignIn,Generate a SigninToken that can be used to login to the the AWS Management Console.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A
-CreateFunction20150331,lambda.amazonaws.com,Lambda,Creates a Lambda function.,"TA0003 - Persistence, TA0004 - Privilege Escalation, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction
-CreateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,Creates a mapping between an event source and an AWS Lambda function.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.,[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping
-UpdateFunctionConfiguration20150331v2,lambda.amazonaws.com,Lambda,Modify the version-specific settings of a Lambda function.,TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""LambdaSpy - Implanting the Lambda execution environment (Part two)"", ""link"": ""https://www.clearvector.com/blog/lambda-spy/""}]","Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-function-configuration --function-name my-function --memory-size 256""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration
-AddPermission20150331v2,lambda.amazonaws.com,Lambda,"Grants an AWS service, AWS account, or AWS organization permission to use a function.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.,[],"[{""type"": ""commandLine"", ""value"": ""aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function""}]",https://aws.permissions.cloud/iam/lambda#lambda-AddPermission
-UpdateFunctionCode20150331v2,lambda.amazonaws.com,Lambda,"Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.","TA0003 - Persistence, TA0040 - Impact, TA0009 - Collection","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1119 - Automated Collection",False,[],"[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]","Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-function-code --function-name my-function""}, 
{""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode
-Invoke,lambda.amazonaws.com,Lambda,Invokes a Lambda function.,"TA0040 - Impact, TA0004 - Privilege Escalation",T1496 - Resource Hijacking,True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use Invoke to execute previously modified functions in AWS Lambda.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction
-UpdateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,"Updates an event source mapping. 
You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]","Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping
-GetQueryResults,athena.amazonaws.com,Athena,Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/athena#athena-GetQueryResults
-UpdateDistribution,cloudfront.amazonaws.com,CloudFront,Updates the configuration for a CloudFront distribution.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": 
""aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\""CallerReference\"":\""\"", \""Origins\"":{\""Quantity\"":1,\""Items\"":[{\""Id\"":\""\"", \""DomainName\"":\""\""}]}, \""DefaultCacheBehavior\"":{\""TargetOriginId\"":\""\"", \""ViewerProtocolPolicy\"":\""\""}, \""Comment\"":\""\"", \""Enabled\"":false }'""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution
-PublishFunction,cloudfront.amazonaws.com,CloudFront,Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction
-CreateFunction,cloudfront.amazonaws.com,CloudFront,Creates a CloudFront function.,TA0009 - Collection,T1119 - Automated Collection,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction 
-DeleteFileSystem,elasticfilesystem.amazonaws.com,elasticfilesystem,"Deletes a file system, permanently severing access to its contents.",TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-file-system --file-system-id fs-c7a0456e""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem
-DeleteMountTarget,elasticfilesystem.amazonaws.com,elasticfilesystem,Deletes the specified mount target.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-mount-target --mount-target-id fsmt-f9a14450""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget
-DeleteRule,events.amazonaws.com,events,Deletes the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",False,[],"[{""description"": ""AWS EventBridge Rule Disabled or Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html""}, 
{""description"": ""AWS EventBridge rule disabled or deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/""}]","Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.",[],"[{""type"": ""commandLine"", ""value"": ""aws events delete-rule --name TrailDiscoverRule""}]",https://aws.permissions.cloud/iam/events#events-DeleteRule
-ListTargetsByRule,events.amazonaws.com,events,Lists the targets assigned to the specified rule.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.",[],"[{""type"": ""commandLine"", ""value"": ""aws events list-targets-by-rule --rule TrailDiscoverRule""}]",https://aws.permissions.cloud/iam/events#events-ListTargetsByRule
-RemoveTargets,events.amazonaws.com,events,Removes the specified targets from the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.",[],"[{""type"": ""commandLine"", ""value"": ""aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId""}]",https://aws.permissions.cloud/iam/events#events-RemoveTargets
-DisableRule,events.amazonaws.com,events,Disables the specified 
rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",False,[],"[{""description"": ""AWS EventBridge Rule Disabled or Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html""}, {""description"": ""AWS EventBridge rule disabled or deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/""}]","Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.",[],"[{""type"": ""commandLine"", ""value"": ""aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus""}]",https://aws.permissions.cloud/iam/events#events-DisableRule
-ListRules,events.amazonaws.com,events,Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.",[],"[{""type"": ""commandLine"", ""value"": ""aws events list-rules --name-prefix TrailDiscover""}]",https://aws.permissions.cloud/iam/events#events-ListRules
-PutTargets,events.amazonaws.com,events,"Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.",TA0003 - Persistence,T1546 - Event Triggered Execution,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use 
PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.,[],"[{""type"": ""commandLine"", ""value"": ""aws events put-targets --rule TrailDiscoverLambdaFunction --targets \""Id\""=\""1\"",\""Arn\""=\""arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\""""}]",https://aws.permissions.cloud/iam/events#events-PutTargets
-PutRule,events.amazonaws.com,events,Creates or updates the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion, TA0003 - Persistence","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure, T1546 - Event Triggered Execution",True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.",[],"[{""type"": ""commandLine"", ""value"": ""aws events put-rule --name TrailDiscoverRule --schedule-expression 'rate(5 minutes)' --state ENABLED --description \""TrailDiscover rule\""""}]",https://aws.permissions.cloud/iam/events#events-PutRule
-GetInstances,lightsail.amazonaws.com,LightSail,"Returns information about all Amazon Lightsail virtual private servers, or instances.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetInstances to gather information about running instances for potential exploitation.,[],"[{""type"": 
""commandLine"", ""value"": ""aws lightsail get-instances""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances
-CreateInstances,lightsail.amazonaws.com,Lightsail,Creates one or more Amazon Lightsail instances.,"TA0005 - Defense Evasion, TA0040 - Impact","T1578 - Modify Cloud Compute Infrastructure, T1496 - Resource Hijacking",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. The use of lightsail might not be monitored.",[],"[{""type"": ""commandLine"", ""value"": ""aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances
-GetRegions,lightsail.amazonaws.com,LightSail,Returns a list of all valid regions for Amazon Lightsail.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.,[],"[{""type"": ""commandLine"", ""value"": ""aws lightsail get-regions""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions
-GetCostAndUsage,ce.amazonaws.com,CostExplorer,Retrieves cost and usage metrics for your account.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": 
""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.,[],"[{""type"": ""commandLine"", ""value"": ""aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment""}]",https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage
-DeleteMembers,securityhub.amazonaws.com,SecurityHub,Deletes the specified member accounts from Security Hub.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteMembers to remove specific members from the SecurityHub, disrupting security management and monitoring.",[],"[{""type"": ""commandLine"", ""value"": ""aws securityhub delete-members --account-ids TrailDiscoverAccountIds""}]",https://aws.permissions.cloud/iam/securityhub#securityhub-DeleteMembers
-ListGroupsForUser,iam.amazonaws.com,IAM,Lists the IAM groups that the specified IAM user belongs to.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups-for-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser
-CreateSAMLProvider,iam.amazonaws.com,IAM,Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.,TA0003 - 
Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateSAMLProvider to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider
-ListAccessKeys,iam.amazonaws.com,IAM,Returns information about the access key IDs associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]",[],Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-access-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys
-DeleteRolePolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy
-DetachRolePolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified role.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud 
Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy
-UpdateLoginProfile,iam.amazonaws.com,IAM,"Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.","TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile
-SimulatePrincipalPolicy,iam.amazonaws.com,IAM,Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. 
Using this technique might allow attackers to evade defenses while enumerating permissions.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories""}]",https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy
-GetAccountAuthorizationDetails,iam.amazonaws.com,IAM,"Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.",TA0007 - Discovery,T1087 - Account Discovery,False,[],"[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]","Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-account-authorization-details""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails
-AddUserToGroup,iam.amazonaws.com,IAM,Adds the specified user to the specified group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup
-ListGroups,iam.amazonaws.com,IAM,Lists the IAM groups that have the specified path prefix.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled 
Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroups -UpdateAccessKey,iam.amazonaws.com,IAM,"Changes the status of the specified access key from Active to Inactive, or vice versa.",TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS - IAM Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc""}]","Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey -ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers -UpdateAssumeRolePolicy,iam.amazonaws.com,IAM,Updates the policy that grants an IAM entity permission to assume a role.,"TA0003 - Persistence, TA0004 - 
Privilege Escalation",T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]",Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy -CreateAccessKey,iam.amazonaws.com,IAM,Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by 
shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-access-key --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey -CreatePolicyVersion,iam.amazonaws.com,IAM,Creates a new version of the specified managed policy.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion -DeleteUserPolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy -ListRoles,iam.amazonaws.com,IAM,Lists the IAM roles that have the specified path prefix. 
,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-roles""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListRoles -UpdateSAMLProvider,iam.amazonaws.com,IAM,Updates the metadata document for an existing SAML provider resource object.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,False,[],"[{""description"": ""Gaining AWS Persistence by Updating a SAML Identity Provider"", ""link"": ""https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5""}]",Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider -PutRolePermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM role's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePermissionsBoundary to modify permissions 
boundaries, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary -StartSSO,sso.amazonaws.com,SSO,Initialize AWS IAM Identity Center,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use StartSSO to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sso#sso-StartSSO -PutUserPermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM user's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary -ListSAMLProviders,iam.amazonaws.com,IAM,Lists the SAML provider resource objects defined in IAM in the account.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSAMLProviders to 
discover if there are SAML providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-saml-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders -DeleteUserPermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM user.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-permissions-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary -GetUser,iam.amazonaws.com,IAM,"Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use GetUser to obtain user information.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetUser -DeleteAccessKey,iam.amazonaws.com,IAM,Deletes the access key pair associated with the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. 
Also, it can be used to delete previously used keys to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey -DeleteUser,iam.amazonaws.com,IAM,Deletes the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. Also, it can be used to delete previously used users to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUser -AttachRolePolicy,iam.amazonaws.com,IAM,"Attaches the specified managed policy to the specified IAM role. 
When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy -CreateOpenIDConnectProvider,iam.amazonaws.com,IAM,Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC),TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateOpenIDConnectProvider to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-open-id-connect-provider --cli-input-json '{\""Url\"": \""https://server.example.com\"",\""ClientIDList\"": [\""example-application-ID\""],\""ThumbprintList\"": 
[\""c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\""]}'""}]",https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider -SetDefaultPolicyVersion,iam.amazonaws.com,IAM,Sets the specified version of the specified policy as the policy's default (operative) version.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2""}]",https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion -AttachUserPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachUserPolicy to grant malicious policies to IAM 
users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}]",https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy -CreateGroup,iam.amazonaws.com,IAM,Creates a new group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Group Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html""}]",Attackers use CreateGroup to create a group that they can use to escalate privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-group --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-CreateGroup -ListAttachedRolePolicies,iam.amazonaws.com,IAM,Lists all managed policies that are attached to the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-attached-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies -PutUserPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account 
Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy -ListServiceSpecificCredentials,iam.amazonaws.com,IAM,Returns information about the service-specific credentials associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-service-specific-credentials --user-name traildiscover --service-name 
codecommit.amazonaws.com""}]",https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials -DeleteRolePermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-permissions-boundary --role-name trail-discover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary -ListRolePolicies,iam.amazonaws.com,IAM,Lists the names of the inline policies that are embedded in the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies -PutGroupPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.","[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy -ChangePassword,iam.amazonaws.com,IAM,Changes the password of the IAM user who is calling this operation.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts",False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""IAM User Changes Alarm"", ""link"": ""https://asecure.cloud/a/cwalarm_iam_user_changes/""}]",Attackers might use ChangePassword to alter user credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam change-password --old-password TrailDiscover --new-password TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ChangePassword -CreateLoginProfile,iam.amazonaws.com,IAM,Creates a password for the specified IAM user. 
A password allows an IAM user to access AWS services through the AWS Management Console.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1098 - Account Manipulation, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.","[{""type"": ""sigma"", ""value"": 
""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile -CreateUser,iam.amazonaws.com,IAM,Creates a new IAM user for your AWS account.,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Responding to an attack in AWS"", ""link"": ""https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Exposed long-lived access key resulted in unauthorized access"", ""link"": ""https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, 
{""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Sendtech Pte. Ltd"", ""link"": ""https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""Creating a new IAM user"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges 
within AWS environments by creating new IAM users with strategic permissions.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-user --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateUser -ListSigningCertificates,iam.amazonaws.com,IAM,Returns information about the signing certificates associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSigningCertificates to review which users have active certificates,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-signing-certificates --user-name traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates -ListInstanceProfiles,iam.amazonaws.com,IAM,"Lists the instance profiles that have the specified path prefix. 
If there are none, the operation returns an empty list.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-instance-profiles""}]",https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles -DetachUserPolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy -ListSSHPublicKeys,iam.amazonaws.com,IAM,Returns information about the SSH public keys associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": 
""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-ssh-public-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys -ListOpenIDConnectProviders,iam.amazonaws.com,IAM,Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-open-id-connect-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders -PutRolePolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy -CreateRole,iam.amazonaws.com,IAM,Creates a new role for your AWS account.,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""Attack Scenario 2: From Misconfigured 
Firewall to Cryptojacking Botnet"", ""link"": ""https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf""}, {""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-CreateRole -DeleteLoginProfile,iam.amazonaws.com,IAM,Deletes the password for the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. 
Also, it might be used to delete a previously added profile to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-login-profile --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile -AddRoleToInstanceProfile,iam.amazonaws.com,IAM,Adds the specified IAM role to the specified instance profile.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)"", ""link"": ""https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5""}]",Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile -DeactivateMFADevice,iam.amazonaws.com,IAM,Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS IAM Deactivation of MFA Device"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html""}]","Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice""}]",https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice -AttachGroupPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy -GetLoginProfile,iam.amazonaws.com,IAM,Retrieves the user name for the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam get-login-profile --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile -GetSecretValue,secretsmanager.amazonaws.com,SecretsManager,"Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", 
""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue -DescribeSecret,secretsmanager.amazonaws.com,SecretsManager,Retrieves the details of a secret.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager describe-secret --secret-id TrailDiscover""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret -ListSecrets,secretsmanager.amazonaws.com,SecretsManager,"Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": 
""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use ListSecrets to list all the secrets and potentially access to them later.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager list-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets -CreateUser,transfer.amazonaws.com,TransferFamily,Creates a user and associates them with an existing file transfer protocol-enabled server.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateUser to use the Transfer Family service.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-user --server-id s-1234567890abcdef0 --user-name TrailDiscover --role arn:aws:iam::123456789012:role/TrailDiscover --home-directory /TrailDiscover""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateUser -CreateServer,transfer.amazonaws.com,TransferFamily,Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": 
""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateServer -DescribeLoadBalancers,elasticloadbalancing.amazonaws.com,ELBv2,Describes the specified load balancers or all of your load balancers.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers -DescribeListeners,elasticloadbalancing.amazonaws.com,ELBv2,"Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.",TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 describe-listeners""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners 
-CreateRule,elasticloadbalancing.amazonaws.com,ELBv2,Creates a rule for the specified listener.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions '[{}]'""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule -AssociateAccessPolicy,eks.amazonaws.com,EKS,Associates an access policy and its scope to an access entry.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks associate-access-policy --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster""}]",https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy -ListAssociatedAccessPolicies,eks.amazonaws.com,EKS,Lists the access policies associated with an access entry.,TA0007 - Discovery,T1580 - Cloud Infrastructure 
Discovery,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies -ListClusters,eks.amazonaws.com,EKS,Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint potential targets for subsequent attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks list-clusters""}]",https://aws.permissions.cloud/iam/eks#eks-ListClusters -DescribeAccessEntry,eks.amazonaws.com,EKS,Describes an access entry.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry 
-DescribeCluster,eks.amazonaws.com,EKS,Describes an Amazon EKS cluster.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]",Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.,[],"[{""type"": ""commandLine"", ""value"": ""aws eks describe-cluster --name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/eks#eks-DescribeCluster -CreateAccessEntry,eks.amazonaws.com,EKS,Creates an access entry.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry -Search,resource-explorer-2.amazonaws.com,ResourceExplorer,Searches for resources and displays details about all resources that match the specified criteria.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use Search to list resorces.,[],"[{""type"": ""commandLine"", ""value"": ""aws resource-explorer-2 search --query-string 'service:iam'""}]",https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search 
-GenerateDataKeyWithoutPlaintext,kms.amazonaws.com,KMS,Returns a unique symmetric data key for use outside of AWS KMS.,TA0040 - Impact,T1486 - Data Encrypted for Impact,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext -ScheduleKeyDeletion,kms.amazonaws.com,KMS,Schedules the deletion of a KMS key.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": "" Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion -Encrypt,kms.amazonaws.com,KMS,"Encrypts plaintext of up to 4,096 bytes using a KMS key. 
",TA0040 - Impact,T1486 - Data Encrypted for Impact,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use Encrypt to encrypt data for ransom.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-Encrypt -LookupEvents,cloudtrail.amazonaws.com,CloudTrail,Looks up management events or CloudTrail Insights events that are captured by CloudTrail.,TA0007 - Discovery,T1654 - Log Enumeration,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents -StopLogging,cloudtrail.amazonaws.com,CloudTrail,Suspends the recording of AWS API calls and log file delivery for the specified trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Stopping a CloudTrail trail"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/""}, {""description"": ""AWS Defense Evasion Stop Logging Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/""}, {""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, 
{""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use StopLogging to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail stop-logging --name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging -UpdateTrail,cloudtrail.amazonaws.com,CloudTrail,"Updates trail settings that control what events you are logging, and how to handle log files.",TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use UpdateTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", 
""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail -DeleteTrail,cloudtrail.amazonaws.com,CloudTrail,Deletes a trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion Delete Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use DeleteTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail delete-trail --name TrailDiscoverTrailName""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail -PutEventSelectors,cloudtrail.amazonaws.com,CloudTrail,Configures an event selector or advanced event selectors for your trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""cloudtrail_guardduty_bypass"", ""link"": ""https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use PutEventSelectors to disrupting AWS logging.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\""ReadWriteType\"": \""All\"", \""IncludeManagementEvents\"":true, \""DataResources\"": [{\""Type\"": \""AWS::S3::Object\"", \""Values\"": [\""arn:aws:s3\""]}] }]'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors -UpdateGraphqlApi,appsync.amazonaws.com,AppSync,Updates a GraphqlApi object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": 
""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi -CreateApiKey,appsync.amazonaws.com,AppSync,Creates a unique key that you can distribute to clients who invoke your API.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use CreateApiKey to add a key they control for authentication. 
Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync create-api-key --api-id TrailDiscoverApiId""}]",https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey -GetIntrospectionSchema,appsync.amazonaws.com,AppSync,Retrieves the introspection schema for a GraphQL API.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync get-introspection-schema --api-id TrailDiscover --format json output""}]",https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema -UpdateResolver,appsync.amazonaws.com,AppSync,Updates a Resolver object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateResolver to execute custom code that could allow potential access to data and bypass protections.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template 
TrailDiscoverResponseMappingTemplate""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver -PutBucketPolicy,s3.amazonaws.com,S3,Applies an Amazon S3 bucket policy to an Amazon S3 bucket.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,False,[],"[{""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-policy --bucket TrailDiscover --policy {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy -PutObject,s3.amazonaws.com,S3,Adds an object to a bucket.,TA0040 - Impact,T1565 - Data Manipulation,True,"[{""description"": ""Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020"", ""link"": ""https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020""}, {""description"": ""LA Times homicide website throttles cryptojacking attack"", ""link"": ""https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack""}]",[],Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/s3#s3-PutObject -GetBucketVersioning,s3.amazonaws.com,S3,Returns the versioning state of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Ransomware in the cloud"", ""link"": 
""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],"Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.",[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-versioning --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning -PutBucketAcl,s3.amazonaws.com,S3,Sets the permissions on an existing bucket using access control lists (ACL).,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,False,[],"[{""description"": ""AWS S3 Bucket ACL made public"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/""}]","Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl -PutBucketVersioning,s3.amazonaws.com,S3,Sets the versioning state of an existing bucket.,"TA0040 - Impact, TA0010 - Exfiltration","T1490 - Inhibit System Recovery, T1537 - Transfer Data to Cloud Account",True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]","[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might set the versioning to 'Suspended' before deleting data. 
Attackers might enable versioning to add bucket replication to exfiltrate data.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning -GetBucketLogging,s3.amazonaws.com,S3,Returns the logging status of a bucket and the permissions users have to view and modify that status.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],"Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-logging --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging -GetBucketPolicy,s3.amazonaws.com,S3,Returns the policy of a specified bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""aws 
s3api get-bucket-policy --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy -PutBucketReplication,s3.amazonaws.com,S3,Creates a replication configuration or replaces an existing one.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\""Role\"":\""\"",\""Rules\"":[]}'""}]",N/A -ListBuckets,s3.amazonaws.com,S3,Returns a list of all buckets owned by the authenticated sender of the request.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", 
""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api list-buckets --query \""Buckets[].Name\""""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",N/A -GetBucketReplication,s3.amazonaws.com,S3,Returns the replication configuration of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetBucketReplication to identify replication configurations and 
target specific data for theft or corruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-replication --bucket TrailDiscoverBucket""}]",N/A -GetObject,s3.amazonaws.com,S3,Retrieves an object from Amazon S3.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Incident 2 - Additional details of the attack"", ""link"": ""https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus""}, {""description"": ""Aruba Central Security Incident"", ""link"": ""https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/""}, {""description"": ""Sendtech Pte. Ltd"", ""link"": ""https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en""}, {""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Chegg, Inc"", ""link"": ""https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf""}, {""description"": ""Scattered Spider Attack Analysis"", ""link"": ""https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Data Exfiltration through S3 Server Access Logs"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/""}, {""description"": ""S3 Streaming Copy"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/""}]",Attackers might use GetObject to download data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-GetObject -PutBucketLifecycle,s3.amazonaws.com,S3,Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle 
configuration.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""USA VS Nickolas Sharp"", ""link"": ""https://www.justice.gov/usao-sdny/press-release/file/1452706/dl""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\""Rules\"":[{\""ID\"":\""\"",\""Status\"": \""Enabled\"", \""Prefix\"": \""TrailDiscover/\""}]}'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule""}]",N/A -DeleteBucket,s3.amazonaws.com,S3,Deletes the S3 bucket.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteBucket to delete resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucket -GetBucketAcl,s3.amazonaws.com,S3,This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": 
""Public S3 bucket through bucket ACL"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/""}]",Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-acl --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl -DeleteBucketPolicy,s3.amazonaws.com,S3,Deletes the policy of a specified bucket.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""AWS S3 Bucket Configuration Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html""}]",Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy -HeadObject,s3.amazonaws.com,S3,The HEAD operation retrieves metadata from an object without returning the object itself.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use HeadObject to gather metadata about sensitive files stored in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A -ListVaults,glacier.amazonaws.com,S3,This operation lists all vaults owned by the calling user’s account.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": 
""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListVaults to identify data such as archived training data or related datasets.,[],"[{""type"": ""commandLine"", ""value"": ""aws glacier list-vaults --account-id -""}]",https://aws.permissions.cloud/iam/glacier#glacier-ListVaults -GetPublicAccessBlock,s3.amazonaws.com,S3,Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A -GetBucketTagging,s3.amazonaws.com,S3,Returns the tag set associated with the bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-tagging --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging -DeleteObject,s3.amazonaws.com,S3,Removes an object from a bucket. 
The behavior depends on the bucket's versioning state.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability"", ""link"": ""https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability""}, {""description"": ""20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets"", ""link"": ""https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteObject to erase crucial data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteObject -JobCreated,s3.amazonaws.com,S3,"When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud 
Account,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A -ListObjects,s3.amazonaws.com,S3,"Returns some or all (up to 1,000) of the objects in a bucket.",TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A -InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, 
{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel -GetUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to retrieve a use case for model access.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetUseCaseForModelAccess to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess -ListProvisionedModelThroughputs,bedrock.amazonaws.com,Bedrock,Grants permission to list provisioned model throughputs that you created earlier.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.,[],"[{""type"": ""commandLine"", ""value"": 
""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs -PutFoundationModelEntitlement,bedrock.amazonaws.com,Bedrock,Grants permission to put entitlement to access a foundation model.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement -InvokeModelWithResponseStream,bedrock.amazonaws.com,Bedrock,Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream -PutUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to put a use case for model access.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": 
""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess -GetFoundationModelAvailability,bedrock.amazonaws.com,Bedrock,Grants permission to get the availability of a foundation model.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetFoundationModelAvailability to enumerate accessible models,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability -ListFoundationModels,bedrock.amazonaws.com,Bedrock,Grants permission to list Bedrock foundation models that you can use.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModels to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels -ListFoundationModelAgreementOffers,bedrock.amazonaws.com,Bedrock,Grants permission to get a list of foundation model agreement offers.,TA0007 - Discovery,T1580 - Cloud Infrastructure 
Discovery,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers -GetModelInvocationLoggingConfiguration,bedrock.amazonaws.com,Bedrock,Get the current configuration values for model invocation logging.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}]",[],Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration -CreateFoundationModelAgreement,bedrock.amazonaws.com,Bedrock,Grants permission to create a new foundation model agreement.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement -CreateInstanceExportTask,ec2.amazonaws.com,EC2,Exports a running or stopped instance to an Amazon S3 bucket.,TA0009 - Collection,T1005 - Data from Local 
System,False,[],"[{""description"": ""AWS EC2 VM Export Failure"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html""}]",Attackers might use CreateInstanceExportTask to extract or exfiltrate information,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask -GetConsoleScreenshot,ec2.amazonaws.com,EC2,Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot -DeleteVolume,ec2.amazonaws.com,EC2,Deletes the specified EBS volume. 
The volume must be in the available state (not attached to an instance).,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-volume --volume-id TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume -DescribeSnapshotTierStatus,ec2.amazonaws.com,EC2,Describes the storage tier status of one or more Amazon EBS snapshots.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-tier-status""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus -DescribeImages,ec2.amazonaws.com,EC2,"Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-images --filters 
Name=name,Values=TrailDiscover""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages -ModifyInstanceAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""EC2 Privilege Escalation Through User Data"", ""link"": ""https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/""}, {""description"": ""User Data Script Persistence"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute -GetEbsDefaultKmsKeyId,ec2.amazonaws.com,EC2,Describes the default AWS KMS key for EBS encryption by default for your account in this Region.,TA0007 - 
Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-ebs-default-kms-key-id""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId -EnableSerialConsoleAccess,ec2.amazonaws.com,EC2,Enables access to the EC2 serial console of all instances for your account.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""How to detect EC2 Serial Console enabled"", ""link"": ""https://sysdig.com/blog/ec2-serial-console-enabled/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 enable-serial-console-access""}]",https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess -DescribeAvailabilityZones,ec2.amazonaws.com,EC2,"Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeAvailabilityZones to map the deployment regions 
of an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones -GetPasswordData,ec2.amazonaws.com,EC2,Retrieves the encrypted administrator password for a running Windows instance.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-password-data --instance-id TrailDiscoverInstanceId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData -CreateTrafficMirrorTarget,ec2.amazonaws.com,EC2,Creates a target for your Traffic Mirror session.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateTrafficMirrorTarget 
to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget -CreateVolume,ec2.amazonaws.com,EC2,Creates an EBS volume that can be attached to an instance in the same Availability Zone.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-volume --size 80 --availability-zone us-east-1a""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume -StartInstances,ec2.amazonaws.com,EC2,Starts an Amazon EBS-backed instance that you've previously stopped.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of 
commands.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 start-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-StartInstances -CreateSecurityGroup,ec2.amazonaws.com,EC2,Creates a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": 
""commandLine"", ""value"": ""aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \""TrailDiscoverDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup -DescribeInstances,ec2.amazonaws.com,EC2,Describes the specified instances or all instances.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances -GetTransitGatewayRouteTableAssociations,ec2.amazonaws.com,EC2,Gets information about the associations for the specified transit gateway route table.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id 
tgw-rtb-0a823edbdeEXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations -ModifySnapshotAttribute,ec2.amazonaws.com,EC2,Adds or removes permission settings for the specified snapshot.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}]",[],"Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute -CreateDefaultVpc,ec2.amazonaws.com,EC2,Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-default-vpc""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc -DeleteFlowLogs,ec2.amazonaws.com,EC2,Deletes one or more flow logs.,TA0005 - Defense Evasion,T1089 - Disabling Security 
Tools,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Removing VPC flow logs"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/""}, {""description"": ""AWS Incident Response"", ""link"": ""https://github.com/easttimor/aws-incident-response""}, {""description"": ""Proactive Cloud Security w/ AWS Organizations"", ""link"": ""https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16""}]",Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs -GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. 
You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings, network configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData -CreateNetworkAclEntry,ec2.amazonaws.com,EC2,Creates an entry (a rule) in a network ACL with the specified rule number.,TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS EC2 Network Access Control List Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry -DescribeKeyPairs,ec2.amazonaws.com,EC2,Describes the specified key pairs or all of your key pairs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Behind the scenes in 
the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}]",[],Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs -DeleteNetworkAcl,ec2.amazonaws.com,EC2,Deletes the specified network ACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Network ACL Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change""}]","Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl -CreateTrafficMirrorSession,ec2.amazonaws.com,EC2,Creates a Traffic Mirror session.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id 
tmf-04812ff784EXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession -GetEbsEncryptionByDefault,ec2.amazonaws.com,EC2,Describes whether EBS encryption by default is enabled for your account in the current Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are encrypted by default, seeking to exploit unencrypted volumes.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-ebs-encryption-by-default""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault -CreateKeyPair,ec2.amazonaws.com,EC2,Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.,TA0003 - Persistence,T1098 - Account Manipulation,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-key-pair --key-name 
TrailDiscoverKeyPair""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair -SharedSnapshotCopyInitiated,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""M-Trends Report - 2020"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf""}, {""description"": ""Democratic National Committee hack"", ""link"": ""https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000""}]","[{""description"": ""Detecting exfiltration of EBS snapshots in AWS"", ""link"": ""https://twitter.com/christophetd/status/1574681313218506753""}]",SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",N/A -DescribeCarrierGateways,ec2.amazonaws.com,EC2,Describes one or more of your carrier gateways.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways -TerminateInstances,ec2.amazonaws.com,EC2,"Shuts down the specified instances. 
This operation is idempotent; if you terminate an instance more than once, each call succeeds.","TA0040 - Impact, TA0005 - Defense Evasion","T1485 - Data Destruction, T1070 - Indicator Removal",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Former Cisco engineer sentenced to prison for deleting 16k Webex accounts"", ""link"": ""https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances -DeleteNetworkAclEntry,ec2.amazonaws.com,EC2,Deletes the specified ingress or egress entry (rule) from the specified network ACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Network ACL Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change""}]","Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", 
""value"": ""aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry -CreateRoute,ec2.amazonaws.com,EC2,Creates a route in a route table within a VPC.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Route Table Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]",Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute -GetFlowLogsIntegrationTemplate,ec2.amazonaws.com,EC2,Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn 
arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate -DescribeTransitGatewayMulticastDomains,ec2.amazonaws.com,EC2,Describes one or more transit gateway multicast domains.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains -StopInstances,ec2.amazonaws.com,EC2,Stops an Amazon EBS-backed instance.,"TA0040 - Impact, TA0005 - Defense Evasion","T1499 - Endpoint Denial of Service, T1578 - Modify Cloud Compute Infrastructure",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in 
the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-StopInstances -DescribeInstanceAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified instance. You can specify only one attribute at a time.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute -DescribeDhcpOptions,ec2.amazonaws.com,EC2,Describes one or more of your DHCP options sets.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-dhcp-options --dhcp-options-ids 
TrailDiscoverDhcpOptionsId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions -AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": ""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress -DescribeVpcEndpointConnectionNotifications,ec2.amazonaws.com,EC2,Describes the connection notifications for VPC endpoints and VPC endpoint services.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications -DescribeFlowLogs,ec2.amazonaws.com,EC2,Describes one or more flow logs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case 
Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs -SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey -DescribeSnapshotAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified snapshot.,TA0007 - 
Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute -DescribeVolumesModifications,ec2.amazonaws.com,EC2,Describes the most recent volume modification request for the specified EBS volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVolumesModifications to track changes in EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications -DescribeRegions,ec2.amazonaws.com,EC2,"Describes the Regions that are enabled for your account, or all Regions.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use 
DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-regions""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions -DeleteSnapshot,ec2.amazonaws.com,EC2,Deletes the specified snapshot.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot -SharedSnapshotVolumeCreated,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""M-Trends Report - 2020"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf""}, {""description"": ""Democratic National Committee hack"", ""link"": ""https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000""}]","[{""description"": ""Detecting exfiltration of EBS snapshots in AWS"", ""link"": ""https://twitter.com/christophetd/status/1574681313218506753""}]",SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",N/A -CreateSnapshot,ec2.amazonaws.com,EC2,Creates a snapshot of an EBS volume and stores it in Amazon S3.,"TA0008 - Lateral Movement, TA0010 - Exfiltration","T1537 - Transfer 
Data to Cloud Account, T1021 - Remote Services",True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Stealing an EBS snapshot by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/""}, {""description"": ""Exfiltrate EBS Snapshot by Sharing It"", ""link"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/""}]","Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute -ReplaceIamInstanceProfileAssociation,ec2.amazonaws.com,EC2,Replaces an IAM instance profile for the specified running instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]",[],Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id 
iip-assoc-060bae234aac2e7fa""}]",https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation -RunInstances,ec2.amazonaws.com,EC2,Launches the specified number of instances using an AMI for which you have permissions.,"TA0003 - Persistence, TA0040 - Impact, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""DXC spills AWS private keys on public GitHub"", ""link"": ""https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Clear and Uncommon Story About Overcoming Issues With AWS"", ""link"": ""https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/""}, {""description"": ""onelogin 2017 Security Incident"", ""link"": 
""https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Launching EC2 instances"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances""}]",https://aws.permissions.cloud/iam/ec2#ec2-RunInstances 
-CreateTrafficMirrorFilter,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter --description 'TCP Filter'""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter -DescribeSecurityGroups,ec2.amazonaws.com,EC2,Describes the specified security groups or all of your security groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Case Study: Responding to an Attack in AWS"", ""link"": ""https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/""}]",[],"Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups -CreateTrafficMirrorFilterRule,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter rule.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress 
--traffic-mirror-filter-id tmf-04812ff784b25ae67""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule -DescribeVpcs,ec2.amazonaws.com,EC2,Describes one or more of your VPCs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",[],"Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs -AttachVolume,ec2.amazonaws.com,EC2,Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName""}]",https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume -ImportKeyPair,ec2.amazonaws.com,EC2,Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.,TA0003 - Persistence,T1098 - Account Manipulation,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", 
""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}]","Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair -DescribeBundleTasks,ec2.amazonaws.com,EC2,Describes the specified bundle tasks or all of your bundle tasks.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks -DescribeAccountAttributes,ec2.amazonaws.com,EC2,Describes attributes of your AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-account-attributes --attribute-names 
TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes -DescribeVolumes,ec2.amazonaws.com,EC2,Describes the specified EBS volumes or all of your EBS volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes -DescribeInstanceTypes,ec2.amazonaws.com,EC2,Describes the details of the instance types that are offered in a location.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes -DescribeClientVpnRoutes,ec2.amazonaws.com,EC2,Describes the routes for the specified Client VPN endpoint.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes 
that could be exploited for network access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes -GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData -CreateImage,ec2.amazonaws.com,EC2,Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \""TrailDiscoverImageName\"" --description \""TrailDiscoverImageDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateImage -AuthorizeSecurityGroupEgress,ec2.amazonaws.com,EC2,Adds the specified outbound (egress) rules to a security group.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative 
Protocol,True,"[{""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]",[],Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress -SendSerialConsoleSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],"Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey -ModifyImageAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified AMI.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""AWS AMI Atttribute Modification for Exfiltration"", ""link"": 
""https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/""}]","Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute -ModifyDBSnapshotAttribute,rds.amazonaws.com,RDS,"Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Imperva Security Update"", ""link"": ""https://www.imperva.com/blog/ceoblog/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute -AuthorizeDBSecurityGroupIngress,rds.amazonaws.com,RDS,Enables ingress to a DBSecurityGroup using one of two forms of authorization.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]",Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP""}]",https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress -DeleteGlobalCluster,rds.amazonaws.com,RDS,Deletes a global database cluster. 
The primary and secondary clusters must already be detached or destroyed first.,TA0040 - Impact,T1485 - Data Destruction,False,[],"[{""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]",Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster -DeleteDBCluster,rds.amazonaws.com,RDS,The DeleteDBCluster action deletes a previously provisioned DB cluster.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}, {""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]","Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster -StartExportTask,rds.amazonaws.com,RDS,Starts an export of DB snapshot or DB cluster data to Amazon S3.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""AWS - RDS Post Exploitation"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation""}]",Attackers might use 
StartExportTask to export database snapshots to an S3 they control and gain access to the data.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff""}]",https://aws.permissions.cloud/iam/rds#rds-StartExportTask -DeleteDBInstance,rds.amazonaws.com,RDS,Deletes a previously provisioned DB instance.,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance -CreateDBSecurityGroup,rds.amazonaws.com,RDS,Creates a new DB security group. 
DB security groups control access to a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup -CreateDBSnapshot,rds.amazonaws.com,RDS,Creates a snapshot of a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}]",Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier 
TrailDiscoverDBSnapshot""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot -ModifyActivityStream,rds.amazonaws.com,RDS,Changes the audit policy state of a database activity stream to either locked (default) or unlocked.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,True,"[{""description"": ""Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response"", ""link"": ""https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response""}]",[],"Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-activity-stream""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream -CreateDevEndpoint,glue.amazonaws.com,Glue,Creates a new development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint -UpdateJob,glue.amazonaws.com,Glue,Updates an existing job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws glue update-job --job-name TrailDiscoverJob --job-update '{\""Role\"": \""TrailDiscoverRole\"", \""Command\"": {\""Name\"": \""glueetl\"", \""ScriptLocation\"": \""s3://mybucket/myscript.py\""}}'""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateJob -CreateJob,glue.amazonaws.com,Glue,Creates a new job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\""--job-language\"": \""python\""}'""}]",https://aws.permissions.cloud/iam/glue#glue-CreateJob -UpdateDevEndpoint,glue.amazonaws.com,Glue,Updates a specified development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue update-dev-endpoint --endpoint-name 
TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint -SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand -GetParameters,ssm.amazonaws.com,SSM,Get information about one or more parameters by specifying multiple parameter names.,"TA0007 - Discovery, TA0006 - Credential Access","T1526 - Cloud Service Discovery, T1552 - Unsecured Credentials",False,[],"[{""description"": ""Detecting and removing risky actions out 
of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm get-parameters --names TrailDiscoverParameters""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters""}]",https://aws.permissions.cloud/iam/ssm#ssm-GetParameters -StartSession,ssm.amazonaws.com,SSM,"Initiates a connection to a target (for example, a managed node) for a Session Manager session.","TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}]",Attackers might use StartSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm start-session --target TrailDiscoverTarget""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session""}]",https://aws.permissions.cloud/iam/ssm#ssm-StartSession -DescribeInstanceInformation,ssm.amazonaws.com,SSM,"Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.",TA0007 - Discovery,T1580 - 
Cloud Infrastructure Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds""}]",https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation -ResumeSession,ssm.amazonaws.com,SSM,Reconnects a session to a managed node after it has been disconnected.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",False,[],"[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ResumeSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm resume-session --session-id TrailDiscoverTarget""}]",https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession -CreateEmailIdentity,ses.amazonaws.com,SES,Starts the process of verifying an email identity. 
An identity is an email address or domain that you use when you send email.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.,[],"[{""type"": ""commandLine"", ""value"": ""aws sesv2 create-email-identity --email-identity cloudtrail.cloud""}]",https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity -GetIdentityVerificationAttributes,ses.amazonaws.com,SES,"Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.",TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity""}]",https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes -UpdateAccountSendingEnabled,ses.amazonaws.com,SES,Enables or disables email sending across your entire Amazon SES account in the current AWS Region.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],"Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing 
campaigns.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses update-account-sending-enabled""}]",https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled -GetAccountSendingEnabled,ses.amazonaws.com,SES,Returns the email sending status of the Amazon SES account for the current Region.,TA0007 - Discovery,T1087 - Account Discovery,False,[],"[{""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-account-sending-enabled""}]",https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled -ListIdentities,ses.amazonaws.com,SES,"Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": 
""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses list-identities --identity-type \""EmailAddress\""""}]",https://aws.permissions.cloud/iam/ses#ses-ListIdentities -GetSendQuota,ses.amazonaws.com,SES,Provides the sending limits for the Amazon SES account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-send-quota""}]",https://aws.permissions.cloud/iam/ses#ses-GetSendQuota -VerifyEmailIdentity,ses.amazonaws.com,SES,Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Compromised Cloud Compute Credentials: 
Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses verify-email-identity --email-address TrailDiscoverEmail""}]",https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity -GetAccount,ses.amazonaws.com,SES,Lists the applied quota values for the specified AWS service.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetAccount to gather sensitive information about the AWS SES account for malicious purposes.,[],"[{""type"": ""commandLine"", ""value"": ""aws sesv2 get-account""}]",https://aws.permissions.cloud/iam/ses#ses-GetAccount -DeleteIdentity,ses.amazonaws.com,SES,Deletes the specified identity (an email address or a domain) from the list of verified identities.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DeleteIdentity to disrupt 
email sending capabilities or delete an identity previously used attackers.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ses delete-identity --identity TrailDiscoverIdentity""}]",https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity -UpdateIPSet,guardduty.amazonaws.com,GuardDuty,Updates the IPSet specified by the IPSet ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use UpdateIPSet to modify the IP address filters, potentially allowing malicious traffic to bypass detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateIPSet -DeleteInvitations,guardduty.amazonaws.com,GuardDuty,Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]",[],"Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-invitations --account-ids 111222333444""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations -UpdateDetector,guardduty.amazonaws.com,GuardDuty,Updates the GuardDuty detector specified by the detectorId.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty 
Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector -GetFindings,guardduty.amazonaws.com,GuardDuty,Returns a list of findings that match the specified criteria.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings -ListFindings,guardduty.amazonaws.com,GuardDuty,Lists GuardDuty findings for the specified detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-findings --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings -ListDetectors,guardduty.amazonaws.com,GuardDuty,Lists detectorIds of all the existing Amazon GuardDuty detector resources.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": 
""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-detectors""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors -DeleteDetector,guardduty.amazonaws.com,GuardDuty,Deletes an Amazon GuardDuty detector that is specified by the detector ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS GuardDuty detector deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/""}, {""description"": ""AWS GuardDuty Evasion"", ""link"": ""https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector 
-GetDetector,guardduty.amazonaws.com,GuardDuty,Retrieves an Amazon GuardDuty detector specified by the detectorId.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector -DeletePublishingDestination,guardduty.amazonaws.com,GuardDuty,Deletes the publishing definition with the specified destinationId.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination -ListIPSets,guardduty.amazonaws.com,GuardDuty,Lists the IPSets of the GuardDuty service specified by the detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListIPSets to identify what IPs won't generate an alert.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets -DisassociateMembers,guardduty.amazonaws.com,GuardDuty,Disassociates GuardDuty 
member accounts (from the current administrator account) specified by the account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers -DisassociateFromMasterAccount,guardduty.amazonaws.com,GuardDuty,Disassociates the current GuardDuty member account from its administrator account.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty disassociate-from-master-account --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount -StopMonitoringMembers,guardduty.amazonaws.com,GuardDuty,Stops GuardDuty monitoring for the specified member accounts.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use StopMonitoringMembers to halt the surveillance of specific 
AWS accounts, reducing security visibility.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers -CreateIPSet,guardduty.amazonaws.com,GuardDuty,"Creates a new IPSet, which is called a trusted IP list in the console user interface.",TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet -CreateFilter,guardduty.amazonaws.com,GuardDuty,Creates a filter using the specified finding criteria.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\""Criterion\"": {\""service.action.actionType\"": {\""Eq\"": [\""TrailDiscover\""]}}}' --action NOOP""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter -DeleteMembers,guardduty.amazonaws.com,GuardDuty,Deletes 
GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers -RegisterTaskDefinition,ecs.amazonaws.com,ECS,Registers a new task definition from the supplied family and containerDefinitions.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\""name\"":\""bench-container\"", \""cpu\"":2048, \""memory\"":4092 }]'""}]",https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition -CreateService,ecs.amazonaws.com,ECS,Runs and maintains your desired number of tasks from a specified task definition.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": 
""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],"Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateService -CreateCluster,ecs.amazonaws.com,ECS,Creates a new Amazon ECS cluster.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs create-cluster --cluster-name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster -DeleteConfigurationRecorder,config.amazonaws.com,Config,Deletes the configuration recorder.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}]",Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.,[],"[{""type"": 
""commandLine"", ""value"": ""aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder -DeleteDeliveryChannel,config.amazonaws.com,Config,Deletes the delivery channel.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}, {""description"": ""AWS Config modified"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]",Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel""}]",https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel -StopConfigurationRecorder,config.amazonaws.com,Config,Stops recording configurations of the AWS resources you have selected to record in your AWS account.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Configuration Recorder Stopped"", ""link"": ""https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped""}, {""description"": ""AWS Config modified"", ""link"": 
""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder -DeleteConfigRule,config.amazonaws.com,Config,Deletes the specified AWS Config rule and all of its evaluation results.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}]","Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.",[],"[{""type"": ""commandLine"", ""value"": ""aws configservice delete-config-rule --config-rule-name TrailDiscoverConfigRule""}]",https://aws.permissions.cloud/iam/config#config-DeleteConfigRule -ListServiceQuotas,servicequotas.amazonaws.com,ServiceQuotas,Lists the applied quota values for the specified AWS service.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""SES-PIONAGE"", ""link"": 
""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.,[],"[{""type"": ""commandLine"", ""value"": ""aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode""}]",https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas -RequestServiceQuotaIncrease,servicequotas.amazonaws.com,ServiceQuotas,Submits a quota increase request for the specified quota at the account or resource level.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}]",[],Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.,[],"[{""type"": ""commandLine"", ""value"": ""aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2""}]",https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease -DeleteRuleGroup,wafv2.amazonaws.com,WAFV2,Deletes the specified RuleGroup.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS WAF Rule or Rule Group Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html""}, {""description"": ""AWS Incident Response"", ""link"": 
""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteRuleGroup to disable security rules, making the system vulnerable to cyber attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 delete-rule-group --name TestRuleGroup --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteRuleGroup -UpdateIPSet,wafv2.amazonaws.com,WAFV2,Updates the specified IPSet.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use UpdateIPSet to modify IP address rules, potentially allowing unauthorized access from IPs they control.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-UpdateIPSet -DeleteWebACL,wafv2.amazonaws.com,WAFV2,Deletes the specified WebACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL +eventName,eventSource,awsService,description,mitreAttackTactics,mitreAttackTechniques,mitreAttackSubTechniques,usedInWild,incidents,researchLinks,securityImplications,alerting,simulation,permissions,unverifiedMitreAttackTechniques +GetCertificate,acm-pca.amazonaws.com,ACMPCA,Retrieves a certificate 
from your private CA or one that has been shared with you.,TA0007 - Discovery,T1040- Network Sniffing,,False,[],"[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.,[],"[{""type"": ""commandLine"", ""value"": ""aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc""}]",https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate,"[{""technique"": ""T1119 - Automated Collection"", ""reason"": ""An attacker could write a script that continiously calls GetCertificate to get all certificates""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Using GetCertificate, adversaries can discover details about the cloud infrastructure, including how certificates are managed and issued within the environment.""}, {""technique"": ""TT1589 - Gather Victim Identity Information"", ""reason"": ""Often times victim information is present in the certificate, f.e. email adresses.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""Often times certificates are issued for single cloud services. ""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""One could label the ACMPCA as a cloud storage, because the certificates are stored in there.""}, {""technique"": ""T1021.007 - Remote Services: Cloud Services"", ""reason"": ""The GetCertificate API call retrieves certificates from a private CA or one that has been shared, which can then be used to authenticate access to various cloud services. 
Adversaries can use these certificates to authenticate themselves to cloud services remotely, leveraging the trust established by the certificate. This enables the adversary to move laterally within the cloud environment, access additional resources, or establish persistence by maintaining authenticated sessions with the compromised certificates""}, {""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""Certificates can be exploited to gain credential access, especially if they include sensitive authentication details""}, {""technique"": ""T1557 - Adversary-in-the-Middle"", ""reason"": ""Certificates retrieved can be used in Man-in-the-Middle (MitM) attacks to intercept and decrypt secure communications.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""Certificates are often used as an authetication material, especially in enterprise environments and can be therefore used to move laterally.""}]" +IssueCertificate,acm-pca.amazonaws.com,ACMPCA,"Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.",TA0007 - Discovery,T1040- Network Sniffing,,False,[],"[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate,"[{""technique"": ""T1078- Valid Accounts"", ""reason"": ""Issuing a certificate can create a valid cloud account credential. This certificate could be used to authenticate against various services. Issued certificates could be used to create or access local accounts within the cloud infrastructure. 
""}, {""technique"": ""T1212- Exploitation for Credential Access"", ""reason"": ""Certificates can be exploited to gain credential access, especially if they include sensitive authentication details or are from a trustd CA.""}, {""technique"": ""T1136- Create Account"", ""reason"": ""An adversary might use a certificate to create new cloud accounts or gain access to existing ones under the guise of legitimate credentials.""}, {""technique"": ""T1588- Obtain Capabilities"", ""reason"": ""By using this API call an adversary has successfully gained the capability to create digital certificates.""}, {""technique"": ""T1550- Use Alternate Authentication Material"", ""reason"": ""Issued certificates can be used as alternative authentication material in place of traditional credentials like web cookies, aiding in Credential Access and Defense Evasion.""}, {""technique"": ""T1586.003- Compromise Accounts"", ""reason"": ""By issuing certificates through the IssueCertificate API call, adversaries can compromise cloud accounts by creating legitimate credentials for accessing cloud services. These certificates can be used to authenticate and gain control over cloud accounts, facilitating Initial Access and Persistence. 
The adversary can then maintain access by leveraging these certificates, bypassing traditional authentication mechanisms and evading detection.""}, {""technique"": ""T1027- Obfuscated Files or Information"", ""reason"": ""Certificates issued via this API call can be used to obfuscate the true nature of communication and data, aiding in Defense Evasion.""}, {""technique"": ""T1553- Subvert Trust Controls"", ""reason"": ""By issuing a certificate, an adversary can sign malicious binaries, making them appear legitimate and trusted, aiding in Defense Evasion.""}, {""technique"": ""T1071.001- Application Layer Protocol - Web Protocols"", ""reason"": ""Issued certificates can be used to secure communication over web protocols, potentially aiding in Defense Evasion and Credential Access by making malicious traffic appear legitimate.""}]" +CreateApiKey,appsync.amazonaws.com,AppSync,Creates a unique key that you can distribute to clients who invoke your API.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use CreateApiKey to add a key they control for authentication. 
Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync create-api-key --api-id TrailDiscoverApiId""}]",https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""API keys are a form of credentials that attackers can use to gain and maintain access to cloud services.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations.""}, {""technique"": ""T1550.001 - Use Alternate Authentication Material: Application Access Token"", ""reason"": ""API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Attackers can use API keys to route their malicious traffic through a AppSync, which acts here as a proxy, hiding their true origin and bypassing security measures.""}]" +GetIntrospectionSchema,appsync.amazonaws.com,AppSync,Retrieves the introspection schema for a GraphQL API.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync get-introspection-schema --api-id TrailDiscover --format json 
output""}]",https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The GetIntrospectionSchema API call can be used to gather detailed information about the structure of an AWS AppSync GraphQL schema. This can help in identifying user roles, permissions, and accounts associated with the schema in this AWS account.""}, {""technique"": ""T1590: Gather Victim Network Information"", ""reason"": ""Through the introspection schema, an attacker can identify dependencies and integrations with other network services or external APIs, revealing trust relationships and potential attack vectors. By retrieving the introspection schema, an attacker can map out the network structure as exposed by the GraphQL API, including services, endpoints, and connections within the AWS environment.""}]" +UpdateGraphqlApi,appsync.amazonaws.com,AppSync,Updates a GraphqlApi object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateGraphqlApi to add additional authentications options. 
Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi,"[{""technique"": ""T1136 - Create Account"", ""reason"": ""An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges.""}, {""technique"": ""T1212 - Exploitation for Credential Dumping"", ""reason"": ""Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""The API call might be used to modify or obfuscate logs and configurations to avoid detection.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By updating the API, attackers might ensure they can access privileged accounts for persistent access.""}]" +UpdateResolver,appsync.amazonaws.com,AppSync,Updates a Resolver object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",,False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateResolver to execute custom code that could allow 
potential access to data and bypass protections.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template TrailDiscoverResponseMappingTemplate""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver,"[{""technique"": ""T1136 - Create Account"", ""reason"": ""Using the UpdateResolver API, an adversary can manipulate the AppSync resolver to create new user accounts with specific roles or permissions, enabling persistent access to the AWS environment.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By updating the resolver, adversaries can utilize valid credentials to access AppSync and maintain persistence.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Adversaries can update resolvers to manipulate logs or delete records, evading detection by altering or concealing their tracks.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries can use the UpdateResolver API to revoke access for legitimate users, thereby preventing them from detecting the adversarial activities.""}, {""technique"": ""T1003 - Credential Dumping"", ""reason"": ""By updating the resolver to capture sensitive data passed through AppSync, adversaries could dump credentials for further exploitation.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Modifying the resolver might allow adversaries to covertly communicate using AppSync's standard protocols, blending in with normal traffic and evading network defenses.""}, {""technique"": ""T1562.001 - Impair Defenses: Disable or Modify Tools"", ""reason"": ""An adversary might update the resolver to disable security tools or modify their behavior, thereby evading detection and maintaining access.""}, 
{""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""By updating resolvers, adversaries can obfuscate the information passed through AppSync, making it difficult to detect malicious activities within the data flow.""}]" +GetQueryResults,athena.amazonaws.com,Athena,Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/athena#athena-GetQueryResults,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""GetQueryResults can be used to gather information about the Athena environment, such as the metadata of the queries and databases. This can reveal insights about the system configuration and the types of data stored.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""Athena queries can access and retrieve data from various repositories like S3. GetQueryResults is used to obtain this data, making it a critical step in extracting information from these repositories.""}, {""technique"": ""T1039 - Data from Network Shared Drive"", ""reason"": "" If Athena queries target data stored in network shared drives (like those mounted on EC2 instances and accessible via S3), the GetQueryResults API will be used to collect this data.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Attackers may stage data in a specific location after retrieving it with GetQueryResults before exfiltration. 
This staging is a preparatory step for further data handling or analysis.""}]" +CreateFoundationModelAgreement,bedrock.amazonaws.com,Bedrock,Grants permission to create a new foundation model agreement.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. 
Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges.""}]" +GetFoundationModelAvailability,bedrock.amazonaws.com,Bedrock,Grants permission to get the availability of a foundation model.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetFoundationModelAvailability to enumerate accessible models,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information.""}]" +GetModelInvocationLoggingConfiguration,bedrock.amazonaws.com,Bedrock,Get the current configuration values for model invocation logging.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}]",[],Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.,[],"[{""type"": ""commandLine"", ""value"": 
""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms.""}, {""technique"": ""T1518.001 - Software Discovery"", ""reason"": ""Understanding how model invocation is logged can reveal what security software is in use.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Knowing the logging configuration can help attackers understand how to disable or evade defensive logging.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Attackers might tailor their command and control communication methods based on the logging configurations discovered.""}, {""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. 
If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs.""}]" +GetUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to retrieve a use case for model access.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetUseCaseForModelAccess to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess,"[{""technique"": ""T1078 - Valid Accounts: Cloud Accounts"", ""reason"": ""If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information about model access use cases, which may aid further malicious activity.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment.""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""If the GetUseCaseForModelAccess API provides links or references to data stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""An attacker could script the API call to 
automatically extract and exfiltrate information about model use cases over time.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use.""}]" +InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel,"[{""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. 
For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers.""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API.""}]" +InvokeModelWithResponseStream,bedrock.amazonaws.com,Bedrock,Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Attackers could potentially exploit the model invocation process to execute arbitrary commands or scripts, depending on how the input data to 
the model is handled and interpreted.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The streaming response can be used to automatically exfiltrate data as it is processed by the model.""}, {""technique"": ""T1041 - Exfiltration Over C2 Channel"", ""reason"": ""The streaming response feature can be exploited to send sensitive data back to an attacker over an established C2 channel.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""If the Bedrock model has access to and processes local system data, attackers could leverage the API call to collect sensitive information. This scenario assumes that the model's processing involves data that might include confidential or proprietary information.""}, {""technique"": ""T1071.004 - Application Layer Protocol: DNS"", ""reason"": ""DNS can be used for exfiltration or command and control if the model's streaming response can be encoded into DNS queries/responses.""}]" +ListFoundationModelAgreementOffers,bedrock.amazonaws.com,Bedrock,Grants permission to get a list of foundation model agreement offers.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers,"[{""technique"": ""T1591.002 - Gather Victim Org Information: Business Relationships"", ""reason"": ""The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details.""}, {""technique"": ""T1591 - Gather Victim Org Information"", ""reason"": ""This API call might yield information about the internal 
structure of the organization, such as departments or teams involved with foundation models, contributing to a broader understanding of the target's organizational setup.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery.""}]" +ListFoundationModels,bedrock.amazonaws.com,Bedrock,Grants permission to list Bedrock foundation models that you can use.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModels to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Listing foundation models can help an adversary understand what cloud resources are available and their configurations""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing foundation models helps in gathering detailed system information.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""Adversaries may list foundation models to understand the trust relationships and dependencies between 
different cloud resources.""}]" +ListProvisionedModelThroughputs,bedrock.amazonaws.com,Bedrock,Grants permission to list provisioned model throughputs that you created earlier.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs,"[{""technique"": ""T1087.004 - Cloud Account"", ""reason"": ""The ListProvisionedModelThroughputs API call can help an attacker identify active cloud accounts and associated resources by listing the provisioned models, providing insight into the resources allocated in the cloud environment.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""This API call can be used to gather information about the configuration and state of the provisioned model throughputs, which contributes to understanding the system's current setup and operational status.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""By listing provisioned model throughputs, an attacker can potentially identify models and associated data stored in cloud storage, enabling them to target specific data repositories.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Legitimate cloud accounts with access to this API call can be used to gather information on provisioned models. 
If an attacker gains control of such an account, they can enumerate resources to assess what data and services are available within the cloud environment.""}]" +PutFoundationModelEntitlement,bedrock.amazonaws.com,Bedrock,Grants permission to put entitlement to access a foundation model.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": """"}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Authorized accounts might be modified or managed to maintain persistent access to foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. Access might be granted to default accounts, which could be exploited if not properly managed. 
Local accounts could be granted access, potentially leading to unauthorized activities within the environment.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion.""}]" +PutUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to put a use case for model access.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or maintaining access.""}]" +CreateStack,cloudformation.amazonaws.com,CloudFormation,Creates a stack as specified in the template.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use CreateStack to provision unauthorized resources,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack,"[{""technique"": ""T1136 - Create Account"", ""reason"": ""The CreateStack API call can be used to set up new accounts within the cloud environment as part of deploying a CloudFormation stack, which aids in gaining and maintaining access.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""The creation of new stacks can be used to modify or add cloud compute infrastructure, which can be part of defense evasion by creating resources that blend into the existing environment.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Creating new stacks could involve setting up new accounts or roles that can be used later, contributing to persistence within the environment.""}]" +CreateFunction,cloudfront.amazonaws.com,CloudFront,Creates a CloudFront function.,TA0009 - Collection,T1119 - Automated Collection,,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""CloudFront functions are written in JavaScript, enabling the execution of 
scripts.""}, {""technique"": ""T1546 - Event Triggered Execution"", ""reason"": ""A CloudFront function can be set to trigger on specific events, establishing persistence.""}, {""technique"": ""T1562.001 - Impair Defenses"", ""reason"": ""CloudFront functions can modify requests and responses, which can be used to evade detection tools.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""The JavaScript code within CloudFront functions can be obfuscated to hide malicious intent.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""CloudFront functions can communicate using web protocols, facilitating command and control.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Functions can be used to remove or alter log files, helping in defense evasion.""}, {""technique"": ""T1574 - Hijack Execution Flow"", ""reason"": ""CloudFront functions manipulate the flow of requests, which can be seen as hijacking the execution flow within the cloud infrastructure.""}, {""technique"": ""T1008 - Fallback Channels"", ""reason"": ""CloudFront functions can be designed to use fallback channels for command and control if the primary method is disrupted.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Improperly configured or malicious CloudFront functions can cause application exhaustion, leading to denial-of-service attacks.""}]" +PublishFunction,cloudfront.amazonaws.com,CloudFront,Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.,TA0009 - Collection,T1119 - Automated Collection,,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.,[],"[{""type"": 
""commandLine"", ""value"": ""aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction,"[{""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""A published CloudFront function could aggregate and compress data, preparing it for exfiltration.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""A function can be programmed to clean up or remove indicators of compromise, aiding in evasion of detection""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Malicious functions can be disguised as legitimate CloudFront functions, hiding malicious activities within seemingly normal operations.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""A CloudFront function could redirect traffic through CloudFront, acting as a proxy and obscuring the origin of command and control traffic.""}, {""technique"": ""T1102 - Web Service"", ""reason"": ""Leveraging CloudFront functions to interact with web services, enabling command and control via HTTP or HTTPS, blending with regular web traffic""}, {""technique"": ""T1204 - User Execution"", ""reason"": ""If the published function requires user interaction or specific conditions to trigger, it aligns with techniques requiring user execution.""}, {""technique"": ""T1048 - Exfiltration Over Alternative Protocol"", ""reason"": ""A CloudFront function could use alternative protocols for data exfiltration, bypassing standard monitoring tools.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The function may use application layer protocols (HTTP/S) for communication, facilitating command and control or data exfiltration.""}, {""technique"": ""T1574 - Hijack Execution Flow"", ""reason"": ""The PublishFunction API can be used to modify how CloudFront handles requests, potentially hijacking the execution flow to achieve malicious objectives""}]" 
+UpdateDistribution,cloudfront.amazonaws.com,CloudFront,Updates the configuration for a CloudFront distribution.,TA0009 - Collection,T1119 - Automated Collection,,False,[],"[{""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]",Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\""CallerReference\"":\""\"", \""Origins\"":{\""Quantity\"":1,\""Items\"":[{\""Id\"":\""\"", \""DomainName\"":\""\""}]}, \""DefaultCacheBehavior\"":{\""TargetOriginId\"":\""\"", \""ViewerProtocolPolicy\"":\""\""}, \""Comment\"":\""\"", \""Enabled\"":false }'""}]",https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""An attacker could modify CloudFront distribution settings to remove or alter logging configurations, thus deleting or hiding evidence of malicious activities.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""By updating CloudFront distribution, an attacker can route traffic through CloudFront, effectively hiding the origin of malicious traffic and obfuscating command and control communications.""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""An attacker might reconfigure CloudFront to redirect sensitive data to an external endpoint under their control, facilitating data exfiltration over a web service.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying CloudFront distribution settings can be used to impair security monitoring and defense mechanisms by disabling or altering configurations that are critical for security monitoring.""}, {""technique"": ""T1560 - Archive Collected 
Data"", ""reason"": ""An attacker might modify the CloudFront distribution to use cloud storage as a method to archive and exfiltrate collected data.""}, {""technique"": ""T1497 - Virtualization/Sandbox Evasion"", ""reason"": ""CloudFront configurations can be updated to delay or slow responses, making detection and analysis more difficult, effectively evading automated analysis systems.""}, {""technique"": ""T1568 - Dynamic Resolution"", ""reason"": ""By updating CloudFront distributions, an attacker can implement domain generation algorithms to dynamically change domain names for command and control, evading detection.""}, {""technique"": ""T1095 - Non-Application Layer Protocol"", ""reason"": ""By configuring CloudFront to use non-standard protocols for data transmission, an attacker can exfiltrate data or communicate with compromised assets using non-application layer protocols.""}, {""technique"": ""T1071.001 - Application Layer Protocol: Web Protocols"", ""reason"": ""loudFront can be configured to use common web protocols (HTTP/HTTPS) for malicious command and control communications, blending in with normal traffic and avoiding detection.""}, {""technique"": ""T1565.002 - Data Manipulation: Transmitted Data Manipulation"", ""reason"": ""Attackers can update CloudFront distribution settings to manipulate data as it transits through CloudFront, altering its content for malicious purposes or exfiltrating manipulated data.""}]" +DeleteTrail,cloudtrail.amazonaws.com,CloudTrail,Deletes a trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,"T1562.001 - Impair Defenses: Disable or Modify Tools, T1562.008 - Impair Defenses: Disable or Modify Cloud Logs",True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion Delete Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use DeleteTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail delete-trail --name TrailDiscoverTrailName""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting a CloudTrail trail can be seen as an attempt to remove logs that could be used to detect malicious activity, thereby evading detection.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting the CloudTrail trail results in the destruction of important log data, which can impact the ability to investigate and respond to incidents.""}]" +LookupEvents,cloudtrail.amazonaws.com,CloudTrail,Looks up management events or CloudTrail Insights events that are captured by CloudTrail.,TA0007 - Discovery,T1654 - Log Enumeration,,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", 
""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The LookupEvents API call can be used to identify information about AWS cloud accounts, potentially revealing new or unused accounts that can be targeted.""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""By looking up events, attackers can identify access patterns or sensitive data locations within cloud storage, facilitating data collection or exfiltration.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": "" If attackers are trying to access accounts, LookupEvents can help them discover which accounts are being used, aiding in the identification of valid credentials. 
By using LookupEvents, attackers can gain insights into which accounts have been accessed, helping them target specific accounts for compromise.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Discovering user activities and patterns can help attackers understand who owns or uses specific systems, making it easier to target high-value accounts.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""LookupEvents can reveal information about the cloud infrastructure, including services and resources used within the environment.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": "" By understanding event patterns and data flows, attackers can automate the exfiltration of data from the cloud environment.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Attackers can use LookupEvents to see which processes or applications are being invoked, gaining insight into the operational environment.""}]" +PutEventSelectors,cloudtrail.amazonaws.com,CloudTrail,Configures an event selector or advanced event selectors for your trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001: Impair Defenses: Disable or Modify Tools,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""cloudtrail_guardduty_bypass"", ""link"": ""https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use PutEventSelectors to disrupting AWS logging.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail put-event-selectors --trail-name 
TrailDiscover --event-selectors '[{\""ReadWriteType\"": \""All\"", \""IncludeManagementEvents\"":true, \""DataResources\"": [{\""Type\"": \""AWS::S3::Object\"", \""Values\"": [\""arn:aws:s3\""]}] }]'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By configuring event selectors, adversaries can exclude certain activities from being logged, effectively removing traces of their presence and actions, which hinders detection and forensic analysis.""}]" +StopLogging,cloudtrail.amazonaws.com,CloudTrail,Suspends the recording of AWS API calls and log file delivery for the specified trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,"T1562.001 - Impair Defenses: Disable or Modify Tools, T1562.008 - Impair Defenses: Disable or Modify Cloud Logs",False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Stopping a CloudTrail trail"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/""}, {""description"": ""AWS Defense Evasion Stop Logging Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/""}, {""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": 
""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use StopLogging to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail stop-logging --name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By stopping the logging, the adversary prevents the creation of future log entries, effectively removing indicators that would otherwise be generated, thus evading detection and hindering incident response efforts.""}]" +UpdateTrail,cloudtrail.amazonaws.com,CloudTrail,"Updates trail settings that control what events you are logging, and how to handle log files.",TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use UpdateTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Modifying CloudTrail settings can involve stopping log generation or deleting logs, removing evidence of activities.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Changing CloudTrail settings might require manipulating account permissions or configurations to control logging.""}, {""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Updating trail settings could facilitate the transfer of logs or sensitive data to an attacker-controlled cloud account for exfiltration.""}]" +PutLogEvents,logs.amazonaws.com,CloudWatchLogs,Uploads a batch of log events to the specified log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'""}]",https://aws.permissions.cloud/iam/logs#logs-PutLogEvents,"[{""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""The attacker leverages CloudWatchLogs as an AWS web service to exfiltrate data, making it blend in with legitimate service use.""}, 
{""technique"": ""T1102 - Web Service"", ""reason"": ""The attacker uses PutLogEvents to upload sensitive data to CloudWatchLogs, which can then be accessed remotely as part of their command and control strategy.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""The attacker stages collected data on the local system and then uses PutLogEvents to upload it to CloudWatchLogs for further use or exfiltration.""}]" +CreateLogStream,logs.amazonaws.com,CloudWatchLogs,Creates a log stream for the specified log group.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 Impair Defenses: Disable or Modify Tools,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601""}]",https://aws.permissions.cloud/iam/logs#logs-CreateLogStream,"[{""technique"": ""T1036 - Masquerading"", ""reason"": ""Creating log streams with names that mimic legitimate applications or services helps attackers blend in with normal operations and evade detection.""}, {""technique"": ""T1119 - Automated Collection"", ""reason"": ""Log streams can be used to automate the collection of log data from various sources within the cloud environment, aiding attackers in data aggregation.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Using log streams to stage data before it is exfiltrated, organizing it for easy access and transfer.""}]" +DeleteAlarms,monitoring.amazonaws.com,CloudWatch,Deletes the specified alarms. 
You can delete up to 100 alarms in one operation.,TA0005 - Defense Evasion,T1562 - Impair Defenses,"T1562.001 - Impair Defenses: Disable or Modify Tools, T1562.006 - Impair Defenses: Indicator Blocking",False,[],"[{""description"": ""AWS CloudWatch Alarm Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",[],"[{""type"": ""commandLine"", ""value"": ""aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm""}]",https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting alarms can be part of a broader strategy to destroy or disrupt data by removing key monitoring and alert mechanisms.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""By deleting alarms, an attacker can effectively stop the alerting service from functioning as expected, similar to stopping a service""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting alarms can be seen as removing indicators of potential issues or past activities, which is a broader form of indicator removal than just file deletion.""}]" +DeleteLogGroup,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log group and permanently deletes all the archived log events associated with the log group.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Penetration testing of aws-based environments"", ""link"": ""https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & 
AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogGroup to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-group --log-group-name TrailDiscoverLogGroup""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogGroup,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting log groups removes evidence of activities from log files, thus covering tracks and aiding in evading detection.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting log groups leads to the permanent removal of critical log data, effectively erasing records that could be used for forensic analysis or troubleshooting. This action disrupts the availability of essential logs, potentially causing significant operational impact and hindering incident response efforts.""}, {""technique"": ""T1565.001 - Data Manipulation: Stored Data Manipulation"", ""reason"": ""The deletion of log groups can be considered a form of data manipulation, as it involves removing stored data, impacting its integrity and availability.""}]" +DeleteLogStream,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogStream to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-stream --log-group-name TrailDiscoverLogGroupName --log-stream-name 
TrailDiscoverLogStreamName""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting log streams removes critical log data, effectively erasing evidence of activities that could be used to detect or investigate malicious behavior. This action makes it difficult for defenders to trace the attacker's steps or identify potential indicators of compromise.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""The permanent deletion of archived log events constitutes data destruction, impacting the organization\u00e2\u20ac\u2122s ability to conduct forensic analysis and understand the scope of an attack.""}]" +DescribeLogGroups,logs.amazonaws.com,CloudWatchLogs,Lists the specified log groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeLogGroups to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-log-groups --log-group-name-prefix TrailDiscover""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups,"[{""technique"": ""T1007 - System Service Discovery"", ""reason"": ""Listing log groups can provide insights into the services and activities running within the AWS environment, aiding in identifying active services and their configurations.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Describing log groups can reveal information about the systems and their operations, helping in mapping out remote systems within the cloud infrastructure.""}, {""technique"": ""T1046 - Network Service Discovery"", ""reason"": ""By examining log groups, attackers can understand the network services being utilized and their respective configurations, which is 
crucial for further discovery and potential exploitation.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Log groups often include data about different user activities and roles, which can be used to discover account details and permissions within the cloud environment.""}]" +DescribeLogStreams,logs.amazonaws.com,CloudWatchLogs,Lists the log streams for the specified log group.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeLogStreams to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Listing log streams can help identify different cloud accounts or services that are being logged.""}, {""technique"": ""T1119 - Automated Collection"", ""reason"": ""Automating the listing of log streams is a part of setting up a system for automated data collection.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Log streams may include process logs that reveal information about running processes in the environment.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Log streams can help in identifying which users or systems are generating logs, aiding in system owner/user discovery.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""By listing log streams, one can determine the existence of remote systems being logged.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Logs may contain information about system configurations, operating systems, and other details relevant for system information 
discovery.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Identifying log streams can help in discovering the usage of valid accounts, potentially indicating compromised or misused accounts.""}]" +DescribeSubscriptionFilters,logs.amazonaws.com,CloudWatchLogs,Lists the subscription filters for the specified log group.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Attackers might use DescribeSubscriptionFilters to identify log groups and their associated subscription filters, which can provide insight into monitoring and logging configurations specific to cloud infrastructure. This information helps attackers understand the cloud environment and its accounts.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""By listing subscription filters, attackers can determine what types of network services and activities are being monitored. This can help them identify potential targets or services that are not being adequately monitored.""}, {""technique"": ""T1007 - System Service Discovery"", ""reason"": ""DescribeSubscriptionFilters can reveal details about the log group's configuration, helping attackers discover how system services are being logged and monitored. 
This can aid in understanding the security posture and identifying potential weaknesses.""}]" +GetLogRecord,logs.amazonaws.com,CloudWatchLogs,Retrieves all of the fields and values of a single log event.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/logs#logs-GetLogRecord,"[{""technique"": ""T1087.004 - Account Discovery: Cloud Account"", ""reason"": ""Retrieving log records can help identify details about cloud accounts in use, such as who accessed certain services and when.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Logs may contain information about processes running in the cloud environment, which can help in identifying active processes and their behavior.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Log records can reveal information about system owners or users who are interacting with the cloud environment, such as user activity logs and access patterns.""}]" +PutLogEvents,logs.amazonaws.com,CloudWatchLogs,Uploads a batch of log events to the specified log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs put-log-events 
--log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'""}]",https://aws.permissions.cloud/iam/logs#logs-PutLogEvents,"[{""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Attackers may obfuscate the content of logs or include obfuscated commands in logs to avoid detection and analysis.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Logs might be staged in a certain format before being uploaded, allowing attackers to organize and structure the data for further analysis or exfiltration.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The use of AWS APIs like PutLogEvents to communicate can serve as a method to transfer data stealthily.""}, {""technique"": ""T1119 - Automated Collection"", ""reason"": ""Automated tools or scripts could be used to collect and upload log data regularly to CloudWatchLogs for monitoring or further use.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""Logs from various information repositories might be collected and uploaded to CloudWatchLogs to facilitate data aggregation and analysis.""}, {""technique"": ""T1029 - Scheduled Transfer"", ""reason"": ""Log uploads could be scheduled at specific intervals to CloudWatchLogs to ensure consistent data transfer.""}, {""technique"": ""T1036.004 - Masquerading"", ""reason"": ""An attacker might disguise malicious activities or uploads as legitimate CloudWatch log entries to evade detection.""}]" +GetCredentialsForIdentity,cognito-identity.amazonaws.com,CognitoIdentity,Returns credentials for the provided identity ID. 
Any provided logins will be validated against supported login providers.,TA0004 - Privilege Escalation,T1078 - Valid Accounts,"T1078.004: Valid Accounts: Cloud Accounts, T1078.001: Valid Accounts: Default Accounts, T1078.003: Valid Accounts: Local Accounts, T1078.002: Valid Accounts: Domain Accounts",False,[],"[{""description"": ""Overpermissioned AWS Cognito Identity Pools"", ""link"": ""https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation""}]","Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity,"[{""technique"": ""T1550.004: Use Alternate Authentication Material: Web Session Cookie"", ""reason"": ""Attackers may use credentials obtained from this API to generate session tokens or cookies for web sessions.""}, {""technique"": ""T1212: Exploitation for Credential Access"", ""reason"": ""Exploiting the GetCredentialsForIdentity API call can be a direct method to gain credentials.""}, {""technique"": ""T1528: Steal Application Access Token"", ""reason"": ""The credentials obtained from the API call could include tokens that grant access to applications, allowing attackers to impersonate legitimate users or services.""}, {""technique"": ""T1098: Account Manipulation"", ""reason"": ""With the credentials returned by this API call, attackers might manipulate account settings or permissions to maintain access or escalate privileges.""}]" +GetId,cognito-identity.amazonaws.com,CognitoIdentity,Generates (or retrieves) IdentityID. 
Supplying multiple logins will create an implicit linked account.,TA0004 - Privilege Escalation,T1078 - Valid Accounts,"T1078.004 - Valid Accounts: Cloud Accounts, T1078.002 - Valid Accounts: Domain Accounts, T1078.001 - Valid Accounts: Default Accounts",False,[],"[{""description"": ""Overpermissioned AWS Cognito Identity Pools"", ""link"": ""https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation""}]",Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId,"[{""technique"": ""T1110 - Brute Force"", ""reason"": ""Attackers might attempt to generate or retrieve multiple IdentityIDs through brute force, seeking unauthorized access.""}, {""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""The Logins parameter allows attackers to gather or brute-force information tied to identity providers (e.g., linked Google or Facebook accounts), which might reveal valuable identity information.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By retrieving an IdentityId, attackers could discover cloud accounts linked to multiple identity providers, which might give them further access or knowledge about an organization's cloud infrastructure.""}]" +DeleteConfigRule,config.amazonaws.com,Config,Deletes the specified AWS Config rule and all of its evaluation results.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}]","Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.",[],"[{""type"": ""commandLine"", ""value"": ""aws configservice delete-config-rule 
--config-rule-name TrailDiscoverConfigRule""}]",https://aws.permissions.cloud/iam/config#config-DeleteConfigRule,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""By deleting configuration rules and their results, an attacker could be aiming to destroy security data that would alert defenders to their activities.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""While not directly causing a denial of service, deleting config rules could indirectly contribute by removing mechanisms that ensure the stability and compliance of services.""}]" +DeleteConfigurationRecorder,config.amazonaws.com,Config,Deletes the configuration recorder.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""AWS Config Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}]",Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.,[],"[{""type"": ""commandLine"", ""value"": ""aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting the configuration recorder aligns with the broader goal of eliminating records that could be used for forensic purposes, removing indicators of compromise.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Disabling the configuration recorder could be part of manipulating accounts or roles to evade detection and maintain control over the environment.""}]" +DeleteDeliveryChannel,config.amazonaws.com,Config,Deletes the delivery channel.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""AWS Config 
Resource Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion""}, {""description"": ""AWS Config modified"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]",Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel""}]",https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By deleting the delivery channel, logs that might contain evidence of malicious activities are removed.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting the delivery channel could be part of a broader tactic to destroy data, including configuration logs that are crucial for incident response and auditing.""}]" +StopConfigurationRecorder,config.amazonaws.com,Config,Stops recording configurations of the AWS resources you have selected to record in your AWS account.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""AWS Configuration Recorder Stopped"", ""link"": 
""https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped""}, {""description"": ""AWS Config modified"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder""}]",https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""By stopping the configuration recorder, an attacker can effectively disrupt the ability to track and monitor changes, which can be a precursor to or part of a broader data destruction strategy.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Stopping a critical service like the configuration recorder can be part of a larger strategy to disrupt services, resulting in a loss of visibility and monitoring, hence impacting the organization.""}]" +GetCostAndUsage,ce.amazonaws.com,CostExplorer,Retrieves cost and usage metrics for your account.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": 
""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.,[],"[{""type"": ""commandLine"", ""value"": ""aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment""}]",https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The attacker calls the GetCostAndUsage API to gather detailed usage information about the AWS resources being utilized. By analyzing the cost and usage data, the attacker can infer details about the types of services, their usage patterns, and potentially the structure of the environment.""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""By reviewing the cost and usage metrics, the attacker identifies expenditures related to security services (e.g., GuardDuty, CloudTrail). This information helps the attacker understand the security posture and tools in use, potentially avoiding or disabling them during an attack.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""The attacker uses the GetCostAndUsage API to access billing and usage metrics stored in the AWS CostExplorer service. This data is collected to understand the financial and resource allocation details of the target environment.""}, {""technique"": ""T1071.001 - Application Layer Protocol: Web Protocols"", ""reason"": ""The attacker uses web protocols (e.g., HTTPS) to interact with the CostExplorer service and retrieve cost and usage metrics. 
The data collected is then sent over the web protocol to a remote server controlled by the attacker.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The attacker scripts the retrieval of cost and usage metrics using the GetCostAndUsage API. This script regularly exfiltrates data, providing continuous updates to the attacker on the victim's cloud usage patterns.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""The attacker stores the retrieved cost and usage data in a cloud storage object (e.g., S3 bucket). This stored data is later accessed or transferred to the attacker's own environment for further analysis or sale.""}]" +AttachVolume,ec2.amazonaws.com,EC2,Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.,TA0008 - Lateral Movement,T1021 - Remote Services,,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName""}]",https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""By attaching or detaching volumes, attackers can manipulate account settings or the environment to further their objectives, such as making specific data accessible or inaccessible.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers might attach volumes that appear legitimate or contain misleading data, thereby disguising their malicious activities.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""EBS volumes can be used to stage data for exfiltration or further manipulation by the attackers.""}, 
{""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Attackers can use attached volumes to transfer tools, scripts, or other malicious files into the target environment.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Malicious actors can store obfuscated data or tools on an EBS volume to evade detection mechanisms.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Attackers may attach volumes to archive collected data for exfiltration or future use, leveraging the storage capacity of the EBS volumes.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""By attaching a volume that contains information repositories, attackers can access and extract sensitive data stored within these repositories""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""Attackers can attach volumes that contain cloud storage objects, allowing them to access and manipulate the data stored within these objects.""}, {""technique"": ""T1030 - Data Transfer Size Limits"", ""reason"": ""Attackers may attach EBS volumes to instances to handle large amounts of data transfer without triggering size-based detection mechanisms.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""By attaching an EBS volume, attackers can access and extract data from the local file system of the EC2 instance.""}]"
+AuthorizeSecurityGroupEgress,ec2.amazonaws.com,EC2,Adds the specified outbound (egress) rules to a security group.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,,True,"[{""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]",[],Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 
authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress,"[{""technique"": ""T1040 - Network Sniffing"", ""reason"": ""Outbound rules can be adjusted to send traffic to specific external destinations, which may allow attackers to capture or monitor network traffic for sensitive information.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Attackers can use specific egress rules to allow communication over commonly used application layer protocols.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Attackers can set up egress rules to exfiltrate staged data through approved channels.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""By setting egress rules, attackers can allow outbound traffic for remote desktop connections, facilitating lateral movement.""}, {""technique"": ""T1095 - Non-Application Layer Protocol"", ""reason"": ""Attackers might configure rules to allow exfiltration using non-standard protocols.""}, {""technique"": ""T1571 - Non-Standard Port"", ""reason"": ""By authorizing specific outbound ports, attackers can use non-standard ports for communication to evade defenses.""}, {""technique"": ""T1599 - Network Boundary Bridging"", ""reason"": ""Attackers can use egress rules to bridge network boundaries, aiding lateral movement or exfiltration""}]"
+AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",T1021.004 - Remote Services: SSH,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": 
""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id 
sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress,"[{""technique"": ""T1133 - External Remote Services"", ""reason"": ""By adding or modifying ingress rules, attackers can enable remote access to the EC2 instances, which is a direct use of the AuthorizeSecurityGroupIngress API call to allow external services.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Attackers can use the API call to allow inbound traffic, facilitating the transfer of tools or payloads directly into the compromised environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying security group rules to disable defenses or monitoring directly involves the AuthorizeSecurityGroupIngress API call.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Discovering which permission groups can modify security group rules is directly relevant as it informs the attacker's strategy to use the AuthorizeSecurityGroupIngress API call.""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""If an attacker exploits a vulnerability and gains access to an AWS account, they might use the AuthorizeSecurityGroupIngress API call to allow them to exploit applications that were not previously reachable.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Attackers might modify ingress rules to allow traffic through a proxy, enabling them to route malicious traffic through the compromised environment.""}]"
+CreateDefaultVpc,ec2.amazonaws.com,EC2,Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",,True,"[{""description"": ""The curious 
case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-default-vpc""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc,"[{""technique"": ""T1021 - Remote Services"", ""reason"": ""With a default VPC in place, adversaries can use it to establish connections between various services, facilitating lateral movement across different instances and resources.""}, {""technique"": ""T1133 - External Remote Services"", ""reason"": ""The VPC configuration can be exploited to set up remote access points, which adversaries can use to maintain command and control over compromised resources.""}, {""technique"": ""T1041 - Exfiltration Over C2 Channel"", ""reason"": ""Once command and control is established within the VPC, data can be exfiltrated through these channels without raising immediate suspicion, leveraging the network infrastructure.""}]"
+CreateImage,ec2.amazonaws.com,EC2,Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \""TrailDiscoverImageName\"" --description \""TrailDiscoverImageDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateImage,"[{""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""Attackers can create an AMI, then analyze the offline image to perform 
credential dumping, extracting sensitive information from the instance's filesystem""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attackers can create an AMI from an instance, disable or alter security tools and configurations within the AMI, and redeploy the compromised AMI to evade detection and maintain control.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Creating an AMI involves creating a snapshot of the instance's state. Attackers can use this snapshot to capture and analyze the data and configurations of the instance, which may include sensitive information or enable further attacks.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers can use the CreateImage API to create an AMI from an instance they control. This AMI can then be used to deploy new instances with pre-configured settings, including backdoors or other malicious configurations, effectively manipulating accounts and resources within the cloud environment.""}]"
+CreateInstanceExportTask,ec2.amazonaws.com,EC2,Exports a running or stopped instance to an Amazon S3 bucket.,TA0009 - Collection,T1005 - Data from Local System,,False,[],"[{""description"": ""AWS EC2 VM Export Failure"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html""}]",Attackers might use CreateInstanceExportTask to extract or exfiltrate information,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task 
DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask,"[{""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""Exporting an EC2 instance to an S3 bucket involves transferring data over a web service, which aligns with exfiltrating data through a web-based method.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The export task utilizes application layer protocols for communication, relevant for exfiltrating data using such protocols.""}, {""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Exporting an EC2 instance to an S3 bucket involves moving data within the same cloud account and region, but it still represents a transfer of potentially sensitive data to another location within the cloud. ""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""The export task could be used in combination with other tactics to hijack the resource for further malicious activities or unauthorized access.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""The instance's data being exported can be seen as collecting data from a local system before transferring it to another location.""}]"
+CreateKeyPair,ec2.amazonaws.com,EC2,Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.,TA0003 - Persistence,T1098 - Account Manipulation,T1098.001 - Account Manipulation: Additional Cloud Credentials,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY 
MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-key-pair --key-name TrailDiscoverKeyPair""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The creation of a new key pair can facilitate unauthorized access to cloud accounts if an attacker obtains the private key, allowing them to log in and perform actions within the compromised account. By creating a new key pair, attackers can establish valid accounts that can be used to maintain access and evade detection, as the access looks legitimate. Similar to cloud accounts, valid local accounts can be exploited if the attacker uses the key pair to gain access to specific instances or services within the local environment. If the key pair is used to authenticate to domain accounts within the cloud environment, it can provide attackers with persistent access to those accounts, facilitating further malicious activities.""}, {""technique"": ""T1562 - Impair Defense"", ""reason"": ""An attacker with a newly created key pair might use it to disable security tools or modify settings within the cloud environment to avoid detection and maintain persistence.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""The private key returned is unencrypted, which poses a risk if intercepted or improperly stored, leading to potential credential exposure. 
The private key might be stored in files within the cloud instances, which could be exploited by an attacker to gain unauthorized access.""}, {""technique"": ""T1040 - Network Sniffing"", ""reason"": ""If the private key is transmitted over the network in plaintext, it can be intercepted by an attacker, leading to credential access.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""If the EC2 instance has permissions to access Cloud storage, the key can be used to get this data via the EC2 permissions""}, {""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""An attacker might exploit the creation and handling of key pairs to gain access to credentials if there are vulnerabilities or misconfigurations in how the keys are managed and stored.""}]"
+CreateNetworkAclEntry,ec2.amazonaws.com,EC2,Creates an entry (a rule) in a network ACL with the specified rule number.,TA0003 - Persistence,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS EC2 Network Access Control List Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Creating or 
modifying network ACLs can disable or alter firewall rules, thus impairing defenses. By modifying ACLs, attackers might disable security tools that rely on specific network configurations.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Modifying network ACLs could allow malicious payloads to be transferred into the network.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""By changing ACL rules, an attacker might permit unauthorized web traffic for command and control. By modifying network ACLs, an attacker could allow unauthorized email traffic for exfiltration or command and control.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""Creating or modifying ACL entries can facilitate unauthorized RDP access, aiding lateral movement.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Attackers could create ACL rules that permit traffic to and from external proxies, aiding command and control operations""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""By modifying network ACL rules, an attacker can enable access to specific ports used by services like SMB (TCP/445). SMB ports are often used for sharing files and resources within a network. 
Access to these ports can provide the attacker with the ability to query for system information, users, and groups (such as through NetSessionEnum or NetUserEnum calls), helping them to discover the system owner or logged-in users, which aids in understanding the target environment.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""An attacker might create ACL entries to allow traffic to sites or services where the attacker has valid accounts.""}, {""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""Creating specific ACL rules might help attackers map out network connections and understand the network layout.""}]"
+CreateRoute,ec2.amazonaws.com,EC2,Creates a route in a route table within a VPC.,TA0009 - Collection,T1074 - Data Staged,,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Route Table Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]",Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute,"[{""technique"": ""T1090 - Proxy"", ""reason"": ""Creating a route can facilitate the use of external proxies by directing traffic through a specific intermediary node. 
Using the CreateRoute API can set up routing that utilizes proxies to hide the origin of network traffic.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The creation of routes might involve the use of compromised cloud accounts to establish persistence within a network.""}, {""technique"": ""T1570 - Lateral Tool Transfer"", ""reason"": ""Routes can be used to facilitate the transfer of tools across different segments of a network, aiding lateral movement.""}, {""technique"": ""T1070: Indicator Removal"", ""reason"": ""Creating routes might assist in evading detection and preserving stealth by directing traffic in a way that avoids logging mechanisms, aiding in the removal or obfuscation of evidence.""}, {""technique"": ""T1046: Network Service Discovery"", ""reason"": ""Adjusting routes can help in discovering network services by ensuring that specific network segments are reachable, aiding in reconnaissance.""}]"
+CreateSecurityGroup,ec2.amazonaws.com,EC2,Creates a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services","T1021.001 - Remote Services: Remote Desktop Protocol, T1021.004 - Remote Services: SSH",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""ANATOMY OF AN ATTACK: 
EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \""TrailDiscoverDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By creating or modifying security group rules, adversaries can manipulate the flow of network traffic to bypass security monitoring tools, which aids in defense evasion.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""By configuring security groups under seemingly legitimate purposes while actually facilitating malicious activities, adversaries can use this to disguise their network traffic and actions.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Adversaries may configure security groups to specifically allow traffic types that can cause application layer exhaustion, effectively using this method to flood systems with requests that exhaust resources and lead to service disruption.""}]"
+CreateSnapshot,ec2.amazonaws.com,EC2,Creates a snapshot of an EBS volume and stores it in Amazon S3.,"TA0008 - Lateral Movement, TA0010 - 
Exfiltration","T1537 - Transfer Data to Cloud Account, T1021 - Remote Services",,True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Stealing an EBS snapshot by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/""}, {""description"": ""Exfiltrate EBS Snapshot by Sharing It"", ""link"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/""}]","Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute,"[{""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Creating a snapshot and storing it in S3 can be used to exfiltrate data by transferring it to another account or region.""}, {""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""If an adversary has access to an EBS volume containing credentials, creating a snapshot of that volume could allow them to extract those credentials.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""An adversary could create a snapshot before deleting the original volume, ensuring they can still access the data""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""The snapshot data can be exfiltrated using AWS APIs, moving it to S3 or 
other cloud storage.""}, {""technique"": ""T1030 - Data Transfer Size Limits"", ""reason"": ""Creating multiple snapshots to evade detection mechanisms that monitor for large data transfers.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""By creating snapshots of EBS volumes, adversaries can hide data transfers under the guise of legitimate backup operations. This makes it harder to distinguish between regular snapshot activities and potential malicious data movements.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Snapshots can serve as a stage for data before exfiltration""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""Adversaries might use stolen keys or other credentials extracted from snapshots as authentication material.""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Adversaries could create snapshots and use them in other environments, leveraging the stored resources for malicious purposes.""}]"
+CreateTrafficMirrorFilter,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter.,TA0009 - Collection,T1074 - Data Staged,,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter --description 'TCP Filter'""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter,"[{""technique"": ""T1040 - Network Sniffing"", ""reason"": ""By creating a Traffic Mirror filter, attackers can intercept and analyze network traffic to capture sensitive information. 
This directly relates to the ability to observe all mirrored network traffic.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""raffic mirroring can be used to observe and scan network services and discover active services and devices on the network. By analyzing mirrored traffic, attackers can map the network and identify active services.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""Traffic mirroring can facilitate the automated exfiltration of data through observed network traffic. Mirrored traffic can be continuously collected and sent to an attacker's controlled server for automatic processing and exfiltration.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Mirrored traffic can help attackers discover information about system owners or users by analyzing the traffic. For instance, login attempts, user credentials, and other user-related information might be observed.""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""Traffic mirroring can be used to identify security software and appliances by analyzing network traffic. Attackers can look for traffic patterns related to security software to understand the defenses in place.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""By capturing mirrored traffic, attackers can collect data from local systems indirectly by observing network communications. 
This can include files being transferred over the network, credentials, and other sensitive information.""}]"
+CreateTrafficMirrorFilterRule,ec2.amazonaws.com,EC2,Creates a Traffic Mirror filter rule.,TA0009 - Collection,T1074 - Data Staged,,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule,"[{""technique"": ""T1020 - Automated Collection"", ""reason"": ""Traffic mirroring can automate the collection of network traffic, which can include sensitive data.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""By intercepting traffic, an attacker can discover information about the system owner or users based on network communications.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Traffic mirroring can help attackers understand and manipulate application layer protocols by observing the traffic.""}, {""technique"": ""T1040: Network Sniffing"", ""reason"": ""Traffic mirroring is essentially a form of network sniffing, capturing data in transit for further analysis""}, {""technique"": ""T1567: Exfiltration Over Web Service"", ""reason"": ""Intercepted traffic can be exfiltrated over web services if the mirrored data is sent to an external destination.""}, {""technique"": ""T1213: Data from Information Repositories"", ""reason"": ""T1213: Data from Information Repositories""}, {""technique"": ""T1005: Data from Local System"", 
""reason"": ""Traffic mirroring can capture data from the local system that is transmitted over the network.""}, {""technique"": ""T1083: File and Directory Discovery"", ""reason"": ""Analysis of mirrored traffic can help in discovering files and directories being accessed and used on the network""}]"
+CreateTrafficMirrorSession,ec2.amazonaws.com,EC2,Creates a Traffic Mirror session.,TA0009 - Collection,T1074 - Data Staged,,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id tmf-04812ff784EXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession,"[{""technique"": ""T1040 - Network Sniffing"", ""reason"": ""By creating a Traffic Mirror session, an adversary can passively collect data on the network, capturing traffic to gather sensitive information.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Traffic Mirror sessions can be used to monitor application layer protocols to understand communication patterns""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The mirrored traffic could be sent to an external system for automated analysis and potential exfiltration of data.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""In the later stages of an attack, traffic mirrored sessions might help disguise malicious traffic by blending it with legitimate traffic, by using already learnt traffic patterns, aiding in evasion of detection""}, {""technique"": 
""T1018 - Remote System Discovery"", ""reason"": ""Analyzing the mirrored traffic can provide information on remote systems, including their IP addresses and services, aiding in further discovery.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""raffic Mirror can be utilized to capture and analyze traffic routed through proxy servers, identifying potential points of interest for further compromise.""}, {""technique"": ""T1119 - Automated Collection"", ""reason"": ""Automating the creation of Traffic Mirror sessions allows for continuous data collection without manual intervention""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""Traffic Mirror sessions could capture data from repositories by monitoring traffic related to repository access""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Adversaries can use traffic mirroring to collect and then archive large amounts of network traffic for later analysis or exfiltration.""}, {""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""Monitoring mirrored traffic can reveal details about network connections on systems, such as active connections, protocols used, and the nature of the traffic.""}]" +CreateTrafficMirrorTarget,ec2.amazonaws.com,EC2,Creates a target for your Traffic Mirror session.,TA0009 - Collection,T1074 - Data Staged,,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn 
TrailDiscoverNetworkLoadBalancerArn""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget,"[{""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""When a Traffic Mirror target is created, it enables the capture of network traffic, which can be analyzed to understand the network configuration, including IP addresses, subnets, and routing.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Mirrored traffic provides visibility into the types of services running on the network, allowing adversaries to map out the network services and identify potential vulnerabilities.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""By examining the mirrored traffic, attackers can identify and understand the protocols used at the application layer, which can be exploited for further attacks.""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""The data captured through traffic mirroring can be exfiltrated via web services, making it easier for attackers to move large amounts of data without detection.""}, {""technique"": ""T1571 - Non-Standard Port"", ""reason"": ""Traffic mirroring can uncover the use of non-standard ports, which can then be targeted in later stages of the attack for covert command and control communications.""}, {""technique"": ""1590 - Gather Victim Network Information"", ""reason"": ""The detailed information gathered from traffic mirroring helps attackers build a comprehensive profile of the victim's network.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By analyzing the traffic within a cloud environment, adversaries can discover cloud infrastructure details and configurations, which can be critical for planning further attacks.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Analysis of mirrored traffic can reveal information about system owners or users, which can be leveraged for further 
attacks.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""Mirrored traffic can reveal sensitive data being transmitted within the network, which can be captured and analyzed.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""Traffic mirroring enables the continuous collection of network traffic, which can then be automatically exfiltrated for further analysis or exploitation.""}]" +CreateVolume,ec2.amazonaws.com,EC2,Creates an EBS volume that can be attached to an instance in the same Availability Zone.,TA0008 - Lateral Movement,T1021 - Remote Services,,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-volume --size 80 --availability-zone us-east-1a""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume,"[{""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""Attackers can create volumes and attach them to instances to access filesystems and potentially extract sensitive files such as /etc/passwd and /etc/shadow on Linux systems for credential dumping.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By creating a volume from a snapshot that contains valid credentials or authentication tokens, attackers can gain persistent access to cloud resources.""}, {""technique"": ""T1202 - Indirect Command Execution"", ""reason"": ""Attackers might use the creation of volumes and the data contained within them to execute commands indirectly by leveraging scripts or binaries stored in these volumes. 
Some of the commands could be called by methods like autorun scripts or similar""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Creating and using volumes for storing large amounts of data or for computational tasks can be a form of resource hijacking, impacting the cloud environment's availability and cost.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Attackers might use newly created volumes to overwrite sensitive data, effectively destroying it and causing a significant impact""}, {""technique"": ""T1486 - Data Encrypted for Impact"", ""reason"": ""Encrypted volumes can be used by attackers to encrypt data and then demand ransom for decryption keys, directly impacting data availability.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Attackers can use created volumes to stage collected data locally before exfiltration, facilitating the organization and preparation of data for extraction.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers might create volumes that mimic legitimate snapshots or backups to evade detection and maintain persistent access by blending into normal operations.""}, {""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Attackers can create volumes to transfer and store exfiltrated data within a cloud account, enabling them to securely move sensitive information out of the victim's environment""}]" +DeleteFlowLogs,ec2.amazonaws.com,EC2,Deletes one or more flow logs.,TA0005 - Defense Evasion,T1089 - Disabling Security Tools,,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Removing VPC flow logs"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/""}, {""description"": ""AWS Incident 
Response"", ""link"": ""https://github.com/easttimor/aws-incident-response""}, {""description"": ""Proactive Cloud Security w/ AWS Organizations"", ""link"": ""https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16""}]",Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting flow logs can remove indicators that were stored, making it harder to detect malicious activities""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Disabling or deleting flow logs can impair defensive mechanisms by removing visibility into network traffic. It also supersedes T1089 since v7.1.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting flow logs can be part of a broader data destruction strategy. By removing logs that track network activity, an attacker can ensure that no historical data remains to aid in the forensic investigation of their activities. 
This makes it significantly harder to trace malicious actions back to the perpetrator, thus effectively destroying critical evidence""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Deleting flow logs can be part of account manipulation to hide tracks and activities conducted using compromised accounts.""}]" +DeleteNetworkAcl,ec2.amazonaws.com,EC2,Deletes the specified network ACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Network ACL Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change""}]","Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting a network ACL can be a form of data destruction as it disrupts the network configuration, potentially leading to data loss or service disruption""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Removing network ACLs can stop or disrupt services by blocking legitimate network traffic, effectively causing denial of service conditions""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting network ACLs can be part of a broader strategy to remove access to resources, making it difficult for legitimate users to access networked systems and services. 
For example, deleting a network ACL that allows SSH access.""}]" +DeleteNetworkAclEntry,ec2.amazonaws.com,EC2,Deletes the specified ingress or egress entry (rule) from the specified network ACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,"T1562.001: Impair Defenses - Disable or Modify Tools, T1562.004: Impair Defenses - Disable or Modify System Firewall",False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Network ACL Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change""}]","Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers may manipulate network ACLs as part of account manipulation to remove or alter security controls. This can enable unauthorized access or disrupt normal operations within the cloud environment.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting network ACL entries could be part of an attack to disrupt services and remove access to accounts, affecting the availability of resources. 
For example, deleting a network ACL that allows SSH access.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""By deleting critical network ACL entries, an attacker can disrupt or stop essential services by either blocking required traffic or allowing malicious traffic, leading to a service interruption.""}]" +DeleteSnapshot,ec2.amazonaws.com,EC2,Deletes the specified snapshot.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting snapshots can be part of an effort to remove indicators of compromise or evidence of malicious activity.""}, {""technique"": ""T1486 - Data Encrypted for Impact"", ""reason"": ""If the adversary has encrypted the data and then deletes snapshots, it makes recovery impossible without the decryption keys, thus increasing the impact.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""Deleting snapshots can be a form of manipulating stored data, particularly if snapshots are used for data recovery and the deletion disrupts normal recovery processes.""}, {""technique"": ""T1561 - Disk Wipe"", ""reason"": ""Deleting snapshots can be considered a form of disk wipe if the snapshots contain the only copies of certain data, effectively wiping that data from existence.""}]" +DeleteVolume,ec2.amazonaws.com,EC2,Deletes the specified EBS volume. 
The volume must be in the available state (not attached to an instance).,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-volume --volume-id TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting an EBS volume can be used to remove evidence of malicious activity, such as log files or other data stored on the volume.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""The deletion of an EBS volume results in the permanent loss of the data it contained, which is a form of data destruction.""}, {""technique"": ""T1561 - Disk Wipe"", ""reason"": ""Deleting the volume ensures that all data on the volume is removed, which is similar to a disk wipe.""}]" +DescribeAccountAttributes,ec2.amazonaws.com,EC2,Describes attributes of your AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-account-attributes --attribute-names TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By describing the account attributes, an adversary can gather information about the 
AWS environment, such as supported platforms, EC2 limitations, and default settings, which aids in understanding the overall cloud infrastructure.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Understanding the maximum number of security groups that can be assigned to a network interface can help an adversary in identifying the possible scope and structure of permissions within the account.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""his technique is relevant as it involves obtaining information about the cloud services and configurations, such as the maximum number of instances and Elastic IP addresses, supported platforms, and default VPC ID""}, {""technique"": ""T1538 - Cloud Service Dashboard"", ""reason"": ""Accessing the account attributes via the API is akin to viewing settings in the cloud service dashboard, providing a view into the configurations and limitations of the AWS environment.""}]" +DescribeAvailabilityZones,ec2.amazonaws.com,EC2,"Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Knowing the availability zones is a part of system information that an attacker might want to know. 
This API call provides insights into the environment setup and operational state.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The DescribeAvailabilityZones API call provides information about the geographical distribution of cloud services, aiding in the identification of cloud services in use.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""By knowing which availability zones are in use, attackers can identify the distribution of systems and services across the cloud environment. This helps in mapping the network architecture and planning subsequent lateral movement or targeted attacks.""}]" +DescribeBundleTasks,ec2.amazonaws.com,EC2,Describes the specified bundle tasks or all of your bundle tasks.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The DescribeBundleTasks API call can provide details about the instance, which can be used to gather information about the system's configuration and status. The description of what a Bundle Task is not even available on AWS anymore.""}, {""technique"": ""T1553.002 - Subvert Trust Controls: Code Signing"", ""reason"": ""nsuring that the bundled data is from a legitimate source and not tampered with might involve code signing, particularly if the bundle is intended for deployment or transfer. 
The description of what a Bundle Task is not even available on AWS anymore.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""The bundling process involves staging data for bundling and transfer, which is a crucial step in the data management process. The description of what a Bundle Task is not even available on AWS anymore.""}]" +DescribeCarrierGateways,ec2.amazonaws.com,EC2,Describes one or more of your carrier gateways.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways,"[{""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""This API call helps in discovering the network configuration, including the carrier gateway, which can provide insight into how traffic is routed""}, {""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""Describing the carrier gateways can reveal details about network connections and traffic flow between Wavelength Zones and carrier networks.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Carrier gateways' NAT function can be leveraged to hide the source of attack traffic, aiding in defense evasion""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Identifying carrier gateways could be useful for attackers aiming to gain access to the network using valid accounts""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""Knowing the setup of carrier gateways can help in 
exploiting remote services that rely on this infrastructure""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""Insights into carrier gateways might reveal trust relationships between different network segments and domains""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Information from the carrier gateway description can help identify other remote systems within the network.""}]" +DescribeClientVpnRoutes,ec2.amazonaws.com,EC2,Describes the routes for the specified Client VPN endpoint.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes that could be exploited for network access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes,"[{""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""An adversary might use DescribeClientVpnRoutes to enumerate network routes within the VPN, identifying potential targets and pivot points within the network.""}, {""technique"": ""T1021- Remote Services"", ""reason"": ""This API call can provide details on how to access different parts of the network remotely, which could facilitate lateral movement or remote execution of commands""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""Information from DescribeClientVpnRoutes can reveal internal network structures, including IP ranges and network topologies, which can be used for further discovery and evasion activities""}]" 
+DescribeDhcpOptions,ec2.amazonaws.com,EC2,Describes one or more of your DHCP options sets.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions,"[{""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""Describing DHCP options is directly related to understanding network configurations and connections within the AWS environment""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The DHCP options can reveal information about DNS servers, domain names, NTP servers, and other network configurations, aiding in network discovery""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Describing DHCP options can help attackers discover remote systems within the network, providing a map of targets for lateral movement.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Understanding DHCP options might reveal information about the system owners or users, helping attackers tailor their strategies for further exploitation.""}]" +DescribeFlowLogs,ec2.amazonaws.com,EC2,Describes one or more flow logs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being 
logged.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs,"[{""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Describing flow logs can help attackers understand which users are accessing specific network resources.""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""Flow logs can reveal network configurations, allowing attackers to map out the network layout""}, {""technique"": ""T1040 - Network Sniffing"", ""reason"": ""By analyzing flow logs, attackers can infer traffic patterns and potentially sensitive information about network communications""}, {""technique"": ""T1020 - Automated Collection"", ""reason"": ""Attackers can use the flow logs to automate the collection of network traffic data for further analysis""}]" +DescribeImages,ec2.amazonaws.com,EC2,"Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-images --filters Name=name,Values=TrailDiscover""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""DescribeImages can be used to gather detailed information about the system images in use, which is critical for planning further attacks or understanding the environment.""}, {""technique"": ""T1202 - Indirect Command Execution"", ""reason"": ""By using DescribeImages, attackers can identify images that may 
allow them to indirectly execute commands through specific software or configurations present in the images""}, {""technique"": ""T1608 - Stage Capabilities"", ""reason"": ""An attacker might use DescribeImages to find specific images to stage capabilities like installing digital certificates on chosen instances.""}, {""technique"": ""T1083 - File and Directory Discovery"", ""reason"": ""DescribeImages can reveal the existence and properties of files and directories associated with specific AMIs, aiding in discovery efforts""}, {""technique"": ""T1613 - Container and Resource Discovery"", ""reason"": ""Attackers can use DescribeImages to identify available container images and resources in the environment. This helps them understand the infrastructure and identify potential targets for exploitation within containerized applications.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""Using DescribeImages helps attackers discover available cloud services, their configurations, and associated resources.""}, {""technique"": ""T1195 - Supply Chain Compromise"", ""reason"": ""Attackers can use DescribeImages to identify and exploit vulnerabilities in the software dependencies and development tools used within specific images, leading to a supply chain compromise.""}]" +DescribeInstanceAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified instance. 
You can specify only one attribute at a time.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Using DescribeInstanceAttribute can reveal information about the instance's configuration, such as instance type, which aids in understanding the system environment.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Information about the instance attributes can be used to identify potential valid accounts associated with the instance, particularly if the attribute reveals details about the IAM roles or users associated with it.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Describing instance attributes can provide details about the permissions and security groups associated with the instance, aiding in the discovery of network access control configurations.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""The attribute information might include details about the instance owner or users, helping to identify key individuals for potential targeted attacks""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Information about storage attributes of an instance can help in planning the staging of data for exfiltration.""}, {""technique"": ""T1007 - 
System Service Discovery"", ""reason"": ""Attributes related to the services running on the instance can be described, aiding in the discovery of available services for further exploitation.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Details about network interfaces and configurations discovered through instance attributes can assist in identifying other remote systems and services within the network.""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""Describing instance attributes may reveal information about the installed software and applications, assisting in software discovery efforts.""}]" +DescribeInstances,ec2.amazonaws.com,EC2,Describes the specified instances or all instances.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The DescribeInstances call provides detailed information about the EC2 instances, including instance type, state, and configuration details. 
This information is essential for an adversary performing system information discovery to understand the environment.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""The DescribeInstances output can include tags and other metadata that may contain user information, helping adversaries to identify system owners and users.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Discovering the details of security configurations, such as security groups and network ACLs associated with instances, can help adversaries to plan how to impair or bypass defenses""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Understanding the details of EC2 instances can enable an adversary to manipulate accounts associated with those instances, such as creating or deleting IAM roles attached to instances.""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""DescribeInstances can reveal network configurations of instances, including VPC, subnet, and security group details, aiding in network discovery""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""While DescribeInstances does not directly perform network service scanning, the information it provides about instance IP addresses and configurations can be used to facilitate subsequent network scanning activities.""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""Detailed information about EC2 instances, such as their public IP addresses and running services, can be used to exploit remote services running on these instances.""}, {""technique"": ""T1135 - Network Share Discovery"", ""reason"": ""Information from DescribeInstances can indicate the presence of network shares or attached storage, which may be targeted for further discovery or exploitation.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""DescribeInstances can provide insights into the software and processes running on the 
instances, helping adversaries identify potential targets for process discovery and further exploitation.""}]" +DescribeInstanceTypes,ec2.amazonaws.com,EC2,Describes the details of the instance types that are offered in a location.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes,"[{""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""By describing instance types, attackers can identify the network configurations and resources used in the target's AWS environment. 
This information aids in understanding the network structure and potential vulnerabilities that could be exploited.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""DescribeInstanceTypes provides detailed information about different instance types, including their capabilities and configurations, which can help an attacker understand the system architecture and capabilities.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""Knowing the types of instances helps in determining how data might be stored or managed in cloud repositories, aiding in planning data collection strategies.""}, {""technique"": ""T1592 - Gather Victim Host Information"", ""reason"": ""DescribeInstanceTypes can provide details on the hardware and software configurations of the instances, helping attackers gather comprehensive information about the victim's host environment.""}, {""technique"": ""T1046 - Network Service Discovery"", ""reason"": ""By knowing the instance types, attackers can infer what network services might be running, aiding in the discovery of network service configurations and potential vulnerabilities.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""DescribeInstanceTypes helps attackers discover the available cloud services and their configurations, which is crucial for understanding the overall cloud environment and potential targets.""}, {""technique"": ""T1497 - Virtualization/Sandbox Evasion"", ""reason"": ""Knowing the instance types can help attackers tailor their techniques to evade detection within virtualized environments specific to the cloud infrastructure in use.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""DescribeInstanceTypes can provide insights into the types of instances and their configurations, which may include details relevant to domain trust relationships within the cloud infrastructure.""}]" +DescribeKeyPairs,ec2.amazonaws.com,EC2,Describes the 
specified key pairs or all of your key pairs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}]",[],Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs,"[{""technique"": ""T1580 - Cloud Service Discovery"", ""reason"": ""The DescribeKeyPairs API call can be used to enumerate key pairs associated with EC2 instances, which aids in discovering cloud resources and configurations.""}, {""technique"": ""T1528 - Steal Application Access Token"", ""reason"": ""Key pairs can be used to steal application access tokens if they are used for application authentication mechanisms.""}]" +DescribeRegions,ec2.amazonaws.com,EC2,"Describes the Regions that are enabled for your account, or all Regions.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-regions""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions,"[{""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""Attackers 
can use the DescribeRegions API call to obtain information about the cloud regions where a victim's resources are deployed. This helps in mapping the network and understanding the potential attack surface.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By utilizing DescribeRegions, attackers can gain insights into the geographical distribution of the victim's cloud infrastructure, contributing to the overall system information.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""DescribeRegions gives access to the regional metadata of AWS, which acts as an information repository. Attackers may exploit this data to gain insights into the structure and status of the cloud environment.""}, {""technique"": ""T1135 - Network Share Discovery"", ""reason"": ""Although not directly relevant attackers can use DescribeRegions to understand the layout of network resources across different regions, which can aid in discovering network shares and how resources are distributed geographically.""}]" +GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. 
You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetLaunchTemplateData API call retrieves configuration data of an instance, providing detailed information about the system, including its configurations and metadata.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Information about the instance's network configurations can aid in scanning for active services and identifying potential targets""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Adversaries might use the gathered configuration data to create archives for exfiltration purposes""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""The GetLaunchTemplateData call may reveal information about the system owner or users associated with the instance.""}]" +DescribeSecurityGroups,ec2.amazonaws.com,EC2,Describes the specified security groups or all of your security groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Case Study: Responding to an Attack in AWS"", ""link"": ""https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/""}]",[],"Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or 
to bypass network security controls.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups,"[{""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The DescribeSecurityGroups API call allows an adversary to gather information about security groups, which is crucial for understanding the security posture and configurations of the cloud environment""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By describing security groups, adversaries can infer the roles and privileges associated with different accounts and identify potential targets for further compromise.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Knowledge of security group configurations can help adversaries understand which network services are exposed, enabling them to scan for open ports and services""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Security groups often define permissions for accessing various resources within the cloud environment. 
Understanding these groups can help adversaries identify critical permissions and exploit them.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""If an adversary identifies security groups that allow inbound access, they might transfer tools or malware into the environment through these entry points""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Understanding security group rules helps adversaries in crafting communication methods that can bypass security controls using allowed protocols.""}, {""technique"": ""T1040 - Network Sniffing"", ""reason"": ""By knowing the security groups, adversaries can position themselves in a network segment where they can capture sensitive traffic.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""Knowledge of security group configurations that allow remote services access can be exploited to move laterally within the network using those services.""}]" +DescribeSnapshotAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified snapshot.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""By describing snapshot attributes, an adversary can discover accounts associated with specific snapshots, providing insight into user and service accounts in the environment.""}, {""technique"": 
""T1530 - Data from Cloud Storage"", ""reason"": "" Snapshots often contain data stored in the cloud, and describing their attributes is a step towards accessing and exploiting this data.""}, {""technique"": ""T1119 - Automated Collection"", ""reason"": ""DescribeSnapshotAttribute can be used in scripts to automatically collect data on snapshots for further analysis or malicious use.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""By gathering detailed information about snapshots, an adversary can infer the system owner or user details, which is crucial for furthering their attack strategy.""}, {""technique"": ""T1602 - Data from Configuration Repository"", ""reason"": ""Snapshot attributes may include configuration information that could be valuable for understanding the environment or identifying further targets for exfiltration or attack.""}]" +DescribeSnapshotTierStatus,ec2.amazonaws.com,EC2,Describes the storage tier status of one or more Amazon EBS snapshots.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-tier-status""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""By analyzing the snapshot tier status, an attacker could infer which accounts have access to particular snapshots, thereby gaining insights into the account structures and permissions within the target environment.""}, {""technique"": ""T1033 - System Owner/User 
Discovery"", ""reason"": ""Information about the storage tier status of snapshots includes metadata that helps identify system owners or users associated with those snapshots, thus aiding in the discovery of target users within the environment.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""This API call provides detailed information about EBS snapshots, which are a form of cloud storage. An attacker can use this to identify and access sensitive data stored within these snapshots.""}]" +DescribeTransitGatewayMulticastDomains,ec2.amazonaws.com,EC2,Describes one or more transit gateway multicast domains.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains,"[{""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""This api call involves identifying details about the victim's network, such as the structure and topology, which can be aided by describing transit gateway multicast domains.""}, {""technique"": ""T1592 - Gather Victim Host Information"", ""reason"": ""The information from the API call could help an attacker understand the hosts connected via the multicast domains.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Information from transit gateway multicast domains could include details about the accounts associated with 
them.""}, {""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""Describing multicast domains helps in mapping out system network connections.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""The API call may return information about the users or owners of the systems within the multicast domains.""}]" +DescribeVolumes,ec2.amazonaws.com,EC2,Describes the specified EBS volumes or all of your EBS volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The DescribeVolumes API call can reveal information about EBS volumes which might contain details about the accounts that created or use them.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""DescribeVolumes allows attackers to list and understand the configuration of EBS volumes within a cloud environment. This information helps map out the storage resources, potentially revealing sensitive data or misconfigurations.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By describing volumes, attackers can infer the permissions set on EBS volumes and potentially discover groups with access to these volumes""}, {""technique"": ""T1613 - Container and Resource Discovery"", ""reason"": ""Volumes can be linked to container storage. 
Discovering volumes helps in mapping container usage and dependencies""}]" +DescribeVolumesModifications,ec2.amazonaws.com,EC2,Describes the most recent volume modification request for the specified EBS volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVolumesModifications to track changes in EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Viewing volume modifications might help attackers understand cloud account structures and usage patterns, aiding in discovering privileged accounts""}]" +DescribeVpcEndpointConnectionNotifications,ec2.amazonaws.com,EC2,Describes the connection notifications for VPC endpoints and VPC endpoint services.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications,"[{""technique"": ""T1135 - Network Share Discovery"", ""reason"": ""Describing VPC endpoint connection notifications can help identify shared resources within the VPC, providing information on the network 
structure and potential entry points.""}, {""technique"": ""T1049 - System Network Connections Discovery"", ""reason"": ""By describing VPC endpoint connection notifications, an attacker can gather information about the network connections and endpoints configured in the VPC.""}, {""technique"": ""T1007 - Network Service Scanning"", ""reason"": ""Describing VPC endpoint connection notifications can reveal details about network services in use, which can be leveraged for further network service scanning.""}]" +DescribeVpcs,ec2.amazonaws.com,EC2,Describes one or more of your VPCs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",[],"Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs,"[{""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""Understanding the network configuration by querying VPCs helps an attacker identify the architecture, including subnets, route tables, and network ACLs. 
This information can reveal how the network is structured and potential points for further exploitation.""}, {""technique"": ""T1040 - Network Sniffing"", ""reason"": ""By describing the VPCs, attackers can identify potential points of network sniffing to capture valuable information traversing the network.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Understanding the VPCs helps in mapping out the cloud environment, potentially identifying accounts that manage or are associated with those VPCs.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""By describing VPCs, adversaries can identify trusts between different VPCs or between on-premises and cloud environments, aiding lateral movement and privilege escalation attempts.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""Describing VPCs directly aligns with gathering information about cloud network configurations, including CIDR blocks, subnets, and associated components.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""Discovering details about VPCs is part of a broader effort to map out cloud services and their configurations, providing a clearer picture of the cloud environment's landscape.""}]" +EnableSerialConsoleAccess,ec2.amazonaws.com,EC2,Enables access to the EC2 serial console of all instances for your account.,TA0008 - Lateral Movement,T1021 - Remote Services,,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""How to detect EC2 Serial Console enabled"", ""link"": ""https://sysdig.com/blog/ec2-serial-console-enabled/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security 
group rules and gain access to EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 enable-serial-console-access""}]",https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Enabling serial console access allows attackers to execute commands directly in the Unix shell of the EC2 instances.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Serial console access can be used to manipulate or create new accounts on the instance, ensuring persistent access.""}, {""technique"": ""T1037 - Boot or Logon Initialization Scripts"", ""reason"": ""Attackers can use the console to modify initialization scripts, ensuring their scripts run on startup for persistence.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Serial console access might be exploited using compromised credentials, allowing attackers to use valid accounts to access the console.""}, {""technique"": ""T1547 - Boot or Logon Autostart Execution"", ""reason"": ""The serial console can be used to modify system configurations or add scripts to ensure code execution upon system start.""}, {""technique"": ""T1543 - Create or Modify System Process"", ""reason"": ""If the instances are running Windows, attackers might use the serial console to create or modify services for persistence and privilege escalation.""}, {""technique"": ""T1055 - Process Injection"", ""reason"": ""Serial console access could potentially be used for injecting code into running processes to evade defenses""}, {""technique"": ""T1207 - Rogue Domain Controller"", ""reason"": ""Attackers with console access could promote a compromised instance to a domain controller in an Active Directory environment, escalating privileges.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""The serial console allows attackers to directly interact with the system to delete logs and other indicators of their 
presence.""}]" +GetConsoleScreenshot,ec2.amazonaws.com,EC2,Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot,"[{""technique"": ""T1113 - Screen Capture"", ""reason"": ""The GetConsoleScreenshot API call captures a screenshot of a running EC2 instance, providing a visual snapshot of the system's state. This can reveal sensitive information displayed on the screen, such as open applications, user activities, or visible credentials.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""The screenshot can provide insights into user accounts and other details visible on the instance, aiding in account discovery.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""The screenshot might reveal running processes or applications, helping in process discovery.""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""Screenshots may reveal network configurations displayed on the system's desktop.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Information visible in the screenshot might provide details about other systems or network topology.""}, {""technique"": ""T1110 - Brute Force"", ""reason"": ""If the screenshot shows login prompts or error messages related to login attempts, it can aid in brute force 
attempts.""}]" +GetEbsDefaultKmsKeyId,ec2.amazonaws.com,EC2,Describes the default AWS KMS key for EBS encryption by default for your account in this Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-ebs-default-kms-key-id""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Retrieving the default KMS key provides information about the encryption settings of the EBS volumes in the account.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""By knowing the KMS key, attackers could potentially access encrypted data if they manage to retrieve the corresponding encrypted volumes.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attackers could use this information to modify or disable encryption settings, impacting defenses.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers might use the default KMS key information to create resources that appear legitimate but are malicious in nature.""}]" +GetEbsEncryptionByDefault,ec2.amazonaws.com,EC2,Describes whether EBS encryption by default is enabled for your account in the current Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are 
encrypted by default, seeking to exploit unencrypted volumes.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-ebs-encryption-by-default""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault,"[{""technique"": ""T1538 - Cloud Service Dashboard"", ""reason"": ""Accessing configuration information through API calls to understand settings.""}]" +GetFlowLogsIntegrationTemplate,ec2.amazonaws.com,EC2,Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By analyzing the resulting template, adversaries might identify configurations and permissions related to valid accounts""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""The 
template could potentially include commands or scripts that are executed in the cloud environment, exploiting existing vulnerabilities for execution.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""The template could include configurations that disable or alter logging, monitoring, or other security tools.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""The CloudFormation template could include obfuscated scripts or configurations to evade detection""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""The setup process defined in the template might interact with remote services, offering a vector for exploitation.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""The information gleaned from the template can assist adversaries in understanding the network services in use, aiding in further network scanning and enumeration.""}, {""technique"": ""T1497 - Virtualization/Sandbox Evasion"", ""reason"": ""The template could be designed to detect and avoid execution within certain virtualized environments or sandboxes, thereby evading analysis or detection.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The CloudFormation template might include scripts executed via command and scripting interpreters, which can be leveraged for execution.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""By using the CloudFormation template to configure the VPC flow logs integration, adversaries can automate the collection, archiving, and storage of flow logs data, potentially using S3 to archive collected logs before exfiltration or analysis.""}]" +GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. 
You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings, network configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Retrieving the configuration data of instances can provide attackers with detailed system information that can be used for further reconnaissance and discovery of system characteristics.""}, {""technique"": ""T1135 - Network Share Discovery"", ""reason"": ""Attackers might use this data to discover network shares and storage configurations, aiding in understanding the network topology and resources""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""By accessing instance configuration data, attackers can determine what software is running on the instance, including security software, enabling them to plan further attacks.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Information obtained can be used to identify valid accounts within the cloud environment, potentially leading to misuse of credentials.""}, {""technique"": ""T1195 - Supply Chain Compromise"", ""reason"": ""Attackers can create a launch template based on the retrieved data, embedding malicious software or configurations, thus compromising the software supply chain.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The configuration data may include scripts or commands that can be leveraged to gain further 
access or control over the instance""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By understanding the configuration and storage locations, attackers can delete logs or files to evade detection""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Attackers might use the launch template to spin up instances for resource hijacking, such as cryptocurrency mining.""}]" +GetPasswordData,ec2.amazonaws.com,EC2,Retrieves the encrypted administrator password for a running Windows instance.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-password-data --instance-id TrailDiscoverInstanceId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By decrypting the administrator password with the key pair, an attacker can obtain valid credentials for the Windows 
instance, allowing them to log in with legitimate access. z If the Windows instance is part of a domain, obtaining the administrator password could provide domain-level access, enabling further exploitation within the domain. The password retrieved is for the local administrator account, giving full access to the instance's local resources and potentially allowing further escalation.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers can use the retrieved administrator credentials to create new accounts or manipulate existing ones to ensure continued access to the instance.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""With the administrator password, an attacker can remove access to existing accounts, locking out legitimate users and maintaining control over the instance.""}, {""technique"": ""T1548.002 - Abuse Elevation Control Mechanism"", ""reason"": ""Once an attacker has the administrator password, they can bypass User Account Control (UAC) on the instance to elevate privileges without user consent.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""An attacker with administrator access might delete logs and other files to cover their tracks and ensure persistent access without detection.""}]" +GetTransitGatewayRouteTableAssociations,ec2.amazonaws.com,EC2,Gets information about the associations for the specified transit gateway route table.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 
get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations,"[{""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""The API call provides information about the transit gateway route table associations, which can be used to identify and map remote systems within the network.""}, {""technique"": ""T1423 - Network Service Scanning"", ""reason"": ""Understanding route table associations helps in scanning and identifying active services and their routing paths, facilitating network service discovery.""}, {""technique"": ""T1133 - External Remote Services"", ""reason"": ""By analyzing transit gateway associations, attackers can identify potential external services that can be targeted for initial access or further exploitation""}, {""technique"": ""T1219 - Remote Access Software"", ""reason"": ""Knowledge of network routes and associations is crucial for deploying and managing remote access tools within the network""}, {""technique"": ""T1570 - Lateral Tool Transfer"", ""reason"": ""Route table information can be used to facilitate the transfer of tools across different segments of the network, aiding lateral movement.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""The information obtained from the API call can be used to identify and exploit remote services for lateral movement or persistence""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Attackers can use knowledge of network routing to communicate using application layer protocols that traverse the transit gateway routes""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The transit gateway route table associations provide valuable insights into the network's structure and configuration, useful for gathering detailed network information""}]" +ImportKeyPair,ec2.amazonaws.com,EC2,Imports the public key from 
an RSA or ED25519 key pair that you created with a third-party tool.,TA0003 - Persistence,T1098 - Account Manipulation,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}]","Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""An attacker can import their own key pair to gain initial access to the AWS environment using a compromised or newly created account. The imported key can also be used to maintain persistent access. 
This can be applied to both cloud and domain accounts in the cloud, ensuring access across different services.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Attackers may delete logs or evidence after importing the keypair.""}]" +ModifyImageAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified AMI.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""AWS AMI Atttribute Modification for Exfiltration"", ""link"": ""https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/""}]","Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Modifying AMI launch permissions could allow an attacker to grant additional cloud accounts the ability to launch instances with the compromised AMI.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Modifying launchPermission can be used to grant access to valid accounts or remove access, effectively controlling which accounts can launch instances from the AMI.""}, {""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""Changing launch permissions to launch the AMI in an attacker AWS account might grant attackers access to instances where they can execute credential dumping tools.""}, {""technique"": ""T1021 - Remote Services"", ""reason"": ""If the AMI is launched by specific users, it could enable the attacker to move laterally by exploiting remote services and admin 
privileges.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""By modifying the AMI description, attackers can disguise malicious activities under benign-sounding descriptions to evade detection.""}]" +ModifyInstanceAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""EC2 Privilege Escalation Through User Data"", ""link"": ""https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/""}, {""description"": ""User Data Script Persistence"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute,"[{""technique"": ""T1078 - Valid 
Accounts"", ""reason"": ""Modifying instance attributes can involve, via modifications of the UserData, changing account settings to maintain access to the instance, including the use or creation of default, local, or cloud accounts.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Via modifications of the UserData an attacker could disable or modify security tools and defenses on the instance, impairing the system's ability to detect or respond to threats""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Modifying instance attributes could allow the hijacking of resources for unauthorized uses such as cryptocurrency mining. You could also increase the size of CPU or RAM""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Changes in instance attributes could be used to facilitate the destruction of data on the instance, impacting the integrity and availability of information.""}]" +ModifySnapshotAttribute,ec2.amazonaws.com,EC2,Adds or removes permission settings for the specified snapshot.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}]",[],"Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By adding permissions to a snapshot, attackers can grant access to unauthorized cloud accounts or default accounts, which can be used for persistence and privilege escalation.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""Adding permissions to a snapshot might expose sensitive files that contain credentials, aiding in credential access.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Removing permissions from a snapshot can be used to hide or delete evidence of unauthorized access, aiding in defense evasion.""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""By modifying snapshot permissions, attackers can gain access to sensitive data stored within snapshots, aiding in data collection and exfiltration.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying permissions could impair security controls or defenses by granting unauthorized access to the snapshots, potentially containing security-related configurations, backups, or tools.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Modifying snapshot permissions could help attackers discover cloud accounts with access to the snapshot, aiding in further attacks.""}, {""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""If a snapshot contains OS-level files, attackers can use it to extract credentials, aiding in credential access.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Snapshots can be used to stage data locally for later exfiltration, aiding in data collection and exfiltration""}]" +ReplaceIamInstanceProfileAssociation,ec2.amazonaws.com,EC2,Replaces an IAM instance profile for the specified running instance.,TA0004 - Privilege Escalation,T1098 - Account 
Manipulation,T1098.003 - Account Manipulation: Additional Cloud Roles,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]",[],Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa""}]",https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation,"[{""technique"": ""T1548 - Abuse Elevation Control Mechanism"", ""reason"": ""By changing the IAM instance profile, an attacker can elevate the privileges of the EC2 instance, allowing it to perform actions that require higher permissions. This abuse of the role mechanism can be used to execute privileged commands.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""By altering the IAM instance profile, an attacker can modify the authentication process. This change could allow the instance to authenticate as a different role with different permissions, potentially bypassing security controls.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""An attacker might replace an IAM instance profile to remove certain access controls or permissions temporarily to perform specific actions without triggering alerts or restrictions. Additionally they might remove the instances from the contol of certain accounts to maybe evade detection. 
AN example would be to remove access from known cloud security tools.""}]" +RunInstances,ec2.amazonaws.com,EC2,Launches the specified number of instances using an AMI for which you have permissions.,"TA0003 - Persistence, TA0040 - Impact, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1021 - Remote Services",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""DXC spills AWS private keys on public GitHub"", ""link"": ""https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Clear and Uncommon Story About Overcoming Issues With AWS"", ""link"": ""https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/""}, {""description"": ""onelogin 2017 Security Incident"", ""link"": 
""https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Launching EC2 instances"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances""}]",https://aws.permissions.cloud/iam/ec2#ec2-RunInstances,"[{""technique"": ""T1133 - External Remote 
Services"", ""reason"": ""Adversaries can launch EC2 instances that can be remotely accessed via SSH, RDP, or other protocols, gaining an initial access point into the AWS environment or maintaining persistence.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Launching instances directly modifies the cloud compute infrastructure, which can be leveraged by adversaries to create a foothold, evade defenses, or escalate privileges.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Instances launched can be used to transfer malicious tools into the cloud environment, supporting various attack strategies. This is especally true if the instance is initiated with an malicious image.""}, {""technique"": ""T1570 - Lateral Tool Transfer"", ""reason"": ""New instances can facilitate the lateral movement of tools and malware across the cloud infrastructure, aiding in broader attack campaigns.""}]" +SendSerialConsoleSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance.,TA0008 - Lateral Movement,T1021 - Remote Services,T1021.004 - Remote Services: SSH,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],"Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": 
""N/A""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Once access is established, attackers can use the command and scripting interpreter to execute commands on the instance.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers may push their own SSH keys to the EC2 instances, effectively manipulating access control.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""After gaining access, attackers could disable security tools or logs to evade detection.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers may use legitimate commands and tools to mask their activities within the compromised instance""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""Exploiting the SSH access to execute further malicious code or scripts within the EC2 instance.""}, {""technique"": ""T1219 - Remote Access Software"", ""reason"": ""Using SSH as a remote access tool to maintain control over the compromised EC2 instance.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers may use or create local accounts on the EC2 instance to facilitate further access and actions.""}]" +SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,T1021.004 - Remote Services: SSH,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and 
Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey,"[{""technique"": ""T1021 - Remote Services"", ""reason"": ""Pushing an SSH public key to an EC2 instance allows remote access to the system over SSH. This API call enables secure communication and command execution on the instance, potentially giving adversaries the ability to interact with and control the system remotely.""}, {""technique"": ""T1136 - Create Account"", ""reason"": ""Pushing a new SSH key can be seen as creating a new means of access for a specific user, akin to account creation.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""The API call modifies the authentication state of an EC2 instance, part of cloud compute infrastructure.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Pushing a new key could be used to temporarily bypass defenses or monitoring on the instance.""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""An adversary can misuse the SendSSHPublicKey API to gain unauthorized access to an EC2 instance by injecting their SSH key. 
This allows them to control the instance remotely, leveraging legitimate remote services for malicious purposes.""}]" +SharedSnapshotCopyInitiated,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""M-Trends Report - 2020"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf""}, {""description"": ""Democratic National Committee hack"", ""link"": ""https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000""}]","[{""description"": ""Detecting exfiltration of EBS snapshots in AWS"", ""link"": ""https://twitter.com/christophetd/status/1574681313218506753""}]",SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",N/A,"[{""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""Copying a snapshot to another region or account over AWS services can be a form of exfiltration. 
Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download.""}]" +SharedSnapshotVolumeCreated,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""M-Trends Report - 2020"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf""}, {""description"": ""Democratic National Committee hack"", ""link"": ""https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000""}]","[{""description"": ""Detecting exfiltration of EBS snapshots in AWS"", ""link"": ""https://twitter.com/christophetd/status/1574681313218506753""}]",SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",N/A,"[{""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Adversaries might obfuscate the data within snapshots to avoid detection during transfer. 
This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download.""}]" +StartInstances,ec2.amazonaws.com,EC2,Starts an Amazon EBS-backed instance that you've previously stopped.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 start-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-StartInstances,"[{""technique"": ""T1036 - Masquerading"", ""reason"": ""Adversaries could rename stopped instances to appear legitimate and start them without raising alarms.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""Attackers might schedule tasks to 
automatically start stopped instances at certain times to execute malicious actions""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Once the instance is started, adversaries could transfer tools and malware to the instance for execution""}, {""technique"": ""T1219 - Remote Access Software"", ""reason"": ""Adversaries might start instances that have remote access tools installed to regain control over the environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Starting instances can impair defenses by creating new workloads that may not be monitored by existing security tools, enabling attackers to perform malicious activities without detection.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Attackers can directly use the StartInstances API call to manipulate the state of instances, aiding in persistence and execution of tasks.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Starting an instance can be used to stage data locally before exfiltration.""}]" +StopInstances,ec2.amazonaws.com,EC2,Stops an Amazon EBS-backed instance.,"TA0040 - Impact, TA0005 - Defense Evasion","T1499 - Endpoint Denial of Service, T1578 - Modify Cloud Compute Infrastructure",T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is 
started.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-StopInstances,"[{""technique"": ""T1565 - Data Manipulation"", ""reason"": ""Stopping an instance can be a precursor to manipulating the stored data, especially if the instance is hibernated and the memory contents are preserved but the disk is later modified.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Stopping instances can disable security monitoring tools and defenses running on those instances, hindering their ability to detect malicious activities.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Stopping an instance directly impacts availability and can be used as part of a larger attack to disrupt services.""}]" +TerminateInstances,ec2.amazonaws.com,EC2,"Shuts down the specified instances. 
This operation is idempotent; if you terminate an instance more than once, each call succeeds.","TA0040 - Impact, TA0005 - Defense Evasion","T1485 - Data Destruction, T1070 - Indicator Removal",T1070.004 - Indicator Removal: File Deletion,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Former Cisco engineer sentenced to prison for deleting 16k Webex accounts"", ""link"": ""https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances,"[{""technique"": ""T1489 - Service Stop"", ""reason"": ""Terminating instances disrupts the availability of services hosted on those instances.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Terminating instances can remove defensive tools installed on those instances""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Attackers might terminate instances to free up resources for other malicious activities.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The TerminateInstances API call can be a form of account manipulation when an attacker uses it to interfere with the normal operations of an account. 
By terminating instances, an attacker can disrupt services, remove evidence of their activities, and create obstacles for account recovery. This manipulation ensures that the attacker maintains control over the account\u00e2\u20ac\u2122s activities and resources.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Terminating critical instances can be a form of denial of service against specific endpoints or applications.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""If instance termination leads to data loss or corruption, it can be considered a form of data manipulation.""}, {""technique"": ""T1488 - Disk Wipe"", ""reason"": ""Terminating an instance with attached EBS volumes may result in wiping the data on those volumes if they are deleted as part of the termination process""}]" +CreateCluster,ecs.amazonaws.com,ECS,Creates a new Amazon ECS cluster.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs create-cluster --cluster-name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The creation of a new cluster could be part of 
manipulating accounts within AWS, enabling the attacker to maintain control or establish backdoor access.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""New ECS clusters can be configured to run tasks at scheduled intervals, which can be used to execute malicious activities regularly.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""An attacker might use the new ECS cluster to set up an external proxy, which can be used to relay commands and data, aiding in defense evasion and persistent access.""}, {""technique"": ""T1204 - User Execution"", ""reason"": ""Creating an ECS cluster to run container images, which might be malicious, facilitating execution of malicious code in the environment.""}, {""technique"": ""T1583 - Acquire Infrastructure"", ""reason"": ""Creating new ECS clusters is a form of acquiring infrastructure within AWS, which can be used to support further malicious activities.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""The cluster could be used to deploy obfuscated code or data, making it harder to detect malicious activities.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Creating a new ECS cluster modifies the cloud compute infrastructure, which can be leveraged for both execution and evasion purposes.""}, {""technique"": ""T1584 - Compromise Infrastructure"", ""reason"": ""Compromising cloud infrastructure to create ECS clusters enables attackers to establish control over resources. 
This can support further malicious activities, such as launching attacks or maintaining persistence in the environment.""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""An attacker might create a new ECS cluster to host services that exploit vulnerabilities in remote services for lateral movement or further attacks.""}]" +CreateService,ecs.amazonaws.com,ECS,Runs and maintains your desired number of tasks from a specified task definition.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],"Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition""}]",https://aws.permissions.cloud/iam/ecs#ecs-CreateService,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""By creating ECS services, adversaries can execute commands or scripts in the context of containers that run on Unix-based systems""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The AWS CreateService API call can be used to create tasks that modify authentication processes within a cloud environment.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Match Legitimate Name or Location: An adversary could create services with names that mimic legitimate services to avoid detection.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Malicious ECS tasks could communicate over common web protocols to blend in with normal network traffic.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Adversaries might set up a chain of ECS services to act as 
proxies, hiding their true location.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Adversaries might create services that deploy obfuscated scripts or binaries to evade detection.""}, {""technique"": ""T1046 - Network Service Discovery"", ""reason"": ""ECS tasks might be used to run discovery scripts to enumerate network services.""}, {""technique"": ""T1210 - Exploitation of Remote Services"", ""reason"": ""Adversaries might create services that exploit vulnerabilities in other services or tasks within the ECS cluster to gain unauthorized access or escalate privileges""}]" +RegisterTaskDefinition,ecs.amazonaws.com,ECS,Registers a new task definition from the supplied family and containerDefinitions.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\""name\"":\""bench-container\"", \""cpu\"":2048, \""memory\"":4092 }]'""}]",https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition,"[{""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""Registering a task definition can be leveraged to create scheduled tasks within ECS, allowing for persistence and automated execution of malicious tasks.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Task definitions could be used to download and execute additional tools or scripts from external sources""}, {""technique"": ""T1562 - Impair Defenses"", 
""reason"": ""ECS tasks can be configured to disable or modify security tools within the container environment, aiding in defense evasion.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The task definitions can contain Unix shell commands, facilitating execution of malicious scripts or commands.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Malicious task definitions can be disguised as legitimate ones to evade detection and blend in with normal operations""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Container definitions within ECS can include obfuscated or packed scripts and binaries, making detection harder.""}]" +DeleteFileSystem,elasticfilesystem.amazonaws.com,elasticfilesystem,"Deletes a file system, permanently severing access to its contents.",TA0040 - Impact,T1485 - Data Destruction,,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-file-system --file-system-id fs-c7a0456e""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting an EFS file system removes all its contents, including logs and other forensic evidence, effectively erasing any indicators of malicious activity. This action helps attackers avoid detection by eliminating traces of their presence in the environment.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""Deleting an EFS file system alters the state of stored data by permanently removing it. 
This can disrupt operations and affect data integrity, making it a significant form of data manipulation.""}, {""technique"": ""T1107 - File Deletion"", ""reason"": ""File deletion focuses on the removal of files to impact data availability or to hide malicious activity. Deleting a file system in AWS EFS results in the removal of all files and directories within that file system.""}]" +DeleteMountTarget,elasticfilesystem.amazonaws.com,elasticfilesystem,Deletes the specified mount target.,TA0040 - Impact,T1485 - Data Destruction,,False,[],"[{""description"": ""AWS EFS File System or Mount Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html""}]","Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws efs delete-mount-target --mount-target-id fsmt-f9a14450""}]",https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Removing a mount target may disrupt monitoring or defense mechanisms that rely on the file system for logging or other security functions.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By deleting the mount target and the associated network interface, traces and logs of malicious activity stored on the file system may be removed, aiding in defense evasion.""}]" +AssociateAccessPolicy,eks.amazonaws.com,EKS,Associates an access policy and its scope to an access entry.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": 
""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks associate-access-policy --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster""}]",https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By associating an access policy, attackers can use legitimate credentials to access the system, either by modifying existing ones or changing permissions.""}, {""technique"": ""T1543 - Create or Modify System Process"", ""reason"": ""Associating an access policy can be used to modify the permissions of processes within the EKS environment, ensuring the attacker retains control or gains elevated privileges for their processes.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Associating access policies can assist attackers in evading detection by allowing them to remove or alter logs and other indicators that track account and permission changes, thereby obscuring their activities.""}, {""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""Modifying access policies might allow attackers to gain access to sensitive areas of the system where they can extract credentials.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Associating new access policies can help attackers use application layer protocols more effectively to communicate with compromised systems, especially if these policies grant access to necessary network services.""}]" +CreateAccessEntry,eks.amazonaws.com,EKS,Creates an access entry.,TA0004 - Privilege Escalation,T1098 - Account 
Manipulation,,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Creating an access entry for an IAM principal can establish valid credentials that can be used for access.""}]" +DescribeAccessEntry,eks.amazonaws.com,EKS,Describes an access entry.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry,"[{""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The DescribeAccessEntry API call can be used to identify access permissions and configurations within the EKS service, revealing which cloud services are in use. 
This information helps attackers understand the cloud environment and potential targets.""}, {""technique"": ""T1587 - Develop Capabilities"", ""reason"": ""Access information can aid in developing tailored malware that exploits specific permissions or configurations discovered within EKS.""}]" +DescribeCluster,eks.amazonaws.com,EKS,Describes an Amazon EKS cluster.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]",Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.,[],"[{""type"": ""commandLine"", ""value"": ""aws eks describe-cluster --name TrailDiscoverCluster""}]",https://aws.permissions.cloud/iam/eks#eks-DescribeCluster,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Information from DescribeCluster can reveal IAM roles and identities associated with the cluster, aiding in the discovery of accounts.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""The DescribeCluster call might include details about Kubernetes RBAC roles and permissions, helping to discover privilege groups.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The DescribeCluster API reveals extensive system information about the EKS cluster, such as Kubernetes version, endpoint, and VPC configuration, aiding in system information discovery.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""The DescribeCluster call can provide insights into how the cluster is integrated with other AWS services and trust relationships, such as IAM roles and policies""}]" +ListAssociatedAccessPolicies,eks.amazonaws.com,EKS,Lists the access policies associated with an access entry.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""New attack vectors 
in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies,"[{""technique"": ""T1087 - Account Discovery - Cloud Account"", ""reason"": ""Listing associated access policies allows adversaries to discover the cloud accounts associated with those policies, identifying potential targets""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By listing the access policies, adversaries can discern the permission groups within the EKS cluster, aiding in understanding the permissions and roles configured.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Listing access policies helps map out the services and permissions in use, aiding in reconnaissance efforts to identify potential targets and vulnerabilities.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""By listing associated access policies, adversaries might identify misconfigurations or unsecured credentials that can be exploited to gain further access.""}]" +ListClusters,eks.amazonaws.com,EKS,Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}]","Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint 
potential targets for subsequent attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws eks list-clusters""}]",https://aws.permissions.cloud/iam/eks#eks-ListClusters,"[{""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""Listing EKS clusters helps adversaries understand the cloud services being used and their configurations.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By listing clusters, attackers can infer the structure and number of accounts that manage these resources.""}, {""technique"": ""T1135 - Network Share Discovery"", ""reason"": ""Knowing the clusters can help adversaries understand shared network resources within the EKS environment.""}, {""technique"": ""T1007 - Network Service Scanning"", ""reason"": ""Identifying clusters can help adversaries in mapping the network services exposed by these clusters.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""Identifying clusters helps in understanding the internal network architecture and relationships.""}]" +CreateRule,elasticloadbalancing.amazonaws.com,ELBv2,Creates a rule for the specified listener.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions 
'[{}]'""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule,"[{""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""By creating a malicious rule that directs traffic to a compromised endpoint, an attacker could exploit vulnerabilities in client applications to execute malicious code.""}, {""technique"": ""T1190 - Exploit Public-Facing Application"", ""reason"": ""By modifying or creating new rules, an attacker could exploit vulnerabilities in the public-facing application load balancer to gain initial access.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Creating rules that redirect traffic to malicious servers using HTTP/S or mail protocols for command and control communication.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Rules could be used to disable security controls or modify traffic patterns to evade detection tools and logs.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Rules can be set to allow the transfer of malicious tools or payloads through the load balancer to a compromised system.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Attackers can create rules that handle or route traffic in a manner that uses encoded or obfuscated data. 
This can include routing traffic to endpoints that encrypt the data payloads or encode commands to be less conspicuous""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Rules could be used to route traffic in ways that delete or bypass log files to avoid detection.""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""Creating rules that direct traffic to perform unauthorized actions like cryptocurrency mining or other forms of resource hijacking.""}]" +DescribeListeners,elasticloadbalancing.amazonaws.com,ELBv2,"Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.",TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 describe-listeners""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""By describing listeners, an adversary could identify configurations and attributes related to the load balancer, which may include discovering IAM roles or users with specific permissions.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Describing listeners provides details about the services exposed by the load balancer, which helps in scanning and understanding the network topology.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Querying listener details can reveal information about the permissions and roles associated with the load balancer, providing insight into group policies.""}, {""technique"": ""T1071 
- Application Layer Protocol"", ""reason"": ""Load balancers typically handle various application layer protocols, and knowing listener configurations can assist in crafting command and control channels over allowed protocols.""}]" +DescribeLoadBalancers,elasticloadbalancing.amazonaws.com,ELBv2,Describes the specified load balancers or all of your load balancers.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""The DescribeLoadBalancers API call directly provides information about the cloud infrastructure, specifically the load balancers, which can be used to understand the deployment and configurations of network resources in the cloud.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""Describing load balancers allows an adversary to obtain details on how network traffic is managed and routed within the cloud environment. 
This information can reveal critical network components and their configurations.""}, {""technique"": ""T1046 - Network Service Discovery"", ""reason"": ""Describing load balancers can reveal the network services that are being managed by these load balancers, including ports, protocols, and the IP ranges used, which are crucial for understanding the network service layout.""}, {""technique"": ""T1133 - External Remote Services"", ""reason"": ""Load balancers often manage external access to services. By describing them, an adversary can identify the external endpoints and understand how remote services are being accessed and managed.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""The DescribeLoadBalancers API call can provide information on how load balancers are configured across different domains, revealing trust relationships and how traffic is managed between different parts of the network.""}]" +DeleteRule,events.amazonaws.com,events,Deletes the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",,False,[],"[{""description"": ""AWS EventBridge Rule Disabled or Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html""}, {""description"": ""AWS EventBridge rule disabled or deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/""}]","Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.",[],"[{""type"": ""commandLine"", ""value"": ""aws events delete-rule --name TrailDiscoverRule""}]",https://aws.permissions.cloud/iam/events#events-DeleteRule,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By deleting a rule, attackers can remove evidence of malicious activity.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": 
""Attackers might delete rules to alter the behavior of scheduled tasks, maintaining persistence. By manipulating accounts and associated rules, they ensure their malicious processes can run without interruption or detection.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Deleting rules can weaken security monitoring by removing triggers that would generate alerts, effectively blinding security teams to ongoing malicious activities. This action allows attackers to operate with reduced risk of detection, making further exploitation easier.""}]" +DisableRule,events.amazonaws.com,events,Disables the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",,False,[],"[{""description"": ""AWS EventBridge Rule Disabled or Deleted"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html""}, {""description"": ""AWS EventBridge rule disabled or deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/""}]","Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.",[],"[{""type"": ""commandLine"", ""value"": ""aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus""}]",https://aws.permissions.cloud/iam/events#events-DisableRule,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Disabling a rule can be used to impair defenses by preventing the triggering of certain automated responses or detections.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""T1531 - Account Access Removal""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Disabling a rule can be a part of removing evidence of the attack by stopping logging and monitoring for certain activities, which helps in evading detection.""}]" 
+ListRules,events.amazonaws.com,events,Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.",[],"[{""type"": ""commandLine"", ""value"": ""aws events list-rules --name-prefix TrailDiscover""}]",https://aws.permissions.cloud/iam/events#events-ListRules,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By using ListRules to view the configuration of EventBridge rules, an adversary gains understanding of the event-driven workflows and integrations within the target's AWS environment. This can reveal insights into operational processes and potential areas for deeper exploration or exploitation.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing rules helps attackers understand what events are being monitored, giving insight into the environment.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By examining the conditions and targets of EventBridge rules, attackers can infer the roles and permissions required to trigger these rules, which might provide insights into permission configurations and potential privilege escalation paths.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Identifying EventBridge rules can help attackers understand the configuration and interconnectivity of remote systems and services in the environment.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""Listing rules may reveal integrations and trust relationships with other domains or AWS accounts, aiding in 
the mapping of domain trust paths.""}]" +ListTargetsByRule,events.amazonaws.com,events,Lists the targets assigned to the specified rule.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.",[],"[{""type"": ""commandLine"", ""value"": ""aws events list-targets-by-rule --rule TrailDiscoverRule""}]",https://aws.permissions.cloud/iam/events#events-ListTargetsByRule,"[{""technique"": ""T1007 - System Service Discovery"", ""reason"": ""Attackers can use this API call to discover information about targets assigned to specific rules within the AWS EventBridge service, providing insights into potentially vulnerable or interesting systems.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By listing targets assigned to rules, an attacker can gather information about AWS accounts and their configurations, aiding in understanding the environment and potential attack paths.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""Understanding the targets associated with EventBridge rules allows an attacker to potentially identify network services that could be targeted for further exploration or exploitation.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""The API call provides information about remote systems (AWS resources) that are targeted by specific rules, aiding attackers in identifying potential entry points into the environment.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Listing targets by rule in EventBridge can reveal details about the users or roles associated with those resources. 
This information helps attackers identify key personnel or accounts with access, aiding in targeted attacks or privilege escalation efforts.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""The ListTargetsByRule call can be used to discover the targets (potentially processes or functions) that are triggered by specific CloudWatch rules, helping attackers understand what processes might be running in the environment.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By understanding the targets associated with specific rules, attackers might infer the existence of certain IAM roles or accounts that have the permissions to execute these targets.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By listing the targets of rules, attackers can identify which resources and permissions are associated with specific rules, aiding in understanding the permission structures.""}]" +PutRule,events.amazonaws.com,events,Creates or updates the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion, TA0003 - Persistence","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure, T1546 - Event Triggered Execution",,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.",[],"[{""type"": ""commandLine"", ""value"": ""aws events put-rule --name TrailDiscoverRule --schedule-expression 'rate(5 minutes)' --state ENABLED --description \""TrailDiscover 
rule\""""}]",https://aws.permissions.cloud/iam/events#events-PutRule,"[{""technique"": ""T1205 - Traffic Signaling"", ""reason"": ""EventBridge rules can be configured to trigger signals that facilitate command and control communication, masking malicious traffic as legitimate event triggers.""}, {""technique"": ""T1053 - Scheduled Task/Job: Scheduled Task"", ""reason"": ""Creating or updating EventBridge rules can schedule tasks or jobs that perform malicious activities without user intervention.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By manipulating EventBridge rules, attackers can potentially alter the flow of logs and events to hide their activities.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By updating EventBridge rules, attackers can disable or modify security tools and alerts, impairing defenses and ensuring continued access.""}]" +PutTargets,events.amazonaws.com,events,"Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.",TA0003 - Persistence,T1546 - Event Triggered Execution,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.,[],"[{""type"": ""commandLine"", ""value"": ""aws events put-targets --rule TrailDiscoverLambdaFunction --targets \""Id\""=\""1\"",\""Arn\""=\""arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\""""}]",https://aws.permissions.cloud/iam/events#events-PutTargets,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""An attacker could 
add a target that executes a script or command interpreter, allowing for arbitrary command execution""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""The attacker could configure targets that download and execute malicious tools, facilitating further exploitation.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""If targets are added to an event rule to trigger actions like archiving (e.g., invoking a Lambda function to zip and store data in an S3 bucket), this can be used to collect and prepare data for later exfiltration.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""The attacker could configure targets to delete logs or other indicators of compromise upon execution, aiding in defense evasion""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""An attacker could create or modify a target to execute a particular payload or exploit code on services that are automatically triggered by the event, which might lead to exploiting client applications or services.""}]" +RemoveTargets,events.amazonaws.com,events,Removes the specified targets from the specified rule.,"TA0040 - Impact, TA0005 - Defense Evasion","T1489 - Service Stop, T1578 - Modify Cloud Compute Infrastructure",,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.",[],"[{""type"": ""commandLine"", ""value"": ""aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId""}]",https://aws.permissions.cloud/iam/events#events-RemoveTargets,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Manipulating EventBridge rules by removing targets can alter the capabilities and behaviors of accounts without directly 
deleting them.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Removing security monitoring targets from EventBridge rules can impair defenses by preventing certain security actions from being triggered.""}]" +CreateDevEndpoint,glue.amazonaws.com,Glue,Creates a new development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint,"[{""technique"": ""T1133 - External Remote Services"", ""reason"": ""Development endpoints can be accessed remotely, providing a vector for persistent remote access by attackers.""}]" +CreateJob,glue.amazonaws.com,Glue,Creates a new job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\""--job-language\"": \""python\""}'""}]",https://aws.permissions.cloud/iam/glue#glue-CreateJob,"[{""technique"": ""T1059 - Command and 
Scripting Interpreter"", ""reason"": ""Glue jobs can be defined to execute Python scripts for various data manipulation tasks.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Glue jobs can be used to collect, compress, and store large datasets, which can later be exfiltrated.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Job definitions may include obfuscated scripts or commands to avoid detection.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Glue jobs can be configured to stage data in S3 buckets, making it easier for exfiltration.""}, {""technique"": ""T1083 - File and Directory Discovery"", ""reason"": ""Glue jobs can be scripted to discover and list files and directories in S3 or other storage services.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Glue jobs might be used to exfiltrate data using DNS queries, a method that can bypass some network monitoring tools. Python or Java jobs are extremely likely to do this. 
Glue jobs can send data over HTTP/S, facilitating communication with external servers for command and control or exfiltration""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Glue jobs can be created to download and execute additional scripts or tools from external sources.""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""Data processed by Glue jobs can be moved to external cloud storage for exfiltration purposes.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""Glue jobs might access files containing credentials, which can then be exfiltrated.""}]" +UpdateDevEndpoint,glue.amazonaws.com,Glue,Updates a specified development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue update-dev-endpoint --endpoint-name TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Glue allows the use of Python scripts - updating the endpoint could change the scripts to execute arbitrary code directly in the development environment.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Adversaries may update the endpoint to include scripts that delete logs or other files, helping to evade detection.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Updates could involve obfuscated scripts or configurations to hide 
malicious code and evade detection mechanisms""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Adversaries could update the endpoint to masquerade malicious activities as legitimate by matching names or locations.""}]" +UpdateJob,glue.amazonaws.com,Glue,Updates an existing job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws glue update-job --job-name TrailDiscoverJob --job-update '{\""Role\"": \""TrailDiscoverRole\"", \""Command\"": {\""Name\"": \""glueetl\"", \""ScriptLocation\"": \""s3://mybucket/myscript.py\""}}'""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateJob,"[{""technique"": ""T1036 - Masquerading"", ""reason"": ""Adversaries can modify the job definition to make the job appear legitimate, effectively hiding malicious activities within a seemingly benign job.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Updating a job definition can include instructions to remove or alter logs and other artifacts, helping adversaries evade detection.""}, {""technique"": ""T1480 - Execution Guardrails"", ""reason"": ""Adversaries can update the job definition to include specific conditions or constraints, ensuring the job only executes under certain circumstances, which helps in evading detection.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""Adversaries can alter the job definition to manipulate data processed by the Glue job, affecting the integrity and outcome of the data workflows.""}, {""technique"": ""T1496 - Resource Hijacking"", ""reason"": ""By altering job definitions, adversaries can repurpose AWS Glue jobs for their own computational needs, 
impacting the resource allocation of the environment.""}]" +CreateFilter,guardduty.amazonaws.com,GuardDuty,Creates a filter using the specified finding criteria.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\""Criterion\"": {\""service.action.actionType\"": {\""Eq\"": [\""TrailDiscover\""]}}}' --action NOOP""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter,[] +CreateIPSet,guardduty.amazonaws.com,GuardDuty,"Creates a new IPSet, which is called a trusted IP list in the console user interface.",TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Adding an IP address to a trusted list effectively removes the monitoring of network traffic and activities 
associated with that IP, making it undetectable by GuardDuty, similar to how indicator removal hides evidence of malicious activity.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Adversaries may use a proxy to route their traffic through trusted IP addresses added to the IPSet, thereby evading detection and maintaining persistence.""}]" +DeleteDetector,guardduty.amazonaws.com,GuardDuty,Deletes an Amazon GuardDuty detector that is specified by the detector ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS GuardDuty detector deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/""}, {""description"": ""AWS GuardDuty Evasion"", ""link"": ""https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting the GuardDuty detector can be part of a larger strategy to destroy or manipulate security configurations and logs, impacting the integrity of the security monitoring system.""}]" 
+DeleteInvitations,guardduty.amazonaws.com,GuardDuty,Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,"T1562.001 - Impair Defenses: Disable or Modify Tools, T1562.006 - Impair Defenses: Indicator Blocking",True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]",[],"Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-invitations --account-ids 111222333444""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting GuardDuty invitations can be seen as a form of defense evasion by removing traces of an invitation that might otherwise be used for investigative purposes. Invitations could be used by security teams to track and verify legitimate connections between AWS accounts. 
By removing these invitations, the adversary might prevent the detection of unauthorized or suspicious account activities.""}]" +DeleteMembers,guardduty.amazonaws.com,GuardDuty,Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting GuardDuty member accounts can prevent legitimate accounts from getting data from member accounts, thus disrupting monitoring and security alerts.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By deleting member accounts, logs and other related files might be purged or altered, aiding in hiding the malicious activities.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Deleting GuardDuty member accounts involves altering account configurations, potentially changing access controls or permissions. 
This action can disrupt security monitoring and allow unauthorized activities to go undetected.""}]" +DeletePublishingDestination,guardduty.amazonaws.com,GuardDuty,Deletes the publishing definition with the specified destinationId.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination,"[{""technique"": ""T1565 - Data Manipulation"", ""reason"": ""By deleting the publishing destination, critical security findings are not reported, which can be seen as manipulating the availability of security data and hindering incident response efforts.""}]" +DisassociateFromMasterAccount,guardduty.amazonaws.com,GuardDuty,Disassociates the current GuardDuty member account from its administrator account.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty disassociate-from-master-account --detector-id 
TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""This involves actions taken to manipulate accounts to maintain access or evade detection. Disassociating the GuardDuty member account from its master account can be seen as a form of account manipulation to avoid centralized logging and monitoring.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Disassociating from the master account effectively removes the centralized management and monitoring capabilities, making it harder to regain control or visibility over the account.""}]" +DisassociateMembers,guardduty.amazonaws.com,GuardDuty,Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By disassociating member accounts, an adversary could remove access to GuardDuty for specific accounts, reducing the ability to detect and respond to malicious activities.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Disassociating member accounts might effectively stop the GuardDuty service from monitoring those accounts, similar to stopping a security service to avoid detection.""}]" 
+GetDetector,guardduty.amazonaws.com,GuardDuty,Retrieves an Amazon GuardDuty detector specified by the detectorId.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Retrieving a GuardDuty detector provides information about the security monitoring and configurations in the AWS environment.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Accessing the GuardDuty detector can give insights into the cloud infrastructure setup and the security measures in place.""}]" +GetFindings,guardduty.amazonaws.com,GuardDuty,Returns a list of findings that match the specified criteria.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings,"[{""technique"": ""T1057 - Process Discovery"", ""reason"": ""Adversaries can use the findings to discover details about processes running on compromised instances, aiding them in identifying and targeting specific processes for further exploitation.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""An adversary can 
identify findings that indicate automated data exfiltration activities, allowing them to understand what methods were detected and possibly refine their tactics.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Analyzing findings can help adversaries discover details about the cloud infrastructure, such as the types of resources and their configurations, aiding in planning further attacks.""}]" +ListDetectors,guardduty.amazonaws.com,GuardDuty,Lists detectorIds of all the existing Amazon GuardDuty detector resources.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-detectors""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Knowledge of detector IDs can guide attackers in identifying monitored versus unmonitored cloud assets, facilitating targeted reconnaissance on less protected resources.""}]" +ListFindings,guardduty.amazonaws.com,GuardDuty,Lists GuardDuty findings for the specified detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", 
""value"": ""aws guardduty list-findings --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings,"[{""technique"": ""T1057 - Process Discovery"", ""reason"": ""By retrieving and analyzing finding IDs, attackers can discover details about processes associated with GuardDuty findings, helping them understand which processes were flagged and why.""}]" +ListIPSets,guardduty.amazonaws.com,GuardDuty,Lists the IPSets of the GuardDuty service specified by the detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListIPSets to identify what IPs won't generate an alert.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets,"[{""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""Listing IPSets provides insights into the network's structure and the external IPs that are considered trusted or monitored. This information is crucial for attackers to map out the network and plan their actions accordingly.""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""By accessing the list of IPSets, attackers can understand the network configuration, including which IP addresses are allowed or blocked. 
This helps in identifying potential weak points or entry points into the network.""}]" +StopMonitoringMembers,guardduty.amazonaws.com,GuardDuty,Stops GuardDuty monitoring for the specified member accounts.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use StopMonitoringMembers to halt the surveillance of specific AWS accounts, reducing security visibility.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers,"[{""technique"": ""T1489 - Service Stop"", ""reason"": ""Stopping GuardDuty monitoring is an example of halting a service, which can impact the overall security monitoring and incident response capabilities.""}]" +UpdateDetector,guardduty.amazonaws.com,GuardDuty,Updates the GuardDuty detector specified by the detectorId.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""An attacker may update the GuardDuty detector to avoid detection by altering or hiding security logs and alarms""}]" 
+UpdateIPSet,guardduty.amazonaws.com,GuardDuty,Updates the IPSet specified by the IPSet ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]","Attackers might use UpdateIPSet to modify the IP address filters, potentially allowing malicious traffic to bypass detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateIPSet,"[{""technique"": ""T1070.004 - Indicator Removal"", ""reason"": ""Modifying an IPSet can remove IPs that would otherwise generate security findings, thus evading detection.""}]" +AddRoleToInstanceProfile,iam.amazonaws.com,IAM,Adds the specified IAM role to the specified instance profile.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,T1098.001 - Account Manipulation: Additional Cloud Credentials,False,[],"[{""description"": ""Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)"", ""link"": ""https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5""}]",Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile,"[{""technique"": ""T1068 - Exploitation for Privilege Escalation"", ""reason"": "" - Exploitation for Privilege Escalation""}]" +AddUserToGroup,iam.amazonaws.com,IAM,Adds the specified user to the specified group.,TA0004 - Privilege Escalation,T1098 - Account 
Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adding a user to a group with elevated permissions can allow the user to maintain access to the AWS environment with legitimate credentials.""}]" +AttachGroupPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By attaching a policy to a group, an adversary can ensure that even if certain accounts are revoked, the group as a whole still retains the permissions.""}]" +AttachRolePolicy,iam.amazonaws.com,IAM,"Attaches the specified managed policy to the specified IAM role. 
When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attaching policies with permissions that affect logging or monitoring tools can be used to evade detection by modifying the environment to reduce visibility.""}]" +AttachUserPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the 
new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}]",https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy,"[{""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""By attaching a policy, an adversary can alter the authentication process, potentially bypassing multi-factor authentication (MFA) or other security measures.""}]" +ChangePassword,iam.amazonaws.com,IAM,Changes the password of the IAM user who is calling this operation.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts",,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""IAM User Changes Alarm"", ""link"": ""https://asecure.cloud/a/cwalarm_iam_user_changes/""}]",Attackers might use ChangePassword to alter user credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam change-password --old-password TrailDiscover 
--new-password TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ChangePassword,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Changing the password of an IAM user can be used to maintain access to an account, thus manipulating account credentials.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Changing the password modifies the authentication process for the IAM user, which can be a method to evade detection.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""An attacker might change a password to lock out the legitimate user, removing their access.""}]" +CreateAccessKey,iam.amazonaws.com,IAM,Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts","T1078.004 - Valid Accounts: Cloud Accounts, T1136.003 - Create Account: Cloud Account",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": 
""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-access-key --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""New keys can be used for account manipulation activities, providing additional or unauthorized access.""}]" +CreateGroup,iam.amazonaws.com,IAM,Creates a new group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM 
Group Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html""}]",Attackers use CreateGroup to create a group that they can use to escalate privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-group --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-CreateGroup,"[{""technique"": ""T1036 - Masquerading"", ""reason"": ""Creating a new group with a name similar to existing groups can help attackers blend in and avoid detection""}]" +CreateLoginProfile,iam.amazonaws.com,IAM,Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1098 - Account Manipulation, T1078 - Valid Accounts","T1078.004 - Valid Accounts: Cloud Accounts, T1078.001 - Valid Accounts: Local Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": 
""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile,"[{""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The CreateLoginProfile API call can be used to set a new password for an existing IAM user, effectively modifying the authentication process for that user.""}]" +CreateOpenIDConnectProvider,iam.amazonaws.com,IAM,Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC),TA0003 - Persistence,T1136 - Create Account,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateOpenIDConnectProvider to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-open-id-connect-provider --cli-input-json '{\""Url\"": 
\""https://server.example.com\"",\""ClientIDList\"": [\""example-application-ID\""],\""ThumbprintList\"": [\""c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\""]}'""}]",https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Creating an OpenID Connect Provider can be used to generate valid credentials that can be exploited for persistent access""}, {""technique"": ""T1136 - Create Account"", ""reason"": ""Establishing new accounts or providers in the IAM can assist in maintaining access over time""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Adjusting authentication settings to include a new provider can bypass certain security measures.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Creating and managing new accounts or providers can lead to manipulation of permissions and roles.""}]" +CreatePolicyVersion,iam.amazonaws.com,IAM,Creates a new version of the specified managed policy.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By altering IAM policies, attackers can remove access for legitimate users, ensuring only malicious actors maintain control.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""By altering 
permissions with a new policy version, an attacker could restrict or stop critical services within an AWS environment.""}]" +CreateRole,iam.amazonaws.com,IAM,Creates a new role for your AWS account.,TA0003 - Persistence,T1136 - Create Account,,True,"[{""description"": ""Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet"", ""link"": ""https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf""}, {""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-CreateRole,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers might create a new role to maintain access or elevate privileges within the environment.""}]" +CreateSAMLProvider,iam.amazonaws.com,IAM,Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.,TA0003 - Persistence,T1136 - Create Account,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use CreateSAMLProvider to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": "" Creating a SAML provider can 
lead to the creation and use of valid credentials, allowing the adversary to maintain persistence.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The creation of a SAML provider involves the manipulation of account settings to allow federated authentication, which can be used by adversaries to maintain access and evade detection.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The creation of a SAML provider could be used to modify the authentication process, allowing adversaries to authenticate as different users within the AWS environment.""}]" +StartSSO,sso.amazonaws.com,SSO,Initialize AWS IAM Identity Center,TA0003 - Persistence,T1136 - Create Account,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use StartSSO to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sso#sso-StartSSO,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""By starting SSO, an adversary can manipulate IAM user accounts, adding or modifying permissions to maintain persistent access.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Use of valid SSO credentials can help adversaries gain access to various services and resources without raising alarms.""}]" +CreateUser,iam.amazonaws.com,IAM,Creates a new IAM user for your AWS account.,TA0003 - Persistence,T1136 - Create Account,T1136.001 - Create Account: Local Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Responding to an attack 
in AWS"", ""link"": ""https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Exposed long-lived access key resulted in unauthorized access"", ""link"": ""https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""Sendtech Pte. 
Ltd"", ""link"": ""https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""Creating a new IAM user"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges within AWS environments by creating new IAM users with strategic permissions.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-user --user-name TrailDiscover""}, {""type"": 
""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateUser,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Adversaries may create new IAM users to manipulate accounts for continuous access or privilege escalation.""}]"
+DeactivateMFADevice,iam.amazonaws.com,IAM,Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.,TA0005 - Defense Evasion,T1562 - Impair Defenses,T1562.001 - Impair Defenses: Disable or Modify Tools,False,[],"[{""description"": ""AWS IAM Deactivation of MFA Device"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html""}]","Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice""}]",https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice,"[{""technique"": ""T1586 - Compromise Accounts"", ""reason"": ""Deactivating MFA might be part of an account compromise if the attacker knows the password but has no access to the MFA. 
By disabling the MFA the attacker will be able to compromise the account.""}]"
+DeleteAccessKey,iam.amazonaws.com,IAM,Deletes the access key pair associated with the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting the access key pair is a direct method to remove access credentials, which aligns with the technique of account access removal.""}]"
+DeleteLoginProfile,iam.amazonaws.com,IAM,Deletes the password for the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. 
Also, it might be used to delete a previously added profile to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-login-profile --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The deletion of a login profile is a form of account manipulation, altering the state of an IAM user account to possibly favor continued unauthorized access through other means like access keys or roles""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By deleting the login profile, an attacker can remove a user's ability to log in with a password, thus removing an access method that might be used for legitimate purposes or incident response, aiding in persistence and defense evasion.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Removing the password of an IAM user modifies the way that user can authenticate, potentially replacing it with a method controlled by the attacker, facilitating unauthorized access while evading detection.""}]"
+DeleteRolePermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-permissions-boundary --role-name trail-discover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Removing permissions boundaries can weaken the security posture by reducing the effectiveness of policies designed to limit role actions.""}, {""technique"": ""T1068 - Exploitation 
for Privilege Escalation"", ""reason"": ""Removing permissions boundaries may be used as part of exploiting a misconfiguration to gain elevated privileges.""}]"
+DeleteRolePolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting inline policies from IAM roles can remove critical permissions, effectively locking out legitimate users or restricting their access. 
This action can hinder incident response and obscure the attacker's presence in the environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By deleting IAM role policies, an attacker could impair security tools that rely on those policies for correct operation, effectively reducing the efficacy of security defenses.""}]"
+DeleteUser,iam.amazonaws.com,IAM,Deletes the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. Also, it can be used to delete previously used users to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUser,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting a user account immediately revokes all permissions and access rights associated with that IAM user, disrupting access to critical resources. This action can prevent legitimate users from performing essential tasks, effectively halting operations and response efforts.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": "" The deletion of an IAM user can be part of a deliberate attempt to destroy data or disrupt normal operations. Users often have associated data, policies, and access controls that, when removed, can result in data loss or corruption. 
""}]"
+DeleteUserPermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM user.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-permissions-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Compromised cloud accounts can be manipulated by deleting permissions boundaries, giving adversaries increased permissions to execute further malicious activities.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Deleting the permissions boundary could be part of a broader strategy to disable or modify security tools or settings to avoid detection.""}]"
+DeleteUserPolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Removing a policy from an IAM user could be a step to disable access for an account, which aligns with tactics for impact.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Removing policies can help adversaries to evade detection and persist in the environment by modifying account permissions.""}]"
+DetachRolePolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified role.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By detaching policies from roles, attackers can invalidate certain permissions, reducing the risk of detection while using compromised accounts.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": 
""By detaching policies, attackers can remove access permissions, disrupting legitimate user operations and evading detection.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Removing policies can be part of a strategy to clean up indicators of malicious activity on the account, aiding in defense evasion.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Detaching policies may impair security configurations, reducing the ability of the environment to detect or prevent further malicious activities.""}]"
+DetachUserPolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Detaching a policy can be used as a way to remove or limit access to critical accounts, impacting operational capabilities.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Security controls relying on certain policies may be disabled or impaired when those policies are detached.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", 
""reason"": ""By removing critical policies, the attacker can cause a denial of service for endpoints relying on those permissions to function properly.""}]"
+GetAccountAuthorizationDetails,iam.amazonaws.com,IAM,"Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,False,[],"[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]","Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-account-authorization-details""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By retrieving information on IAM groups and their policies, attackers can understand the permissions associated with each group. 
This information is useful for identifying which groups have elevated privileges.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""If an adversary gains access to this information, they can identify valid accounts within the AWS environment, aiding in furthering access or compromising specific accounts.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By gathering detailed information on IAM roles and policies, attackers can map out the cloud infrastructure, understand the hierarchy and relationships between resources, and identify potential weaknesses or entry points.""}]"
+GetLoginProfile,iam.amazonaws.com,IAM,Retrieves the user name for the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam get-login-profile --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Retrieving IAM user details can help attackers understand the structure and users within the cloud infrastructure.""}]"
+GetUser,iam.amazonaws.com,IAM,"Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use GetUser to obtain user information.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetUser,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access.""}]"
+ListAccessKeys,iam.amazonaws.com,IAM,Returns information about the access key IDs associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]",[],Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-access-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys,"[{""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""Access key information can reveal details about the IAM user's identity, such as their role and permissions, which can be valuable for planning further 
attacks.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By listing access keys, attackers can identify existing cloud infrastructure accounts and keys, revealing how the cloud environment is structured.""}]"
+ListAttachedRolePolicies,iam.amazonaws.com,IAM,Lists all managed policies that are attached to the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-attached-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""By listing attached role policies, attackers can understand the permissions associated with specific roles, which is essential for discovering permission groups within a cloud environment.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""Listing attached role policies reveals the configuration and permissions of cloud services tied to specific roles. 
This information helps attackers map out the cloud environment and identify potential targets for further exploitation.""}]"
+ListGroups,iam.amazonaws.com,IAM,Lists the IAM groups that have the specified path prefix.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroups,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Listing IAM groups helps identify the permission groups within an AWS environment, which is crucial for understanding the access levels and privileges assigned to different users.""}]"
+ListGroupsForUser,iam.amazonaws.com,IAM,Lists the IAM groups that the specified IAM user belongs to.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups-for-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser,"[{""technique"": ""T1069 - Permission Group Discovery"", ""reason"": ""By listing the groups for a user, adversaries can identify the permissions associated with different IAM groups and plan further actions based on the discovered 
roles and policies.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Information about user groups can be utilized by adversaries to infer the types of processes and operations a user can perform, aiding in planning subsequent steps of an attack.""}]"
+ListInstanceProfiles,iam.amazonaws.com,IAM,"Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-instance-profiles""}]",https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""The ListInstanceProfiles API call provides details about instance profiles and their associated IAM roles, helping an attacker map out the cloud infrastructure. 
Understanding the roles in use aids in identifying potential targets for further exploitation or privilege escalation.""}, {""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""The API call can help gather information about the identities and roles within the AWS environment, which could be used for further attacks or social engineering.""}]"
+ListOpenIDConnectProviders,iam.amazonaws.com,IAM,Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-open-id-connect-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Identifying OIDC providers gives attackers insights into the cloud infrastructure, revealing the different third-party services and platforms integrated with the AWS environment.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing OIDC providers provides details about the system's authentication setup, contributing to the overall system information an attacker can gather.""}]"
+ListRolePolicies,iam.amazonaws.com,IAM,Lists the names of the inline policies that are embedded in the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.,[],"[{""type"": 
""commandLine"", ""value"": ""aws iam list-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies,"[{""technique"": ""T1484 - Domain Policy Discovery"", ""reason"": ""Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities.""}]"
+ListRoles,iam.amazonaws.com,IAM,Lists the IAM roles that have the specified path prefix. ,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-roles""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListRoles,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Discovering IAM roles helps adversaries understand their permissions and group memberships, enabling them to identify roles with excessive privileges that can be misused for unauthorized activities.""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""Listing IAM roles can reveal roles associated with various software applications, including security, administrative, and operational tools.""}]"
+ListSAMLProviders,iam.amazonaws.com,IAM,Lists the SAML provider resource objects defined in 
IAM in the account.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSAMLProviders to discover if there are SAML providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-saml-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Listing SAML providers can help attackers map out the cloud infrastructure and understand how identity federation is being handled within the account.""}, {""technique"": ""T1592 - Gather Victim Host Information"", ""reason"": ""Identifying SAML providers can reveal details about the host environment and configurations, which may be used to further map the attack surface.""}, {""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""Listing SAML providers can help attackers collect information about identities and roles within the target environment, aiding in crafting more targeted attacks""}]"
+ListServiceSpecificCredentials,iam.amazonaws.com,IAM,Returns information about the service-specific credentials associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com""}]",https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Adversaries may enumerate 
cloud infrastructure to understand the environment better, and listing service-specific credentials provides information about the associated IAM users""}]"
+ListSigningCertificates,iam.amazonaws.com,IAM,Returns information about the signing certificates associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSigningCertificates to review which users have active certificates,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-signing-certificates --user-name traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates,"[{""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""Identifying signing certificates shows which users have configured alternate authentication mechanisms, revealing potential entry points that do not rely on passwords.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Gaining information about signing certificates aids in mapping the IAM infrastructure, helping to understand the authentication methods and structure of the cloud environment.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Listing signing certificates assists in discovering the primary users and owners of the accounts, which aids in planning targeted attacks.""}]"
+ListSSHPublicKeys,iam.amazonaws.com,IAM,Returns information about the SSH public keys associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": 
""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-ssh-public-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys,"[{""technique"": ""T1078. - Valid Accounts"", ""reason"": ""If attackers can associate public keys with user accounts, they might leverage this information to attempt to use stolen or weak credentials elsewhere.""}]"
+ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": 
""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. Knowledge of valid accounts can help in attempts to compromise or leverage these accounts.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment.""}]"
+PutGroupPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Inline policies can be altered to disable or impair 
security features such as monitoring and alerting.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Inline policies can be modified to change authentication processes, making it easier to bypass existing security controls.""}]"
+PutRolePermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM role's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary,"[{""technique"": ""T1212 - Exploitation for Privilege Escalation"", ""reason"": ""Modifying permissions boundaries can be used to elevate the privileges of the role, enabling actions that would otherwise be restricted.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""By altering the permissions boundary, attackers can change the authentication process for the role to grant themselves higher privileges.""}]"
+PutRolePolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": 
""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Modifying IAM role policies can be used to restrict or remove access to certain users or roles, aiding in defense evasion.""}]"
+PutUserPermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM user's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Setting a permissions boundary might be part of a strategy to later remove access to certain resources or actions, effectively controlling or limiting account capabilities.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Attackers may modify permissions boundaries to ensure their access is maintained across cloud accounts, preventing account lockout or access removal.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Changing the permissions boundary might be used to impact security settings or access, impairing the effectiveness of security tools and preventing detection or response to malicious 
activity.""}]"
+PutUserPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By embedding policies that allow for disabling or bypassing security controls, adversaries can impair defense mechanisms.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries may use PutUserPolicy to remove access rights for legitimate users, causing disruption.""}, {""technique"": ""T1068 - Exploitation for Privilege Escalation"", ""reason"": ""If an 
adversary can modify policies to grant administrative privileges, they effectively escalate their privileges.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Inline policies can be changed to weaken authentication requirements, making it easier for adversaries to access the account.""}]"
+SetDefaultPolicyVersion,iam.amazonaws.com,IAM,Sets the specified version of the specified policy as the policy's default (operative) version.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2""}]",https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Modifying the policy's default version can be used to evade detection by setting the policy version that was in place before the attack.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Attackers can use this API call to update policies in a way that prevents legitimate users from accessing resources, ensuring continued control over the compromised environment.""}]"
+SimulatePrincipalPolicy,iam.amazonaws.com,IAM,Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use SimulatePrincipalPolicy to understand the 
permissions of a principal, to later potentially exploiting any over-permissive policies. Using this technique might allow attackers to evade defenses while enumerating permissions.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories""}]",https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": "" Using this API, attackers can determine the permissions associated with specific IAM roles or users, aiding in privilege escalation planning.""}, {""technique"": ""T1615 - Group Policy Discovery"", ""reason"": ""By simulating principal policies, attackers can identify the group policies and their impact on IAM roles and entities.""}]"
+UpdateAccessKey,iam.amazonaws.com,IAM,"Changes the status of the specified access key from Active to Inactive, or vice versa.",TA0003 - Persistence,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS - IAM Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc""}]","Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey,"[{""technique"": ""T1070. 
- Indicator Removal"", ""reason"": ""Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Temporarily deactivating keys to remove access can help adversaries evade detection while they perform malicious activities.""}]"
+UpdateAssumeRolePolicy,iam.amazonaws.com,IAM,Updates the policy that grants an IAM entity permission to assume a role.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]",Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Updating the assume role policy can allow attackers to use valid IAM roles to maintain access.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate""}]"
+UpdateLoginProfile,iam.amazonaws.com,IAM,"Changes the password for the specified IAM user. 
You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.","TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Changing an IAM user's password allows an attacker to maintain access using a legitimate account.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Changing the password directly impacts the authentication process, potentially 
locking out legitimate users and ensuring only the attacker has access.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Changing the password of an IAM user can also serve as a means to remove legitimate account access for the rightful user, ensuring only the attacker can access the account.""}]"
+UpdateSAMLProvider,iam.amazonaws.com,IAM,Updates the metadata document for an existing SAML provider resource object.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,False,[],"[{""description"": ""Gaining AWS Persistence by Updating a SAML Identity Provider"", ""link"": ""https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5""}]",Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider,"[{""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The UpdateSAMLProvider API call allows changing the SAML metadata document, directly affecting how AWS handles authentication through SAML assertions. This can enable an attacker to alter authentication mechanisms or potentially introduce unauthorized access methods.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By changing the SAML metadata document, an attacker could gain access to valid accounts. The new or altered assertions in the SAML metadata can be used to authenticate as legitimate AWS users or roles.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""Altering the SAML metadata document provides an opportunity to use different authentication material. 
An attacker could insert alternate cryptographic keys or certificates into the SAML assertions, allowing them to authenticate to AWS resources as a trusted user or entity.""}]"
+Encrypt,kms.amazonaws.com,KMS,"Encrypts plaintext of up to 4,096 bytes using a KMS key. ",TA0040 - Impact,T1486 - Data Encrypted for Impact,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use Encrypt to encrypt data for ransom.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-Encrypt,"[{""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Encrypting data before exfiltration can help to evade detection and bypass certain security controls, however this would be quite noisy.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Encrypting information can make it harder for security tools to analyze the content of the data, aiding in evasion. 
This could be used for things like other keys to avoid suspicion.""}]"
+GenerateDataKeyWithoutPlaintext,kms.amazonaws.com,KMS,Returns a unique symmetric data key for use outside of AWS KMS.,TA0040 - Impact,T1486 - Data Encrypted for Impact,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""The symmetric data key can be used to encrypt or delete critical data, rendering it useless and causing operational disruptions.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""The data key can facilitate the encryption of collected data before exfiltration to avoid detection.""}]"
+ScheduleKeyDeletion,kms.amazonaws.com,KMS,Schedules the deletion of a KMS key.,TA0040 - Impact,T1485 - Data Destruction,,False,[],"[{""description"": "" Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion,"[{""technique"": ""T1561 - Disk Wipe"", ""reason"": ""By scheduling the deletion of a KMS key, the adversary could render encrypted data useless, effectively wiping the disk content indirectly.""}, {""technique"": ""T1499 - Endpoint 
Denial of Service"", ""reason"": ""Deleting a KMS key can disrupt the availability of data, causing a denial of service on the applications relying on the encrypted data.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The scheduling of a key deletion might involve manipulating existing KMS permissions or roles to gain the necessary rights to perform the action.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Deleting a KMS key can impair security defenses by making logs or other critical data inaccessible if they are encrypted with the deleted key.""}, {""technique"": ""T1486 - Data Encrypted for Impact"", ""reason"": ""By deleting the encryption key, the adversary ensures that the encrypted data is rendered unusable, impacting the integrity and availability of the data.""}]"
+AddPermission20150331v2,lambda.amazonaws.com,Lambda,"Grants an AWS service, AWS account, or AWS organization permission to use a function.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.,[],"[{""type"": ""commandLine"", ""value"": ""aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function""}]",https://aws.permissions.cloud/iam/lambda#lambda-AddPermission,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The AddPermission API call can be used to alter permissions, effectively manipulating accounts to maintain access or escalate privileges.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Permissions granted via AddPermission 
could enable an attacker to set up functions that act as proxies, helping to evade defenses.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Attackers could use the AddPermission call to discover additional accounts that have access to specific Lambda functions, aiding in lateral movement.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Permissions can be used to manipulate Lambda functions to communicate over various application layer protocols, aiding in command and control.""}]"
+CreateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,Creates a mapping between an event source and an AWS Lambda function.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.,[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The Lambda function might execute code based on the event source data, potentially running JavaScript if included in the payload.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Lambda functions can communicate over web protocols, enabling command and control through event source triggers.""}, {""technique"": ""T1546 - Event Triggered Execution"", ""reason"": ""Event source mappings can be used to trigger Lambda functions, executing code in response to specific events or data.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Modifying the event source mappings can change the behavior of Lambda functions, 
possibly to escalate privileges or persist in the environment.""}]"
+CreateFunction20150331,lambda.amazonaws.com,Lambda,Creates a Lambda function.,"TA0003 - Persistence, TA0004 - Privilege Escalation, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",,True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The Lambda function can be configured to execute JavaScript code, enabling attackers to run malicious scripts.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": "" By using Lambda, attackers can delete logs or files to evade detection.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attackers might create Lambda functions designed to disable security monitoring tools or alerts.""}, {""technique"": ""T1071 - Application Layer 
Protocol"", ""reason"": ""Lambda functions can communicate over standard web protocols, enabling Command and Control communication that blends with regular traffic.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""If attackers use code-signing configurations and different deployment packaging (e.g., obfuscated container images or encrypted .zip archives), it can help evade detection by concealing the true nature of the function code.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""Attackers might schedule Lambda functions to execute at specific intervals, providing a means of persistence or delayed execution.""}]"
+Invoke,lambda.amazonaws.com,Lambda,Invokes a Lambda function.,"TA0040 - Impact, TA0004 - Privilege Escalation",T1496 - Resource Hijacking,,True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use Invoke to execute previously modified functions in AWS Lambda.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Lambda functions can be used to execute scripts and commands, allowing attackers to run arbitrary code within the AWS environment.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The Invoke API call can be used to establish communication channels over various application layer protocols for command and control purposes.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers can 
invoke Lambda functions under the guise of legitimate requests to evade detection.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""An attacker can use Lambda functions to download or transfer malicious tools into the environment.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Lambda functions can be used to stage data for exfiltration, storing collected information temporarily.""}, {""technique"": ""T1219 - Remote Access Software"", ""reason"": ""Attackers can use Lambda functions as a form of remote access to maintain control over compromised systems.""}, {""technique"": ""T1190 - Exploit Public-Facing Application"", ""reason"": ""If the Lambda function is triggered via a public-facing API endpoint, it could be exploited to gain unauthorized access. Attackers may abuse vulnerable API configurations or input validation flaws to invoke the function, thus compromising the environment.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""Lambda functions can be scheduled to execute tasks periodically, allowing persistent execution of malicious code.""}, {""technique"": ""T1648 - Serverless Execution"", ""reason"": ""By invoking a Lambda function, an attacker can leverage the serverless environment to run malicious code, perform lateral movement, or conduct other post-exploitation activities while taking advantage of the scalability and ephemeral nature of serverless computing to evade detection and persist within the environment.""}]"
+UpdateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,"Updates an event source mapping. 
You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]","Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping,"[{""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Changing the event source mapping can be used to invoke a function via HTTP/S requests, which aligns with utilizing web protocols for execution.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""Adversaries can use this API call to set up or alter scheduled tasks or jobs, such as Lambda functions, to achieve persistence by ensuring repeated or delayed execution.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Adversaries can pause the invocation of a Lambda function to impair or disable security tools or monitoring functions, thereby evading detection or preventing logging.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Adversaries can obfuscate their actions by frequently changing the event source mapping, making it harder to trace the function invocations.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Changing the event source mapping can also be used to manipulate which account or function is invoked, potentially changing the permissions context.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Updating the event source mapping involves 
modifying the cloud infrastructure to change how functions are executed, which is a form of altering cloud resources for persistence or evasion.""}]" +UpdateFunctionCode20150331v2,lambda.amazonaws.com,Lambda,"Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.","TA0003 - Persistence, TA0040 - Impact, TA0009 - Collection","T1098 - Account Manipulation, T1496 - Resource Hijacking, T1119 - Automated Collection",,False,[],"[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies"", ""link"": ""https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c""}]","Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-function-code --function-name my-function""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Adversaries can use AWS Lambda to execute commands or scripts by updating the function code to include the desired commands or scripts.""}, {""technique"": ""T1648 
- Serverless Execution"", ""reason"": ""Attackers may maintain persistence in a target environment by continually updating Lambda function code in serverless environments.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Staging data in cloud storage services can be facilitated by updating the Lambda function code to interact with these storage resources.""}, {""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""Updating Lambda function code to access metadata services enables the function to collect and archive data.""}, {""technique"": ""T1578 - Modify Cloud Compute Infrastructure"", ""reason"": ""Attackers can modify cloud compute infrastructure to execute malicious activities by updating the Lambda function.""}, {""technique"": ""T1056 - Input Capture"", ""reason"": ""By updating the Lambda function code to capture inputs, such as keystrokes or API inputs, adversaries can collect sensitive information.""}]" +UpdateFunctionConfiguration20150331v2,lambda.amazonaws.com,Lambda,Modify the version-specific settings of a Lambda function.,TA0003 - Persistence,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""LambdaSpy - Implanting the Lambda execution environment (Part two)"", ""link"": ""https://www.clearvector.com/blog/lambda-spy/""}]","Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-function-configuration --function-name my-function --memory-size 256""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Modifying Lambda function configurations allows execution of scripts or commands in the runtime environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attackers might modify configurations like logging settings or environment variables to prevent detection efforts.""}]" +CreateInstances,lightsail.amazonaws.com,Lightsail,Creates one or more Amazon Lightsail instances.,"TA0005 - Defense Evasion, TA0040 - Impact","T1578 - Modify Cloud Compute Infrastructure, T1496 - Resource Hijacking",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. 
The use of lightsail might not be monitored.",[],"[{""type"": ""commandLine"", ""value"": ""aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances,"[{""technique"": ""T1583 - Acquire Infrastructure"", ""reason"": ""CreateInstances can be used by adversaries to acquire infrastructure for future operations by provisioning new instances.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Instances could act as proxies to route malicious traffic and hide the true source of the attack.""}, {""technique"": ""T1102 - Web Services"", ""reason"": ""Instances may be used to communicate with web services to facilitate command and control or data exfiltration.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Instances may be named or configured to masquerade as legitimate services or systems.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Instances can be used to stage data before exfiltration, serving as temporary storage points.""}]" +GetInstances,lightsail.amazonaws.com,LightSail,"Returns information about all Amazon Lightsail virtual private servers, or instances.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetInstances to gather information about running instances for potential exploitation.,[],"[{""type"": ""commandLine"", ""value"": ""aws lightsail get-instances""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Using GetInstances, attackers can retrieve detailed information about the instances, such as instance 
IDs, names, and states, providing insight into the system's configuration.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Although indirect, details about instances can hint at the types of processes and services running within those instances.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Instance metadata often includes user or owner information, which can be used to identify who is responsible for the instances.""}]" +GetRegions,lightsail.amazonaws.com,LightSail,Returns a list of all valid regions for Amazon Lightsail.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.,[],"[{""type"": ""commandLine"", ""value"": ""aws lightsail get-regions""}]",https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetRegions API call can provide information about the geographical distribution of LightSail resources, which is useful for understanding the environment.""}]" +DescribeOrganization,organizations.amazonaws.com,Organizations,Retrieves information about the organization that the user's account belongs to.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations 
describe-organization""}]",https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""DescribeOrganization can be used to discover details about accounts within the organization, including account IDs and email addresses.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Information gathered can assist in identifying valid accounts within the organization, aiding further actions that require valid credentials.""}]" +CreateAccount,organizations.amazonaws.com,Organizations,Creates an AWS account that is automatically a member of the organization whose credentials made the request.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations create-account --email traildiscover@example.com --account-name \""TrailDiscover Account\""""}]",https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By creating a new AWS account within the organization, attackers can obtain valid cloud credentials for future access and operations.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Creating a new account can be used to manipulate and manage user accounts, potentially hiding malicious activities under a legitimate-looking account.""}, {""technique"": ""T1136 - Create Account"", ""reason"": ""Creating a new account can establish persistence, allowing an attacker to maintain access even if the initially compromised account is detected and removed.""}, {""technique"": ""T1562 - Impair 
Defenses"", ""reason"": ""Attackers can use the new account to disable or modify security tools and configurations within the cloud environment to avoid detection.""}]" +InviteAccountToOrganization,organizations.amazonaws.com,Organizations,Sends an invitation to another account to join your organization as a member account.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations invite-account-to-organization --target '{\""Type\"": \""EMAIL\"", \""Id\"": \""traildiscover@example.com\""}'""}]",https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Adding accounts to the organization can be used to manipulate account permissions and roles for persistence or escalation of privileges.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By adding new accounts, an attacker might impair the existing security defenses, such as monitoring and logging configurations, by creating noise or adding trusted accounts.""}, {""technique"": ""T1199 - Trusted Relationship"", ""reason"": ""Inviting an account creates a trusted relationship that can be exploited for initial access or lateral movement within the organization.""}]" +LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1070 - Indicator Removal,,False,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Leaving the organization can be used to evade security controls and monitoring that are applied at the organization level, reducing the chances of detection.""}]" +ListAccounts,organizations.amazonaws.com,Organizations,Lists all the accounts in the organization.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-accounts""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Using the ListAccounts API call, an attacker can enumerate all accounts within the AWS organization, gaining insight into the structure and scope of the organization's AWS environment.""}]" +ListOrganizationalUnitsForParent,organizations.amazonaws.com,Organizations,Lists the organizational units (OUs) 
in a parent organizational unit or root.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-organizational-units-for-parent --parent-id r-traildiscover""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent,"[{""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""By listing the organizational units, an adversary can identify relationships and trust boundaries between different parts of the organization, gaining insight into the hierarchical structure that may be exploited later.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Knowledge of the organizational units can inform an adversary about different parts of the cloud infrastructure, helping to discover systems or accounts that can be targeted for further actions.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""The API can reveal different organizational units that might correspond to permission groupings or roles within the AWS environment, which is crucial for understanding how access is managed across the organization.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""By understanding the organizational units, an adversary can piece together information about the internal network structure, which can be critical for furthering internal reconnaissance efforts.""}]" +AuthorizeDBSecurityGroupIngress,rds.amazonaws.com,RDS,Enables ingress to a DBSecurityGroup using one of two forms of authorization.,TA0005 - Defense Evasion,T1578 - Modify Cloud 
Compute Infrastructure,,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]",Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP""}]",https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress,"[{""technique"": ""T1021 - Remote Services"", ""reason"": ""By authorizing specific IP ranges or security groups, this API call can enable remote access to the database from specified instances or IP addresses, potentially allowing attackers to establish unauthorized access directly.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The authorization of ingress rules through this API call may enable attackers to use common web protocols (HTTP/S) to interact with the database, facilitating access over application-layer protocols.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Attackers might exploit the authorized IP range through this API call by routing their traffic via an external proxy, masking their true origin and evading detection.""}, {""technique"": ""T1133 - External Remote Services"", ""reason"": ""The API call directly allows the configuration of external access to cloud-based database services, which could be exploited by attackers to bypass internal network protections by directly accessing the database.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers might use the API call to authorize ingress for IP addresses or security groups that 
appear legitimate or benign, thus evading detection by security monitoring tools that rely on expected network traffic patterns.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By carefully selecting which IPs or security groups to authorize, attackers can effectively impair or avoid network-based defenses, such as firewalls or intrusion detection systems (IDS), that rely on stricter ingress rules to protect the database.""}]" +CreateDBSecurityGroup,rds.amazonaws.com,RDS,Creates a new DB security group. DB security groups control access to a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup,"[{""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The security group settings can be configured to allow specific protocols or applications to communicate with the DB instance, facilitating control or exfiltration methods.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying or creating a security group that permits broader access to the DB instance could serve as a form of defense evasion by bypassing firewall rules set to protect the database.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Creating or modifying a 
security group could be a method to manipulate access controls and permissions, thereby escalating privileges or creating a backdoor for persistent access.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""An attacker could create or name a DB security group to resemble legitimate or existing groups to avoid detection. This can deceive administrators or monitoring systems, allowing malicious actions to go unnoticed.""}]" +CreateDBSnapshot,rds.amazonaws.com,RDS,Creates a snapshot of a DB instance.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}]",Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot""}]",https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot,"[{""technique"": ""T1003 - OS Credential Dumping"", ""reason"": ""Snapshots could contain credentials or other sensitive information that can be extracted and exploited by an attacker.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Snapshots containing authentication data or API keys can be used by attackers to maintain unauthorized access to cloud environments.""}, {""technique"": ""T1530 - Data from Cloud Storage 
Object"", ""reason"": ""Snapshots stored in cloud storage can be accessed by attackers to extract sensitive information.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""The snapshot may contain data from the local system of the database instance that attackers could extract.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The snapshot could be automatically transferred out of the environment to an external location, facilitating data exfiltration without manual intervention.""}]" +DeleteDBCluster,rds.amazonaws.com,RDS,The DeleteDBCluster action deletes a previously provisioned DB cluster.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}, {""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]","Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By deleting the DB cluster, an attacker could disable or remove a crucial part of an organization\u00e2\u20ac\u2122s monitoring or logging setup if these were hosted on the RDS instance.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting a DB cluster could also serve to remove access to critical data and services, thereby disrupting operations and hindering incident response.""}, 
{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting the DB cluster may remove evidence of previous activities, such as logs or data that could be used to investigate the attack, serving as a method to evade detection.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""The deletion of a DB cluster directly results in stopping the associated service, causing disruption to any applications or services relying on that database.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""By deleting the DB cluster, the attacker effectively denies access to the endpoint associated with the database, preventing legitimate users from interacting with the data and services hosted on the DB cluster.""}, {""technique"": ""T1490 - Inhibit System Recovery"", ""reason"": ""Deleting a DB cluster can prevent data recovery if backups are also targeted or if the deletion is part of a strategy to ensure that data cannot be restored.""}]" +DeleteDBInstance,rds.amazonaws.com,RDS,Deletes a previously provisioned DB instance.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Removing a DB instance can help an adversary eliminate logs or traces of malicious activity by erasing the entire database where logs might be stored.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""If an attacker deletes a DB instance, it could be a part of denying access to 
legitimate users by removing the resource they need.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Deleting a DB instance can effectively stop a critical service, rendering the associated application or service unavailable.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""By deleting a DB instance, an attacker can cause a denial of service by removing the endpoint that the application or users rely on for database services.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""While not strictly altering data, deleting a DB instance can result in the loss of data integrity, as the sudden removal can lead to incomplete data or service disruptions.""}]" +DeleteGlobalCluster,rds.amazonaws.com,RDS,Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.,TA0040 - Impact,T1485 - Data Destruction,,False,[],"[{""description"": ""AWS Deletion of RDS Instance or Cluster"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html""}]",Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier""}]",https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster,"[{""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Deleting a global database cluster can cause an application or system to become unavailable, effectively denying service to legitimate users.""}, {""technique"": ""T1561 - Disk Wipe"", ""reason"": ""The deletion of a global database cluster can be seen as a form of storage deletion, where critical data is irreversibly destroyed.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By deleting the global database cluster, an attacker can remove evidence of the existence of that cluster, potentially 
hindering forensic investigations.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Deleting a global database cluster will stop associated services, disrupting operations and causing an impact on availability.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Deleting the database cluster can disable monitoring or logging capabilities, thus impairing defenses by making it harder to detect malicious activity.""}, {""technique"": ""T1490 - Inhibit System Recovery"", ""reason"": ""By deleting a global database cluster, an attacker may prevent system recovery by ensuring that critical data or configurations cannot be restored.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""If the global database cluster contains authentication information or is tied to account access mechanisms, deleting it can effectively remove or disrupt account access.""}]" +ModifyActivityStream,rds.amazonaws.com,RDS,Changes the audit policy state of a database activity stream to either locked (default) or unlocked.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,,True,"[{""description"": ""Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response"", ""link"": ""https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response""}]",[],"Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-activity-stream""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying the database activity stream to an unlocked state could impair logging and monitoring, effectively evading defenses.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Attackers might 
reconfigure the audit policy state to the original state to avoid an investigation.""}]" +ModifyDBSnapshotAttribute,rds.amazonaws.com,RDS,"Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""Imperva Security Update"", ""link"": ""https://www.imperva.com/blog/ceoblog/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By adding specific AWS account IDs to the ValuesToAdd parameter, an attacker can ensure persistent access to a DB snapshot by authorized accounts.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying the snapshot to make it public or share it with specific accounts might bypass certain security controls, aiding in defense evasion.""}, {""technique"": ""T1537 - 
Transfer Data to Cloud Account"", ""reason"": ""Making a DB snapshot public or sharing it with specific accounts allows unauthorized access, facilitating the exfiltration of sensitive data to an attacker-controlled AWS account.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Removing attributes or specific account IDs from the ValuesToAdd parameter can be used to cover tracks by eliminating evidence of unauthorized access.""}, {""technique"": ""T1087 - Account Manipulation"", ""reason"": ""Modifying the attributes to include or exclude certain account IDs is a form of account manipulation, impacting who can access the snapshot.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By removing access to certain AWS accounts from the ValuesToAdd parameter, legitimate users may be denied access, contributing to account access removal tactics.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The API call itself operates over an application layer protocol (typically HTTPS) and can be part of a communication channel used by the attacker to modify and transfer data within the cloud.""}]"
+StartExportTask,rds.amazonaws.com,RDS,Starts an export of DB snapshot or DB cluster data to Amazon S3.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""AWS - RDS Post Exploitation"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation""}]",Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id 
arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff""}]",https://aws.permissions.cloud/iam/rds#rds-StartExportTask,"[{""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""By exporting data to an S3 bucket, adversaries can use cloud services as a method to exfiltrate data without direct interaction with the database.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""After exporting snapshot data to S3, an adversary can retrieve and analyze the data from the S3 bucket, provided they maintain access to the cloud storage.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""By exporting the RDS snapshot, an adversary gains access to a repository of information stored within the database, which they can then access through the S3 bucket.""}, {""technique"": ""T1078 - Cloud Accounts"", ""reason"": ""Adversaries may leverage compromised cloud accounts to persist within the environment, using cloud-native functionality like the StartExportTask to maintain access to sensitive data over time.""}]"
+Search,resource-explorer-2.amazonaws.com,ResourceExplorer,Searches for resources and displays details about all resources that match the specified criteria.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use Search to list resorces.,[],"[{""type"": ""commandLine"", ""value"": ""aws resource-explorer-2 search --query-string 'service:iam'""}]",https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Attackers can create queries to discover permission groups, roles, and policies within the AWS environment, which might aid in understanding access levels across 
different resources.""}, {""technique"": ""T1538 - Cloud Service Discovery"", ""reason"": ""By specifying queries related to cloud services, attackers can discover details about various services in use, aiding in the mapping of the environment.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""The search results can reveal information about infrastructure components like EC2 instances, S3 buckets, and databases, providing attackers with critical data about the cloud architecture.""}, {""technique"": ""T1201 - Password Policy Discovery"", ""reason"": ""Queries can be tailored to discover password policies related to IAM users, assisting attackers in crafting password-based attacks.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""If the search results reveal IAM roles or users with associated access keys, attackers might identify unsecured credentials that could be exploited for unauthorized access.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Searches might return details about valid accounts that could be targeted for unauthorized access, particularly if accounts are not adequately secured.""}]"
+ChangeResourceRecordSets,route53.amazonaws.com,Route53,"Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.",TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets,"[{""technique"": ""T1071 
- Application Layer Protocol"", ""reason"": ""The ChangeResourceRecordSets API can be used to modify DNS records, allowing attackers to establish command and control channels using DNS or other application-layer protocols like HTTP/HTTPS.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""By altering DNS records, attackers can hide or modify evidence of their activities, such as tampering with or removing logs associated with DNS queries to avoid detection by security systems.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""Attackers may use this API to redirect network traffic through external or internal proxies by changing DNS records, which helps conceal the true destination of the traffic and evade monitoring tools.""}, {""technique"": ""T1565 - Data Manipulation"", ""reason"": ""Altering DNS records can mislead or redirect users and systems, potentially sending them to malicious IP addresses or disrupting the normal operation of services by providing false information.""}, {""technique"": ""T1568 - Dynamic Resolution"", ""reason"": ""Attackers can frequently update DNS entries using this API to maintain control over compromised systems or to evade detection by constantly altering the destination of command and control traffic.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By modifying or deleting DNS records, attackers can effectively deny legitimate users access to services, redirecting traffic to incorrect or malicious servers, thereby locking out authorized access.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Changing or deleting essential DNS records can lead to a denial of service, where users are unable to access critical resources because DNS queries resolve to incorrect addresses.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Constant manipulation of DNS records may be used to obscure the attacker's activities, making it more challenging for 
defenders to trace or understand the methods used for command and control or data exfiltration.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""By redirecting traffic from legitimate information repositories to a malicious destination through altered DNS records, attackers can collect sensitive data under the guise of normal operations""}, {""technique"": ""T1557 - Man-in-the-Middle"", ""reason"": ""Modifying DNS records to reroute traffic to malicious sites can facilitate man-in-the-middle attacks, allowing attackers to intercept or manipulate communications between users and services.""}]"
+CreateHostedZone,route53.amazonaws.com,Route53,"Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.",TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS API Call Hijacking via ACM-PCA"", ""link"": ""https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/""}]",Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'""}]",https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone,"[{""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Creating a hosted zone allows attackers to use DNS or web protocols for communication between compromised systems and attacker-controlled infrastructure, facilitating covert command and control operations.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""The hosted zone can be configured to route traffic 
through multiple proxies, aiding in defense evasion by obscuring the true source or destination of the traffic.""}, {""technique"": ""T1568 - Dynamic Resolution"", ""reason"": ""Attackers may use dynamically generated domains within the hosted zone to maintain command and control, making it difficult for defenders to track or block these communications.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers might create a hosted zone with a domain or subdomain that closely mimics a legitimate one, aiding in phishing or other forms of deception to mislead users or systems.""}]"
+GetHostedZoneCount,route53.amazonaws.com,Route53,Retrieves the number of hosted zones that are associated with the current AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws route53 get-hosted-zone-count""}]",https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The GetHostedZoneCount API call can be used to enumerate the number of DNS zones hosted in a cloud environment, which reveals information about the cloud account's resources.""}, {""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The GetHostedZoneCount API call reveals the presence and scale of Route 53 DNS services within the cloud environment. 
This information helps adversaries understand the cloud infrastructure and identify potential targets for further actions.""}]"
+ListDomains,route53domains.amazonaws.com,route53domains,This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53domains list-domains --region us-east-1""}]",https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains,"[{""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The ListDomains API call allows an adversary to discover domain names associated with the AWS account, providing insights into the cloud infrastructure.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The ListDomains API call can be used to gather DNS information, which may reveal the structure of the victim\u00e2\u20ac\u2122s network and other valuable network details.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Knowing the domains registered within the AWS account can help identify associated cloud resources and potential attack vectors within the cloud environment.""}, {""technique"": ""T1046 - Network Service Scanning"", ""reason"": ""The ListDomains API call could assist an adversary in identifying network services associated with the domain names, contributing to their reconnaissance efforts.""}]"
+RegisterDomain,route53domains.amazonaws.com,route53domains,"This operation registers a domain. 
For some top-level domains (TLDs), this operation requires extra parameters.",TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.,[],"[{""type"": ""commandLine"", ""value"": ""aws route53domains register-domain --region us-east-1 --cli-input-json '{\""DomainName\"": \""\"", \""DurationInYears\"": 1, \""AdminContact\"": { \""FirstName\"": \""\"", \""LastName\"": \""\""}, \""RegistrantContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\"" }, \""TechContact\"": {\""FirstName\"": \""\"", \""LastName\"": \""\""}}'""}]",https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain,"[{""technique"": ""T1583 - Acquire Infrastructure"", ""reason"": ""The RegisterDomain API call is used to acquire a new domain, which can be leveraged to set up malicious infrastructure, such as phishing sites or command and control servers.""}, {""technique"": ""T1584 - Compromise Infrastructure"", ""reason"": ""Registering a domain and creating a corresponding hosted zone allows attackers to establish and control an infrastructure that supports malicious activities.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""By creating a hosted zone and assigning name servers, the domain can be used to facilitate communication via DNS, a common method for establishing command and control channels.""}]"
+DeleteBucket,s3.amazonaws.com,S3,Deletes the S3 bucket.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteBucket to delete 
resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucket,"[{""technique"": ""T1485 - Data Destruction"", ""reason"": ""Permanently deleting objects or versions from S3 can result in the loss of critical data, affecting the availability and integrity of information. This action can disrupt business operations by removing essential files, leading to significant data loss and operational downtime.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting an S3 bucket can serve as a method of removing evidence or logs that may be stored within the bucket, helping to evade detection.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Deleting an S3 bucket could result in a denial of service if critical data or services that rely on that bucket become unavailable.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Deleting key objects or configuration files from S3 can cause critical services to stop functioning. 
This disruption can lead to downtime and loss of access to essential systems, impacting business operations.""}]"
+DeleteBucketPolicy,s3.amazonaws.com,S3,Deletes the policy of a specified bucket.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,,False,[],"[{""description"": ""AWS S3 Bucket Configuration Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html""}]",Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting a bucket policy can remove specific account or role permissions, effectively locking out other identities from accessing the bucket, which supports account access removal.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By deleting a bucket policy, an attacker could disable or weaken security controls that were enforced by the policy, making it easier to execute subsequent malicious actions.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""If an attacker deletes the bucket policy, they can manipulate access controls to further their persistence or impede legitimate access, which could be considered a form of account manipulation.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting the bucket policy can remove key indicators of unauthorized access or changes. 
Since the policy itself might contain logging configurations or access control rules, its removal could make it harder to detect and track the attacker's actions, thereby aiding in evasion of detection.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Deleting the bucket policy can lead to denial of service for legitimate users who rely on the policy to access the bucket, especially if the policy enforced critical access controls.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""By deleting the bucket policy, an attacker might indirectly cause services depending on that policy to stop functioning correctly, thereby achieving a form of service stop.""}]"
+DeleteObject,s3.amazonaws.com,S3,Removes an object from a bucket. The behavior depends on the bucket's versioning state.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability"", ""link"": ""https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability""}, {""description"": ""20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets"", ""link"": ""https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/""}, {""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use DeleteObject to erase crucial 
data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-DeleteObject,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting an object can be used to remove evidence of prior activity, aiding in evasion of detection and analysis.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By deleting logs, configurations, or security-related data stored in S3, attackers can impair defensive mechanisms, reducing the effectiveness of monitoring and alerting systems.""}, {""technique"": ""T1490 - Inhibit System Recovery"", ""reason"": ""By deleting critical backups or data versions in S3, an attacker can inhibit recovery processes, making it difficult to restore systems to their pre-attack state.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Deleting important objects required for system functionality or application performance could result in a denial of service, preventing users from accessing necessary resources or causing system disruptions.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""Deleting configuration files or objects critical to the operation of a service hosted in AWS can lead to a service stop, effectively disrupting operations and causing downtime.""}]"
+GetBucketAcl,s3.amazonaws.com,S3,This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Muddled Libra\u2019s 
Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""Public S3 bucket through bucket ACL"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/""}]",Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-acl --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By examining the ACL, an attacker can identify accounts or roles that have access to the bucket, which can then be used to gain unauthorized access through valid credentials.""}, {""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""By examining the ACL, an attacker could gather information about the identities (users, roles, or accounts) that have access to the bucket, which can be useful in planning further attacks.""}]"
+GetBucketLogging,s3.amazonaws.com,S3,Returns the logging status of a bucket and the permissions users have to view and modify that status.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],"Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-logging --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging,"[{""technique"": ""T1087 - Account 
Discovery"", ""reason"": ""The API call provides insights into which IAM accounts have permissions to view or modify bucket logging, aiding an attacker in identifying accounts with specific privileges.""}]" +GetBucketPolicy,s3.amazonaws.com,S3,Returns the policy of a specified bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-policy --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""If an adversary can access a bucket policy, it may provide insights into valid accounts or roles that can be exploited for further access.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""By analyzing the bucket policy, an attacker can discover accounts or IAM roles that have access to the S3 bucket, which may help in escalating privileges within the environment.""}]" +GetPublicAccessBlock,s3.amazonaws.com,S3,Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might 
use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adversaries might use the GetPublicAccessBlock API call to check for misconfigurations or overly permissive settings in S3 buckets, potentially leading to unauthorized access and exploitation of valid cloud accounts.""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""Retrieving the PublicAccessBlock configuration can assist attackers in identifying S3 buckets that are misconfigured to allow public access, which may lead to unauthorized access and potential exfiltration of data from cloud storage.""}]"
+GetBucketReplication,s3.amazonaws.com,S3,Returns the replication configuration of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-replication --bucket TrailDiscoverBucket""}]",N/A,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Accessing replication configuration details could help an adversary identify which accounts or roles have permissions related to replication, enabling targeted attacks on these accounts for unauthorized access.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""With knowledge of the replication setup, an adversary can craft actions that closely mimic legitimate activities, such as modifying replication settings, which 
helps them evade detection by blending in with normal operations.""}]"
+GetBucketTagging,s3.amazonaws.com,S3,Returns the tag set associated with the bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-tagging --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging,"[{""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""The GetBucketTagging API call can reveal tag information that may indicate domain or organizational trust relationships within AWS, helping adversaries understand the trust boundaries of the bucket.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""Tags may include sensitive information or classifications about the data stored in the S3 bucket, aiding attackers in prioritizing which data to exfiltrate or further target.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""ags retrieved from the bucket may contain information about the AWS accounts, IAM roles, or user groups with permissions, which can be used to identify potential targets for credential theft or account takeover.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""The API call might provide insights into user or service accounts associated with the bucket through tags, allowing adversaries to identify accounts that have access to critical resources.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Tags could provide information about the owner of the bucket or associated resources, which could help attackers in social engineering or in targeting specific individuals or roles 
within the organization.""}, {""technique"": ""T1484 - Group Policy Discovery"", ""reason"": ""Tags could indicate group-like configurations or policies associated with buckets, such as those related to access control or data management, offering insights into how resources are managed or accessed.""}]"
+GetBucketVersioning,s3.amazonaws.com,S3,Returns the versioning state of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],"Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.",[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-bucket-versioning --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning,"[{""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""Understanding the versioning and MFA Delete status allows attackers to potentially collect older or deleted versions of data, which might not be available in a non-versioned setup.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers with valid accounts (e.g., those who have compromised credentials) may use this API call to gather information that could further their goals, such as determining the best method to evade detection or exfiltrate data.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""The versioning status of a bucket might indicate the presence of multiple versions of stored data, which attackers could access and collect as part of their broader objective of gathering information from cloud storage.""}]"
+GetObject,s3.amazonaws.com,S3,Retrieves an object from Amazon S3.,TA0010 - Exfiltration,T1048 - 
Exfiltration Over Alternative Protocol,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Incident 2 - Additional details of the attack"", ""link"": ""https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus""}, {""description"": ""Aruba Central Security Incident"", ""link"": ""https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/""}, {""description"": ""Sendtech Pte. Ltd"", ""link"": ""https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en""}, {""description"": ""GotRoot! AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Chegg, Inc"", ""link"": ""https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf""}, {""description"": ""Scattered Spider Attack Analysis"", ""link"": ""https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Data Exfiltration through S3 Server 
Access Logs"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/""}, {""description"": ""S3 Streaming Copy"", ""link"": ""https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/""}]",Attackers might use GetObject to download data from S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion""}]",https://aws.permissions.cloud/iam/s3#s3-GetObject,"[{""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""The GetObject API call is used to retrieve data from specific objects within S3 buckets, making it essential for adversaries collecting data from cloud storage.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The GetObject operation can be invoked over HTTPS, which is a common method for communicating with AWS services and could be used to exfiltrate data covertly.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""The GetObject operation might be part of a process where data is retrieved and temporarily stored (staged) before further processing or exfiltration.""}, {""technique"": ""T1570 - Lateral Tool Transfer"", ""reason"": ""Retrieving an object that contains tools or scripts via GetObject can be part of a lateral movement strategy, where tools are transferred between compromised systems.""}]" +HeadObject,s3.amazonaws.com,S3,The HEAD operation retrieves metadata from an object without returning the object itself.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the 
new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",[],Attackers might use HeadObject to gather metadata about sensitive files stored in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""The HeadObject API call helps verify the existence of data in S3 buckets, allowing attackers to understand what data is available for transfer or collection.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Attackers may use HeadObject to discover information about objects in S3 buckets, which can help identify sensitive accounts or resources within a cloud environment.""}, {""technique"": ""T1083 - File and Directory Discovery"", ""reason"": ""This API call provides metadata about objects, helping attackers discover the organization and structure of files stored in S3, facilitating further actions.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""The operation assists in identifying which specific cloud storage objects might contain valuable data for exfiltration.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By accessing metadata, attackers can infer details about the cloud infrastructure, such as object creation dates, storage classes, and more, providing insights into the environment's configuration.""}, {""technique"": ""T1557 - Service Discovery"", ""reason"": ""The ability to query metadata from S3 objects can help attackers gather information about the usage and configuration of cloud services, potentially revealing misconfigurations or security weaknesses.""}]"
+JobCreated,s3.amazonaws.com,S3,"When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication 
Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""An attacker could use the S3 Batch Operations to aggregate and compress large amounts of data for exfiltration, creating a job that is recorded as a JobCreated event.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""The JobCreated event indicates that data could be staged in an S3 bucket, possibly in preparation for further actions such as exfiltration.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The job creation could be part of an automated process designed to move data out of the environment, with minimal manual intervention required once set up.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""A JobCreated event could be used to transfer tools or scripts into the environment, using S3 as a storage mechanism before execution.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The Batch Operations job may involve communication over standard protocols (like HTTPS) for command and control, making it harder to detect malicious activity.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers may manipulate or create new accounts with the necessary permissions to execute Batch Operations jobs, facilitating unauthorized data access or exfiltration.""}]" +ListBuckets,s3.amazonaws.com,S3,Returns a list of all buckets owned by the authenticated sender of the request.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the 
cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""A Technical Analysis of the Capital One Cloud Misconfiguration Breach"", ""link"": ""https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach""}, {""description"": ""Enumerate AWS Account ID from a Public S3 Bucket"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api list-buckets --query \""Buckets[].Name\""""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",N/A,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""he ListBuckets API call helps identify the scope of an AWS account by revealing all S3 buckets owned by the account, giving insight into the account's cloud resources.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""Once buckets are listed, attackers can target specific buckets for data extraction, which is critical for both understanding and potentially exfiltrating data stored in the cloud.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The ability to list buckets verifies that the credentials used have sufficient permissions, which can inform the attacker about the level of access they have and what actions they can perform.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By listing buckets, attackers can gather information about the organization of data and system configurations within the cloud environment, indirectly giving insight into how the cloud infrastructure is managed.""}]" +ListObjects,s3.amazonaws.com,S3,"Returns some or all (up to 1,000) of the objects in a bucket.",TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListObjects to identify 
potentially sensitive objects stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1083 - File and Directory Discovery"", ""reason"": ""Even though directory buckets are not supported, ListObjects allows an attacker to discover the contents and structure of an S3 bucket by listing objects.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""The ListObjects call enables the retrieval of data stored within S3 buckets, which are often utilized as information repositories.""}]"
+ListVaults,glacier.amazonaws.com,S3,This operation lists all vaults owned by the calling user’s account.,TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListVaults to identify data such as archived training data or related datasets.,[],"[{""type"": ""commandLine"", ""value"": ""aws glacier list-vaults --account-id -""}]",https://aws.permissions.cloud/iam/glacier#glacier-ListVaults,"[{""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""The ListVaults API call is used to enumerate all vaults within S3 Glacier, which could help an attacker identify potential storage locations for exfiltration.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""Listing vaults provides insight into the structure and ownership of cloud storage resources, which can be useful for discovering cloud accounts and identifying valuable targets.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""The API call can be used to list and access data 
stored in vaults, which may be part of broader data collection or exfiltration efforts.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Understanding the vaults associated with an account can inform attackers about which accounts manage sensitive data, potentially guiding further credential access attempts.""}]"
+PutBucketAcl,s3.amazonaws.com,S3,Sets the permissions on an existing bucket using access control lists (ACL).,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,,False,[],"[{""description"": ""AWS S3 Bucket ACL made public"", ""link"": ""https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/""}]","Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adjusting the ACL to include additional accounts or groups can provide persistent access to unauthorized entities, allowing the adversary to maintain control over the resource.""}, {""technique"": ""T1548 - Abuse Elevation Control Mechanism"", ""reason"": ""By setting the ACL with more permissive controls, an attacker could elevate their access privileges, gaining the ability to perform actions beyond their intended scope.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Modifying ACLs can be used to prevent security tools or monitoring from detecting malicious actions by restricting access to logging or alerting services.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Changing ACLs can serve to obscure evidence of unauthorized access or changes by modifying 
who has visibility into the bucket, thereby evading detection.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""An attacker can alter the ACL to make unauthorized access appear as legitimate traffic, thus avoiding suspicion and detection.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adjusting the ACL could be used to remove legitimate access to a bucket, effectively denying access to authorized users while maintaining control over the resource.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The ability to modify ACLs directly correlates with manipulating which accounts have what level of access to a resource, aligning with broader account manipulation strategies.""}, {""technique"": ""T1199 - Trusted Relationship"", ""reason"": ""If an attacker modifies ACLs to include entities that are typically trusted, this can facilitate initial access through a trusted relationship, leveraging the trust model to gain unauthorized access.""}]"
+PutBucketLifecycle,s3.amazonaws.com,S3,Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""USA VS Nickolas Sharp"", ""link"": ""https://www.justice.gov/usao-sdny/press-release/file/1452706/dl""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\""Rules\"":[{\""ID\"":\""\"",\""Status\"": \""Enabled\"", \""Prefix\"": 
\""TrailDiscover/\""}]}'""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule""}]",N/A,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""An attacker could manipulate lifecycle configurations to delete, transition, or obscure data, effectively impairing defensive mechanisms by reducing the visibility or availability of critical data.""}, {""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Manipulating lifecycle configurations could facilitate the movement of data to different storage locations or accounts, enabling data exfiltration or staging of information.""}, {""technique"": ""T1486 - Data Encrypted for Impact"", ""reason"": ""Lifecycle configurations could be altered to move data into encrypted storage, rendering it inaccessible as a form of impact, effectively denying access to the legitimate users.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""An attacker might adjust lifecycle configurations to archive or obscure files, making them harder to detect or stage them for later exfiltration, thus evading detection.""}]" +PutBucketPolicy,s3.amazonaws.com,S3,Applies an Amazon S3 bucket policy to an Amazon S3 bucket.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,,False,[],"[{""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-policy --bucket TrailDiscover --policy {}""}, {""type"": 
""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy,"[{""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""A malicious policy could allow an attacker to exfiltrate data from an S3 bucket to an external location.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""An attacker might leverage the modified bucket policy to maintain access via alternate authentication methods, such as session tokens or identity federation mechanisms.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Attackers can modify a bucket policy to revoke access from certain users or roles, making it difficult for legitimate users to regain control over the resource.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Modifying the bucket policy can directly alter the permissions and access rights of various accounts, effectively manipulating who has control over the S3 resources.""}]" +PutBucketReplication,s3.amazonaws.com,S3,Creates a replication configuration or replaces an existing one.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\""Role\"":\""\"",\""Rules\"":[]}'""}]",N/A,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The ability 
to modify or create replication configurations can be used to ensure that critical data is continuously replicated to an attacker-controlled bucket, maintaining persistence even if access controls are modified or removed.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""An attacker could misuse the replication configuration to redirect logs or other monitoring data away from security tools, effectively evading detection and disabling defenses.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""By setting up replication to an external or unauthorized S3 bucket, an attacker can automatically exfiltrate data, transferring large volumes without direct manual intervention.""}]"
+PutBucketVersioning,s3.amazonaws.com,S3,Sets the versioning state of an existing bucket.,"TA0040 - Impact, TA0010 - Exfiltration","T1490 - Inhibit System Recovery, T1537 - Transfer Data to Cloud Account",,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]","[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might set the versioning to 'Suspended' before deleting data. 
Attackers might enable versioning to add bucket replication to exfiltrate data.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled""}]",https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""If an attacker suspends versioning, they could delete IAM policies or credentials stored in S3, making recovery of previous versions impossible, thereby preventing account recovery.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""An attacker might disable versioning or enable it without MFA Delete, which allows them to delete or overwrite objects in a way that removes evidence of their activity, complicating forensic investigation.""}, {""technique"": ""T1488 - Data Destruction"", ""reason"": ""If an attacker sets an object expiration lifecycle in a version-enabled bucket and suspends versioning, they could effectively destroy all noncurrent object versions over time, leading to the loss of data.""}]"
+PutObject,s3.amazonaws.com,S3,Adds an object to a bucket.,TA0040 - Impact,T1565 - Data Manipulation,,True,"[{""description"": ""Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020"", ""link"": ""https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020""}, {""description"": ""LA Times homicide website throttles cryptojacking attack"", ""link"": ""https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack""}]",[],Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/s3#s3-PutObject,"[{""technique"": ""T1074 - Data Staged"", ""reason"": ""The PutObject API call 
can be used to store objects in S3 as a staging area for data that might be collected or processed before exfiltration or further use.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Attackers can use PutObject to overwrite existing objects with benign data or to modify metadata, helping to conceal malicious activity by removing indicators of compromise within cloud storage.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""The PutObject API can be used to transfer tools or malicious binaries into an S3 bucket, facilitating their retrieval and execution elsewhere in the environment.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers could upload objects with names or metadata that mimic legitimate files using the PutObject API, making malicious content harder to detect.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""The PutObject API could be used to overwrite critical objects, leading to data loss or destruction, particularly if previous versions are not preserved.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Attackers can use PutObject to upload files containing hidden or obfuscated data (e.g., within images), supporting defense evasion.""}, {""technique"": ""T1570 - Lateral Tool Transfer"", ""reason"": ""Objects added to an S3 bucket via PutObject can be used to transfer tools or payloads across different cloud environments, supporting lateral movement within compromised infrastructure.""}]"
+DescribeSecret,secretsmanager.amazonaws.com,SecretsManager,Retrieves the details of a secret.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.,[],"[{""type"": ""commandLine"", 
""value"": ""aws secretsmanager describe-secret --secret-id TrailDiscover""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The API call could reveal metadata about the secret, including associated AWS accounts or services, contributing to account discovery.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""Although the secret value is not retrieved, the API may still provide information about the existence and purpose of certain credentials, which could be used to find unsecured credentials elsewhere""}, {""technique"": ""T1580 - Cloud Storage Object Discovery"", ""reason"": ""Information revealed by the API could point to cloud storage objects associated with the secret, helping to identify and potentially target cloud resources.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Metadata obtained might give clues about the existence of valid accounts, which could be useful in further attempts to gain unauthorized access.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""Even without the secret value, information from the API could reveal details about data repositories or services that are secured by the secret, which could be exploited in further attacks.""}]"
+GetSecretValue,secretsmanager.amazonaws.com,SecretsManager,"Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, 
Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers can use retrieved secrets to log into cloud accounts or services, expanding their control over the cloud environment.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Accessing secrets via GetSecretValue provides insights into cloud resource configurations and other details useful for discovering and mapping the cloud infrastructure.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Retrieving secrets may give attackers information about the system, such as environment configurations, which helps them understand the environment they are targeting.""}]"
+ListSecrets,secretsmanager.amazonaws.com,SecretsManager,"Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", 
""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use ListSecrets to list all the secrets and potentially access to them later.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager list-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets,"[{""technique"": ""T1526 - Cloud Service Discovery"", ""reason"": ""The ListSecrets API call allows an attacker to enumerate stored secrets within the AWS environment, facilitating discovery of sensitive information or configurations.""}, {""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""An attacker listing secrets might identify credentials stored within Secrets Manager, which could lead to unauthorized access if those credentials are not properly secured or rotated.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By listing secrets, an attacker could discover credentials for valid accounts stored in Secrets Manager, which could then be used to gain unauthorized access to services or resources.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""An attacker could use discovered secrets to masquerade as legitimate tasks or services, blending in with normal operations to avoid detection.""}]"
+DeleteMembers,securityhub.amazonaws.com,SecurityHub,Deletes the specified member 
accounts from Security Hub.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteMembers to remove specific members from the SecurityHub, disrupting security management and monitoring.",[],"[{""type"": ""commandLine"", ""value"": ""aws securityhub delete-members --account-ids TrailDiscoverAccountIds""}]",https://aws.permissions.cloud/iam/securityhub#securityhub-DeleteMembers,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting invited member accounts might be used to cover tracks by eliminating evidence of prior monitoring or alerts associated with those accounts.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting member accounts can serve as a way to remove or prevent access to security services and monitoring, effectively denying those accounts access to critical security insights.""}]"
+AssumeRole,sts.amazonaws.com,STS,Returns a set of temporary security credentials that you can use to access AWS resources.,"TA0001 - Initial Access, TA0003 - Persistence, TA0004 - Privilege Escalation","T1199 - Trusted Relationship, T1078 - Valid Accounts",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]","[{""description"": ""Role Chain Juggling"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": 
""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRole,[]
+AssumeRoleWithSAML,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.,TA0001 - Initial Access,T1199 - Trusted Relationship,,False,[],"[{""description"": ""AWS - STS Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc""}]",Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The AssumeRoleWithSAML API call allows attackers to use valid SAML assertions to gain temporary access to AWS resources, enabling them to gain initial access, maintain persistence, or escalate privileges.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Since SAML authentication typically uses web-based protocols, attackers can use the AssumeRoleWithSAML API call to blend in with legitimate web traffic, making their actions harder to detect.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""By using SAML tokens via the AssumeRoleWithSAML API, attackers can authenticate to AWS services without traditional 
credentials, assisting in defense evasion.""}]"
+AssumeRoleWithWebIdentity,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.,"TA0001 - Initial Access, TA0008 - Lateral Movement","T1199 - Trusted Relationship, T1550 - Use Alternate Authentication Material",,False,[],"[{""description"": ""From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk"", ""link"": ""https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/""}]",Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The AssumeRoleWithWebIdentity API allows an attacker to gain valid temporary AWS credentials through a web identity provider, enabling them to access AWS services with authenticated permissions.""}, {""technique"": ""T1505 - Server Software Component"", ""reason"": ""If an attacker has compromised a web application, they can use the AssumeRoleWithWebIdentity API to escalate privileges or maintain persistence by obtaining temporary credentials.""}]"
+GetCallerIdentity,sts.amazonaws.com,STS,Returns details about the IAM user or role whose credentials are used to call the operation.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}, {""description"": ""Enumerate AWS Account ID from an EC2 Instance"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/""}]",Attackers might use GetCallerIdentity to know what user or role are they using. 
This request does not need any permission.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-caller-identity""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetCallerIdentity API call provides detailed information about the IAM user or role making the request, enabling an attacker to understand the current access context and tailor subsequent actions based on available permissions.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By successfully calling GetCallerIdentity, an attacker can confirm that a set of credentials is valid and active, which is essential for leveraging these credentials to access additional resources within the AWS environment.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""Attackers can use stolen or compromised credentials to invoke GetCallerIdentity, verifying the legitimacy and scope of these credentials without needing specific permissions, aiding in maintaining unauthorized access.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""The information retrieved can help map out aspects of the cloud environment, such as account numbers and associated roles, providing insight necessary for further reconnaissance and targeted attacks.""}]"
+GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,,True,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": 
""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken,"[{""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""The temporary credentials provided by GetFederationToken can serve as alternate authentication tokens, enabling access to various AWS services without relying on long-term credentials, thereby aiding in defense evasion.""}, {""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""An attacker with access to the credentials of an IAM user could exploit GetFederationToken to generate new credentials, which can be used to escalate their privileges or access other resources.""}, {""technique"": ""T1134 - Access Token Manipulation"", ""reason"": ""Similar to manipulating access tokens, attackers can use GetFederationToken to create temporary sessions that spoof legitimate access 
patterns, aiding in evasion and unauthorized access.""}]"
+GetSessionToken,sts.amazonaws.com,STS,Returns a set of temporary credentials for an AWS account or IAM user.,TA0001 - Initial Access,T1199 - Trusted Relationship,,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""AWS STS GetSessionToken Abuse"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html""}]",Attackers might use GetSessionToken to obtain temporary access credentials.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456""}]",https://aws.permissions.cloud/iam/sts#sts-GetSessionToken,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The GetSessionToken API call generates temporary credentials that can be used as valid accounts, allowing an adversary to bypass certain security measures by leveraging these temporary credentials.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""The temporary credentials from GetSessionToken can act as alternative authentication material, enabling attackers to maintain access without the need to use the compromised long-term credentials again, thus evading certain detection mechanisms.""}]"
+ListServiceQuotas,servicequotas.amazonaws.com,ServiceQuotas,Lists the applied quota values for the specified AWS service.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""SES-PIONAGE"", ""link"": 
""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.,[],"[{""type"": ""commandLine"", ""value"": ""aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode""}]",https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing service quotas provides detailed information about the configuration and resource limits within an AWS environment. This information helps attackers understand the system's structure, enabling them to identify potential areas for exploitation or further reconnaissance.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Filtering by account or resource level when retrieving quotas may expose details about which permissions are associated with different accounts or roles.""}, {""technique"": ""T1007 - System Service Discovery"", ""reason"": ""Listing quotas can reveal which AWS services are in use and their configurations, helping attackers map out the environment and understand what services are available.""}]"
+RequestServiceQuotaIncrease,servicequotas.amazonaws.com,ServiceQuotas,Submits a quota increase request for the specified quota at the account or resource level.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": 
""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}]",[],Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.,[],"[{""type"": ""commandLine"", ""value"": ""aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2""}]",https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease,"[{""technique"": ""T1583 - Acquire Infrastructure"", ""reason"": ""The API allows for requesting additional resources, enabling the attacker to develop infrastructure needed for further malicious activities.""}]"
+CreateEmailIdentity,ses.amazonaws.com,SES,Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.,[],"[{""type"": ""commandLine"", ""value"": ""aws sesv2 create-email-identity --email-identity cloudtrail.cloud""}]",https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity,"[{""technique"": ""T1583 - Acquire Infrastructure"", ""reason"": ""Verifying an email identity or domain is part of acquiring the necessary infrastructure for sending emails, which could be used for malicious activities such as phishing or command and control.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The verification of an email identity, especially when using DKIM, helps establish a legitimate-looking account or service that can be exploited for malicious purposes.""}, {""technique"": ""T1566 - Phishing"", ""reason"": ""The verified email identity or domain can be utilized to send phishing emails, leveraging the 
trust established by a verified and legitimate-looking sender address or domain.""}]"
+DeleteIdentity,ses.amazonaws.com,SES,Deletes the specified identity (an email address or a domain) from the list of verified identities.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DeleteIdentity to disrupt email sending capabilities or delete an identity previously used attackers.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ses delete-identity --identity TrailDiscoverIdentity""}]",https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting an email address or domain from the list of verified identities can remove access for legitimate users, thereby evading detection by disrupting normal email flows and alert mechanisms that rely on these identities.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""Deleting a verified identity can disrupt communication channels, especially if the identity is tied to critical email systems, effectively leading to the destruction of necessary operational data.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""This operation could contribute to a denial of service by removing a critical identity that is required for sending emails, thus halting communication or alerting capabilities within the affected system.""}]"
+GetAccount,ses.amazonaws.com,SES,Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.,TA0007 - Discovery,T1087 - Account 
Discovery,,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetAccount to gather sensitive information about the AWS SES account for malicious purposes.,[],"[{""type"": ""commandLine"", ""value"": ""aws sesv2 get-account""}]",https://aws.permissions.cloud/iam/ses#ses-GetAccount,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By obtaining information about the SES account, attackers can identify if an account is enabled for sending emails, aiding in the identification of valid accounts for unauthorized access.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""The GetAccount API call allows an attacker to gather information related to the cloud infrastructure's email capabilities, essential for understanding the cloud environment and planning further malicious activities.""}]"
+GetAccountSendingEnabled,ses.amazonaws.com,SES,Returns the email sending status of the Amazon SES account for the current Region.,TA0007 - Discovery,T1087 - Account Discovery,,False,[],"[{""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.",[],"[{""type"": ""commandLine"", 
""value"": ""aws ses get-account-sending-enabled""}]",https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By querying the SES email sending status, attackers can learn whether the service is configured and operational, revealing critical details about the cloud environment's setup.""}, {""technique"": ""T1590 - Gather Victim Identity Information"", ""reason"": ""Understanding the email sending status through GetAccountSendingEnabled may provide insights into associated email addresses or domains, which can be used for further reconnaissance activities.""}]"
+GetIdentityVerificationAttributes,ses.amazonaws.com,SES,"Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.",TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity""}]",https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes,"[{""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""The API can be used to verify the status of email addresses, enabling attackers to identify active and valid email addresses that may be targeted for social engineering or phishing attacks.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Access to this API could indicate that an attacker has compromised cloud credentials, allowing them to monitor or manipulate email verification statuses, potentially leading to further unauthorized access.""}]"
+GetSendQuota,ses.amazonaws.com,SES,Provides the 
sending limits for the Amazon SES account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-send-quota""}]",https://aws.permissions.cloud/iam/ses#ses-GetSendQuota,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetSendQuota API call can be used to determine the current email sending limits of an account, which is a form of system information that could help an adversary understand the operational capabilities of the target environment.""}, {""technique"": ""T1602 - Gather Victim Host Information"", ""reason"": ""By using GetSendQuota, an attacker could gather details about the SES service's capacity and limitations, which is part of understanding the victim's resources.""}, {""technique"": ""T1580 - Cloud Service Discovery"", ""reason"": ""This API call allows adversaries to discover details about the cloud services in use (SES in this case), 
contributing to broader cloud service reconnaissance.""}]"
+ListIdentities,ses.amazonaws.com,SES,"Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.",TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses list-identities --identity-type \""EmailAddress\""""}]",https://aws.permissions.cloud/iam/ses#ses-ListIdentities,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The ListIdentities API might help an attacker identify valid cloud accounts or identities to target for subsequent attacks, such as trying to access these accounts using stolen or guessed credentials.""}, {""technique"": ""T1033 - System Owner/User Discovery"", ""reason"": ""Identifying system owners or 
users based on the listed identities can help attackers target specific accounts or tailor attacks based on the roles of those users.""}]" +UpdateAccountSendingEnabled,ses.amazonaws.com,SES,Enables or disables email sending across your entire Amazon SES account in the current AWS Region.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],"Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses update-account-sending-enabled""}]",https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Disabling email sending can help evade detection by preventing the generation of SES-based alerts or logs that might indicate malicious activities.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""An attacker could use this API call to disable email sending, potentially preventing security teams from receiving critical alerts and impairing the defenses of the environment.""}]" +VerifyEmailIdentity,ses.amazonaws.com,SES,Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.,[],"[{""type"": ""commandLine"", 
""value"": ""aws ses verify-email-identity --email-address TrailDiscoverEmail""}]",https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": "" By verifying an email address, an adversary might create a valid cloud account identity that could be used in subsequent malicious activities, making it appear as if actions are being carried out by a legitimate user.""}, {""technique"": ""T1588 - Obtain Capabilities"", ""reason"": ""Adversaries could use the API to validate an email identity, thereby acquiring a tool or resource that can be utilized in future phishing or spamming campaigns.""}]" +ConsoleLogin,signin.amazonaws.com,SignIn,This is the CloudTrail event generated when you sign-in.,TA0001 - Initial Access,T1078 - Valid Accounts,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Responding to an attack in AWS"", ""link"": ""https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac""}, {""description"": ""Credential Phishing"", ""link"": ""https://ramimac.me/aws-phishing#credential-phishing""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"", ""link"": 
""https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/""}]","[{""description"": ""Compromising AWS Console credentials"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/""}, {""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might access via AWS console (generating a ConsoleLogin event).,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6""}, {""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa""}]",N/A,"[{""technique"": ""T1199 - Trusted Relationship"", ""reason"": ""An attacker might exploit trusted relationships between accounts, leading to a console login that can be traced back to an initial access attempt.""}]" +GetSigninToken,signin.amazonaws.com,SignIn,Generate a SigninToken that can be used to login to the the AWS Management Console.,TA0001 - Initial Access,T1078 - Valid Accounts,,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might access via a Federated identity (such as AWS SSO) to the Management 
Console.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,[] +PasswordRecoveryRequested,signin.amazonaws.com,SignIn,This is the CloudTrail event generated when you request a password recovery.,TA0001 - Initial Access,T1078 - Valid Accounts,,True,"[{""description"": ""An Ongoing AWS Phishing Campaign"", ""link"": ""https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/""}, {""description"": ""Disclosure of Security Incidents on imToken"", ""link"": ""https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken""}]",[],Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""The password recovery process could be manipulated or exploited to gain access to credentials, especially if the attacker can intercept or redirect the recovery process.""}]" +SwitchRole,signin.amazonaws.com,SignIn,This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.,TA0008 - Lateral Movement,T1021 - Remote Services,,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}]",Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The SwitchRole API call indicates that a user is leveraging valid credentials to access different roles, which could be used for maintaining persistence, evading detection, or moving laterally within the AWS environment.""}, {""technique"": ""T1068 - Exploitation for Privilege Escalation"", ""reason"": ""Switching to a role with higher privileges could be an attempt to escalate privileges within the 
AWS environment.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""The API call might be used to masquerade as a different user or role, enabling an attacker to carry out malicious activities under the guise of a legitimate user.""}]" +GetSMSAttributes,sns.amazonaws.com,SNS,Returns the settings for sending SMS messages from your AWS account.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]",Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns get-sms-attributes --attributes TrailDiscoverAttributes""}]",https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetSMSAttributes call can reveal details about the SMS configuration, including regions, usage patterns, and sender IDs, providing an attacker with valuable information about the environment.""}]" +GetSMSSandboxAccountStatus,sns.amazonaws.com,SNS,Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": 
""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}]","[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns get-sms-sandbox-account-status""}]",https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""This API call allows an adversary to determine the SMS sandbox status, which can reveal if an AWS account is still in a test phase or if it's been moved to production, indicating how the account might be used or targeted.""}]" +ListOriginationNumbers,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-origination-numbers""}]",https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""The ListOriginationNumbers API call provides information on the account's SMS origination numbers, which could help an adversary discover and map out cloud resources associated with the account.""}]" +ListSubscriptions,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-subscriptions""}]",https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts.""}, {""technique"": ""T1007 - System Service Discovery"", ""reason"": ""The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations.""}]" +ListTopics,sns.amazonaws.com,SNS,Returns a list of the requester's topics.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,False,[],"[{""description"": ""NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-topics""}]",https://aws.permissions.cloud/iam/sns#sns-ListTopics,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts.""}, {""technique"": ""T1007 - System Service Discovery"", ""reason"": ""The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations.""}]" +Publish,sns.amazonaws.com,SNS,"Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).",TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use Publish for smishing campaigns.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sns#sns-Publish,"[{""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The SNS Publish API can send messages using common application layer protocols such as HTTPS. 
This can be used for command and control communication by sending instructions or payloads to subscribed endpoints in a covert manner.""}, {""technique"": ""T1537 - Transfer Data to Cloud Account"", ""reason"": ""Attackers can use SNS to exfiltrate data by sending it as a message to a subscribed endpoint, which may belong to an external cloud account controlled by the adversary.""}, {""technique"": ""T1090 - Proxy"", ""reason"": ""The SNS service can act as a relay for communications, allowing attackers to hide the true source and destination of their messages by using SNS as an intermediary, which can evade detection mechanisms.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""By automating the use of SNS Publish to regularly send messages containing exfiltrated data to external endpoints, attackers can maintain a consistent and automated exfiltration channel.""}]" +DescribeInstanceInformation,ssm.amazonaws.com,SSM,"Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds""}]",https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The API retrieves comprehensive details about the managed nodes, including platform name, version, and agent status, which helps in understanding the target system.""}, {""technique"": ""T1078 
- Valid Accounts"", ""reason"": ""The IAM role associated with each managed node can be analyzed to identify and potentially exploit valid credentials, leading to unauthorized access.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""IP addresses and system information can be used to discover and map out other systems within the network environment.""}]" +GetParameters,ssm.amazonaws.com,SSM,Get information about one or more parameters by specifying multiple parameter names.,"TA0007 - Discovery, TA0006 - Credential Access","T1526 - Cloud Service Discovery, T1552 - Unsecured Credentials",,False,[],"[{""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm get-parameters --names TrailDiscoverParameters""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters""}]",https://aws.permissions.cloud/iam/ssm#ssm-GetParameters,"[{""technique"": ""T1552 - Unsecured Credentials"", ""reason"": ""The GetParameters API, particularly with decryption enabled, can be used to retrieve sensitive credentials if they are stored in the SSM Parameter Store. 
This can expose API keys, passwords, or other authentication materials.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By using GetParameters, an attacker can gather configuration and environment details stored in the parameters, aiding in system information discovery.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""If parameter values include credentials or tokens, the attacker could use them to access valid accounts, facilitating further malicious activity.""}]" +ResumeSession,ssm.amazonaws.com,SSM,Reconnects a session to a managed node after it has been disconnected.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",,False,[],"[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ResumeSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm resume-session --session-id TrailDiscoverTarget""}]",https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers can use valid credentials to reconnect to a previously disconnected session, allowing them to maintain persistent access to a system without re-authenticating.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""By reconnecting to an active session, attackers can continue to upload malicious tools or scripts to the managed node without needing to initiate a new session, facilitating ongoing exploitation.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The reconnection process uses HTTPS, allowing attackers to maintain an encrypted communication channel, which could be used for executing commands or transferring data during the resumed session.""}]" +SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - 
Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The SendCommand API is designed to execute commands on managed nodes, which directly involves the use of command and scripting interpreters to run scripts or commands.""}, {""technique"": ""T1053 - Scheduled Task/Job"", ""reason"": ""The SendCommand API can be used to create or modify scheduled tasks on managed nodes, enabling the execution of commands at specified times, which is essential for 
maintaining persistence.""}, {""technique"": ""T1105 - Ingress Tool Transfer"", ""reason"": ""Attackers can use SendCommand to download and execute additional tools or payloads on the managed nodes, which is directly relevant to executing commands that facilitate further compromise.""}, {""technique"": ""T1569 - System Services"", ""reason"": ""The SendCommand API can start, stop, or restart system services on managed nodes, allowing for the execution of commands that may serve various purposes, including persistence or privilege escalation.""}]" +StartSession,ssm.amazonaws.com,SSM,"Initiates a connection to a target (for example, a managed node) for a Session Manager session.","TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}]",Attackers might use StartSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm start-session --target TrailDiscoverTarget""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session""}]",https://aws.permissions.cloud/iam/ssm#ssm-StartSession,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The StartSession API allows for establishing a session where commands can be executed on the managed node through a command-line interface. 
This enables direct interaction with the system, facilitating the execution of scripts or commands remotely.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The StartSession API requires valid credentials and an authenticated token to initiate a session, allowing access to managed nodes. Attackers with compromised credentials can exploit this to gain unauthorized access to systems.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The StartSession API uses WebSocket connections over HTTPS, enabling communication with the managed node. This can be leveraged to disguise command and control traffic within regular web traffic, making detection more challenging.""}]" +CreateServer,transfer.amazonaws.com,TransferFamily,Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateServer,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""The server creation process may involve generating or utilizing valid credentials, which can be leveraged by attackers to gain unauthorized access to the system.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The server can be used to facilitate command and control communications using standard file transfer protocols (e.g., SFTP, FTPS), which are application layer protocols.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attackers could configure the server to 
allow them to access from the internet to S3 files.""}]" +CreateUser,transfer.amazonaws.com,TransferFamily,Creates a user and associates them with an existing file transfer protocol-enabled server.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateUser to use the Transfer Family service.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-user --server-id s-1234567890abcdef0 --user-name TrailDiscover --role arn:aws:iam::123456789012:role/TrailDiscover --home-directory /TrailDiscover""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateUser,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Creating a user in the Transfer Family service results in valid credentials that could be exploited for unauthorized access.""}, {""technique"": ""T1136 - Create Account"", ""reason"": ""The CreateUser API call involves the creation of a new account, which can be used by attackers to establish persistence in the environment.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The creation of a new user account allows for the potential manipulation of user roles or permissions, enabling privilege escalation.""}]" +DeleteRuleGroup,wafv2.amazonaws.com,WAFV2,Deletes the specified RuleGroup.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,False,[],"[{""description"": ""AWS WAF Rule or Rule Group Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteRuleGroup to disable security rules, making the system vulnerable to cyber attacks.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 delete-rule-group --name TestRuleGroup --scope 
REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteRuleGroup,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""By deleting a RuleGroup that is crucial for access management, an attacker could manipulate accounts or credentials to bypass security controls.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Removing critical firewall rules could lead to a Denial of Service (DoS) by allowing malicious traffic to overwhelm the system or service endpoints.""}, {""technique"": ""T1070 - Indicator Removal"", ""reason"": ""The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities.""}]" +DeleteWebACL,wafv2.amazonaws.com,WAFV2,Deletes the specified WebACL.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,False,[],"[{""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting the WebACL after disassociating it from resources could be used to remove evidence of previous configurations that could have logged or blocked malicious activity.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""By deleting the WebACL, an attacker could attempt to make malicious traffic appear legitimate by removing the security policies that would identify or block it.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""Deleting critical WebACL 
protections, especially after disassociating them from resources, may increase the likelihood of successful DoS attacks against those now-unprotected resources, affecting service availability.""}]"
+UpdateIPSet,wafv2.amazonaws.com,WAFV2,Updates the specified IPSet.,TA0005 - Defense Evasion,T1562 - Impair Defenses,,False,[],"[{""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]","Attackers might use UpdateIPSet to modify IP address rules, potentially allowing unauthorized access from IPs they control.",[],"[{""type"": ""commandLine"", ""value"": ""aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5""}]",https://aws.permissions.cloud/iam/wafv2#wafv2-UpdateIPSet,"[{""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""By updating an IPSet to allow or block specific IP addresses, an attacker can manipulate web traffic to facilitate or evade detection during Command and Control activities.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""An attacker could update the IPSet to block access to critical services, effectively stopping them by denying network access. This is relevant because the API call can alter IP address permissions, potentially disrupting service availability.""}, {""technique"": ""T1499 - Endpoint Denial of Service"", ""reason"": ""By modifying the IPSet to block or allow certain IP addresses, an attacker could cause a Denial of Service (DoS) attack by either overwhelming a service with traffic or cutting off access to legitimate users.""}]"
diff --git a/docs/events.json b/docs/events.json
index aedca0e..a5d8471 100644
--- a/docs/events.json
+++ b/docs/events.json
@@ -1,362 +1,655 @@ [ { - "eventName": "ChangeResourceRecordSets", - "eventSource": "route53.amazonaws.com", - "awsService": "Route53", - "description": "Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.", + "eventName": "GetCertificate", + "eventSource": "acm-pca.amazonaws.com", + "awsService": "ACMPCA", + "description": "Retrieves a certificate from your private CA or one that has been shared with you.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1040- Network Sniffing" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1119 - Automated Collection", + "reason": "An attacker could write a script that continiously calls GetCertificate to get all certificates" + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Using GetCertificate, adversaries can discover details about the cloud infrastructure, including how certificates are managed and issued within the environment." + }, + { + "technique": "TT1589 - Gather Victim Identity Information", + "reason": "Often times victim information is present in the certificate, f.e. email adresses." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Often times certificates are issued for single cloud services. " + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "One could label the ACMPCA as a cloud storage, because the certificates are stored in there." 
+ }, + { + "technique": "T1021.007 - Remote Services: Cloud Services", + "reason": "The GetCertificate API call retrieves certificates from a private CA or one that has been shared, which can then be used to authenticate access to various cloud services. Adversaries can use these certificates to authenticate themselves to cloud services remotely, leveraging the trust established by the certificate. This enables the adversary to move laterally within the cloud environment, access additional resources, or establish persistence by maintaining authenticated sessions with the compromised certificates" + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details" + }, + { + "technique": "T1557 - Adversary-in-the-Middle", + "reason": "Certificates retrieved can be used in Man-in-the-Middle (MitM) attacks to intercept and decrypt secure communications." + }, + { + "technique": "T1021 - Remote Services", + "reason": "Certificates are often used as an authetication material, especially in enterprise environments and can be therefore used to move laterally." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { "description": "AWS API Call Hijacking via ACM-PCA", "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" } ], - "securityImplications": "Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.", + "securityImplications": "Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc" } ], - "permissions": "https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets" + "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate" }, { - "eventName": "ListDomains", - "eventSource": "route53domains.amazonaws.com", - "awsService": "route53domains", - "description": "This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.", + "eventName": "IssueCertificate", + "eventSource": "acm-pca.amazonaws.com", + "awsService": "ACMPCA", + "description": "Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1040- Network Sniffing" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078- Valid Accounts", + "reason": "Issuing a certificate can create a valid cloud account credential. 
This certificate could be used to authenticate against various services. Issued certificates could be used to create or access local accounts within the cloud infrastructure. " + }, + { + "technique": "T1212- Exploitation for Credential Access", + "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details or are from a trustd CA." + }, + { + "technique": "T1136- Create Account", + "reason": "An adversary might use a certificate to create new cloud accounts or gain access to existing ones under the guise of legitimate credentials." + }, + { + "technique": "T1588- Obtain Capabilities", + "reason": "By using this API call an adversary has successfully gained the capability to create digital certificates." + }, + { + "technique": "T1550- Use Alternate Authentication Material", + "reason": "Issued certificates can be used as alternative authentication material in place of traditional credentials like web cookies, aiding in Credential Access and Defense Evasion." + }, + { + "technique": "T1586.003- Compromise Accounts", + "reason": "By issuing certificates through the IssueCertificate API call, adversaries can compromise cloud accounts by creating legitimate credentials for accessing cloud services. These certificates can be used to authenticate and gain control over cloud accounts, facilitating Initial Access and Persistence. The adversary can then maintain access by leveraging these certificates, bypassing traditional authentication mechanisms and evading detection." + }, + { + "technique": "T1027- Obfuscated Files or Information", + "reason": "Certificates issued via this API call can be used to obfuscate the true nature of communication and data, aiding in Defense Evasion." + }, + { + "technique": "T1553- Subvert Trust Controls", + "reason": "By issuing a certificate, an adversary can sign malicious binaries, making them appear legitimate and trusted, aiding in Defense Evasion." 
+ }, + { + "technique": "T1071.001- Application Layer Protocol - Web Protocols", + "reason": "Issued certificates can be used to secure communication over web protocols, potentially aiding in Defense Evasion and Credential Access by making malicious traffic appear legitimate." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "AWS API Call Hijacking via ACM-PCA", + "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" } ], - "securityImplications": "Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.", + "securityImplications": "Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws route53domains list-domains --region us-east-1" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains" + "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate" }, { - "eventName": "GetHostedZoneCount", - "eventSource": "route53.amazonaws.com", - "awsService": "Route53", - "description": "Retrieves the number of hosted zones that are associated with the current AWS account.", + "eventName": "CreateApiKey", + "eventSource": "appsync.amazonaws.com", + "awsService": "AppSync", + "description": "Creates a unique key that you can distribute to clients who invoke your API.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion", + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1578 - Modify Cloud Compute Infrastructure", + "T1556 - Modify Authentication 
Process" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "API keys are a form of credentials that attackers can use to gain and maintain access to cloud services." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations." + }, + { + "technique": "T1550.001 - Use Alternate Authentication Material: Application Access Token", + "reason": "API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers can use API keys to route their malicious traffic through a AppSync, which acts here as a proxy, hiding their true origin and bypassing security measures." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", + "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" } ], - "securityImplications": "Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.", + "securityImplications": "Attackers might use CreateApiKey to add a key they control for authentication. 
Bypassing current authentication and potentially allowing persistent access to data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws route53 get-hosted-zone-count" + "value": "aws appsync create-api-key --api-id TrailDiscoverApiId" } ], - "permissions": "https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount" + "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey" }, { - "eventName": "RegisterDomain", - "eventSource": "route53domains.amazonaws.com", - "awsService": "route53domains", - "description": "This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.", + "eventName": "GetIntrospectionSchema", + "eventSource": "appsync.amazonaws.com", + "awsService": "AppSync", + "description": "Retrieves the introspection schema for a GraphQL API.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1526 - Cloud Service Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1087 - Account Discovery", + "reason": "The GetIntrospectionSchema API call can be used to gather detailed information about the structure of an AWS AppSync GraphQL schema. This can help in identifying user roles, permissions, and accounts associated with the schema in this AWS account." + }, + { + "technique": "T1590: Gather Victim Network Information", + "reason": "Through the introspection schema, an attacker can identify dependencies and integrations with other network services or external APIs, revealing trust relationships and potential attack vectors. 
By retrieving the introspection schema, an attacker can map out the network structure as exposed by the GraphQL API, including services, endpoints, and connections within the AWS environment." } ], - "researchLinks": [], - "securityImplications": "Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", + "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" + } + ], + "securityImplications": "Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws route53domains register-domain --region us-east-1 --cli-input-json '{\"DomainName\": \"\", \"DurationInYears\": 1, \"AdminContact\": { \"FirstName\": \"\", \"LastName\": \"\"}, \"RegistrantContact\": {\"FirstName\": \"\", \"LastName\": \"\" }, \"TechContact\": {\"FirstName\": \"\", \"LastName\": \"\"}}'" + "value": "aws appsync get-introspection-schema --api-id TrailDiscover --format json output" } ], - "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain" + "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema" }, { - "eventName": "CreateHostedZone", - "eventSource": "route53.amazonaws.com", - "awsService": "Route53", - "description": "Creates a new public or private hosted zone. 
You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.", + "eventName": "UpdateGraphqlApi", + "eventSource": "appsync.amazonaws.com", + "awsService": "AppSync", + "description": "Updates a GraphqlApi object.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0005 - Defense Evasion", + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1578 - Modify Cloud Compute Infrastructure", + "T1556 - Modify Authentication Process" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1136 - Create Account", + "reason": "An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges." + }, + { + "technique": "T1212 - Exploitation for Credential Dumping", + "reason": "Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The API call might be used to modify or obfuscate logs and configurations to avoid detection." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By updating the API, attackers might ensure they can access privileged accounts for persistent access." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "AWS API Call Hijacking via ACM-PCA", - "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" + "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", + "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" } ], - "securityImplications": "Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.", + "securityImplications": "Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'" + "value": "aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel" } ], - "permissions": "https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone" + "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi" }, { - "eventName": "InviteAccountToOrganization", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Sends an invitation to another account to join your organization as a member account.", + "eventName": "UpdateResolver", + "eventSource": "appsync.amazonaws.com", + "awsService": "AppSync", + "description": "Updates a Resolver object.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0005 - Defense Evasion", + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1535 - Unused/Unsupported Cloud Regions" + "T1578 - Modify Cloud Compute Infrastructure", + "T1556 - 
Modify Authentication Process" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1136 - Create Account", + "reason": "Using the UpdateResolver API, an adversary can manipulate the AppSync resolver to create new user accounts with specific roles or permissions, enabling persistent access to the AWS environment." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By updating the resolver, adversaries can utilize valid credentials to access AppSync and maintain persistence." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Adversaries can update resolvers to manipulate logs or delete records, evading detection by altering or concealing their tracks." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Adversaries can use the UpdateResolver API to revoke access for legitimate users, thereby preventing them from detecting the adversarial activities." + }, + { + "technique": "T1003 - Credential Dumping", + "reason": "By updating the resolver to capture sensitive data passed through AppSync, adversaries could dump credentials for further exploitation." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Modifying the resolver might allow adversaries to covertly communicate using AppSync's standard protocols, blending in with normal traffic and evading network defenses." + }, + { + "technique": "T1562.001 - Impair Defenses: Disable or Modify Tools", + "reason": "An adversary might update the resolver to disable security tools or modify their behavior, thereby evading detection and maintaining access." 
+ }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "By updating resolvers, adversaries can obfuscate the information passed through AppSync, making it difficult to detect malicious activities within the data flow." } ], - "researchLinks": [], - "securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", + "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" + } + ], + "securityImplications": "Attackers might use UpdateResolver to execute custom code that could allow potential access to data and bypass protections.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'" + "value": "aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template TrailDiscoverResponseMappingTemplate" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization" + "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver" }, { - "eventName": "DescribeOrganization", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Retrieves information about the organization that the user's account belongs to.", + "eventName": "GetQueryResults", + "eventSource": "athena.amazonaws.com", + "awsService": "Athena", + "description": "Streams the results of a single query execution specified 
by QueryExecutionId from the Athena query results location in Amazon S3.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1082 - System Information Discovery", + "reason": "GetQueryResults can be used to gather information about the Athena environment, such as the metadata of the queries and databases. This can reveal insights about the system configuration and the types of data stored." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Athena queries can access and retrieve data from various repositories like S3. GetQueryResults is used to obtain this data, making it a critical step in extracting information from these repositories." + }, + { + "technique": "T1039 - Data from Network Shared Drive", + "reason": " If Athena queries target data stored in network shared drives (like those mounted on EC2 instances and accessible via S3), the GetQueryResults API will be used to collect this data." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers may stage data in a specific location after retrieving it with GetQueryResults before exfiltration. This staging is a preparatory step for further data handling or analysis." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations describe-organization" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization" + "permissions": "https://aws.permissions.cloud/iam/athena#athena-GetQueryResults" }, { - "eventName": "ListOrganizationalUnitsForParent", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Lists the organizational units (OUs) in a parent organizational unit or root.", + "eventName": "CreateFoundationModelAgreement", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to create a new foundation model agreement.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.", + "securityImplications": "Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations list-organizational-units-for-parent --parent-id r-traildiscover" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement" }, { - "eventName": "CreateAccount", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.", + "eventName": "GetFoundationModelAvailability", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to get the availability of a foundation model.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1535 - Unused/Unsupported Cloud Regions" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + 
"unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information." + } ], "usedInWild": true, "incidents": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.", + "securityImplications": "Attackers might use GetFoundationModelAvailability to enumerate accessible models", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\"" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability" }, { - "eventName": "LeaveOrganization", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Removes a member account from its parent organization.", + "eventName": 
"GetModelInvocationLoggingConfiguration", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Get the current configuration values for model invocation logging.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1070 - Indicator Removal" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1070 - Indicator Removal", + "reason": "Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms." + }, + { + "technique": "T1518.001 - Software Discovery", + "reason": "Understanding how model invocation is logged can reveal what security software is in use." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Knowing the logging configuration can help attackers understand how to disable or evade defensive logging." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers might tailor their command and control communication methods based on the logging configurations discovered." + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "An AWS account attempted to leave the AWS Organization", - "link": "https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/" + "description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", + "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/" } ], - "securityImplications": "Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.", + "researchLinks": [], + "securityImplications": "Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations leave-organization" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration" }, { - "eventName": "ListAccounts", - "eventSource": "organizations.amazonaws.com", - "awsService": "Organizations", - "description": "Lists all the accounts in the organization.", + "eventName": "GetUseCaseForModelAccess", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to retrieve a use case for model access.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts: Cloud Accounts", + "reason": "If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information 
about model access use cases, which may aid further malicious activity." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "If the GetUseCaseForModelAccess API provides links or references to data stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "An attacker could script the API call to automatically extract and exfiltrate information about model use cases over time." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.", + "securityImplications": "Attackers might use GetUseCaseForModelAccess to enumerate accessible models.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws organizations list-accounts" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess" }, { - "eventName": "CreateStack", - "eventSource": "cloudformation.amazonaws.com", - "awsService": "CloudFormation", - "description": "Creates a stack as specified in the template.", + "eventName": "InvokeModel", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.", "mitreAttackTactics": [ + "TA0007 - Discovery", "TA0040 - Impact" ], "mitreAttackTechniques": [ + "T1580 - Cloud Infrastructure Discovery", "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The InvokeModel API call can be scripted to run repeatedly, allowing for 
the continuous extraction of data. For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers." + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API." + } + ], "usedInWild": true, "incidents": [ + { + "description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", + "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/" + }, + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, { "description": "New tactics and techniques for proactive threat detection", "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + }, + { + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateStack to provision unauthorized resources", + "securityImplications": "Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource 
hijacking.", "alerting": [], "simulation": [ { 
@@ -364,30 +657,55 @@ "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel" }, { - "eventName": "AssumeRoleWithWebIdentity", - "eventSource": "sts.amazonaws.com", - "awsService": "STS", - "description": "Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.", + "eventName": "InvokeModelWithResponseStream", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.", "mitreAttackTactics": [ - "TA0001 - Initial Access", - "TA0008 - Lateral Movement" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1199 - Trusted Relationship", - "T1550 - Use Alternate Authentication Material" + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk", - "link": "https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Attackers could potentially exploit the model invocation process to execute arbitrary commands or scripts, depending on how the input data to the model is handled and interpreted." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The streaming response can be used to automatically exfiltrate data as it is processed by the model." 
+ }, + { + "technique": "T1041 - Exfiltration Over C2 Channel", + "reason": "The streaming response feature can be exploited to send sensitive data back to an attacker over an established C2 channel." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "If the Bedrock model has access to and processes local system data, attackers could leverage the API call to collect sensitive information. This scenario assumes that the model's processing involves data that might include confidential or proprietary information." + }, + { + "technique": "T1071.004 - Application Layer Protocol: DNS", + "reason": "DNS can be used for exfiltration or command and control if the model's streaming response can be encoded into DNS queries/responses." } ], - "securityImplications": "Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.", + "usedInWild": true, + "incidents": [ + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.", "alerting": [], "simulation": [ { 
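Review bot: The new InvokeModelWithResponseStream entry maps only `"TA0040 - Impact"` / `"T1496 - Resource Hijacking"`, while the sibling InvokeModel entry in the preceding hunk also carries `"TA0007 - Discovery"` and `"T1580 - Cloud Infrastructure Discovery"`; the two APIs differ only in response streaming, so the dataset should either give both the same mapping or record why the streaming variant is not also counted as a way to probe which models a credential can reach. Several `unverifiedMitreAttackTechniques` reasons in this hunk describe capabilities the API itself does not provide — `"T1071.004 - Application Layer Protocol: DNS"` and `"T1041 - Exfiltration Over C2 Channel"` hold for any HTTP response and say nothing specific about Bedrock — which adds noise for anyone consuming this list for detection engineering; I would drop those two or tighten their reasons to what the inference call itself enables. The object's `simulation` and `permissions` fields continue in the next hunk.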
@@ -395,549 +713,820 @@ "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream" }, { - "eventName": "GetFederationToken", - "eventSource": "sts.amazonaws.com", - "awsService": "STS", - "description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.", + "eventName": "ListFoundationModelAgreementOffers", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to get a list of foundation model agreement offers.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1078 - Valid Accounts" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "How Adversaries Can Persist with AWS User Federation", - "link": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + "technique": "T1591.002 - Gather Victim Org Information: Business Relationships", + "reason": "The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details." }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1591 - Gather Victim Org Information", + "reason": "This API call might yield information about the internal structure of the organization, such as departments or teams involved with foundation models, contributing to a broader understanding of the target's organizational setup." 
}, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1069 - Permission Groups Discovery", + "reason": "The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Create a Console Session from IAM Credentials", - "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/" - }, - { - "description": "Survive Access Key Deletion with sts:GetFederationToken", - "link": "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" } ], - "securityImplications": "Attackers might use GetFederationToken to gain temporary access credentials.", + "researchLinks": [], + "securityImplications": "Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetFederationToken" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers" }, { - "eventName": "GetSessionToken", - "eventSource": "sts.amazonaws.com", - "awsService": "STS", - "description": "Returns a set of temporary credentials for an AWS account or IAM user.", + "eventName": 
"ListFoundationModels", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to list Bedrock foundation models that you can use.", "mitreAttackTactics": [ - "TA0001 - Initial Access" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1199 - Trusted Relationship" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" - } - ], - "researchLinks": [ + "technique": "T1087 - Account Discovery", + "reason": "Listing foundation models can help an adversary understand what cloud resources are available and their configurations" + }, { - "description": "AWS STS GetSessionToken Abuse", - "link": "https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html" + "technique": "T1057 - Process Discovery", + "reason": "Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment" + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Listing foundation models helps in gathering detailed system information." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "Adversaries may list foundation models to understand the trust relationships and dependencies between different cloud resources." 
} ], - "securityImplications": "Attackers might use GetSessionToken to obtain temporary access credentials.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" } ], + "researchLinks": [], + "securityImplications": "Attackers might use ListFoundationModels to enumerate accessible models.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetSessionToken" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels" }, { - "eventName": "AssumeRole", - "eventSource": "sts.amazonaws.com", - "awsService": "STS", - "description": "Returns a set of temporary security credentials that you can use to access AWS resources.", + "eventName": "ListProvisionedModelThroughputs", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to list provisioned model throughputs that you created earlier.", "mitreAttackTactics": [ - "TA0001 - Initial Access", - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1199 - Trusted Relationship", - "T1078 - Valid Accounts" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1087.004 - Cloud Account", + 
"reason": "The ListProvisionedModelThroughputs API call can help an attacker identify active cloud accounts and associated resources by listing the provisioned models, providing insight into the resources allocated in the cloud environment." }, { - "description": "Trouble in Paradise", - "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" - } - ], - "researchLinks": [ + "technique": "T1082 - System Information Discovery", + "reason": "This API call can be used to gather information about the configuration and state of the provisioned model throughputs, which contributes to understanding the system's current setup and operational status." + }, { - "description": "Role Chain Juggling", - "link": "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/" + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "By listing provisioned model throughputs, an attacker can potentially identify models and associated data stored in cloud storage, enabling them to target specific data repositories." }, { - "description": "Detecting and removing risky actions out of your IAM security policies", - "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" + "technique": "T1078 - Valid Accounts", + "reason": "Legitimate cloud accounts with access to this API call can be used to gather information on provisioned models. If an attacker gains control of such an account, they can enumerate resources to assess what data and services are available within the cloud environment." } ], - "securityImplications": "Attackers might use AssumeRole to gain unauthorized access to an AWS role. 
This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.", + "usedInWild": true, + "incidents": [ + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRole" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs" }, { - "eventName": "AssumeRoleWithSAML", - "eventSource": "sts.amazonaws.com", - "awsService": "STS", - "description": "Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.", + "eventName": "PutFoundationModelEntitlement", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to put entitlement to access a foundation model.", "mitreAttackTactics": [ - "TA0001 - Initial Access" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1199 - Trusted Relationship" + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS - STS Privesc", - "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc" + "technique": "T1098 - Account Manipulation", + "reason": "" + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Authorized accounts might be modified or managed to maintain persistent access to 
foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. Access might be granted to default accounts, which could be exploited if not properly managed. Local accounts could be granted access, potentially leading to unauthorized activities within the environment." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion." } ], - "securityImplications": "Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], + "researchLinks": [], + "securityImplications": "Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.", + "alerting": [], "simulation": [ { "type": "commandLine", "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement" }, { - "eventName": "GetCallerIdentity", - "eventSource": 
"sts.amazonaws.com", - "awsService": "STS", - "description": "Returns details about the IAM user or role whose credentials are used to call the operation.", + "eventName": "PutUseCaseForModelAccess", + "eventSource": "bedrock.amazonaws.com", + "awsService": "Bedrock", + "description": "Grants permission to put a use case for model access.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1496 - Resource Hijacking" ], - "usedInWild": true, - "incidents": [ - { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" - }, - { - "description": "GotRoot! AWS root Account Takeover", - "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - }, - { - "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/" - }, - { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1078 - Valid Accounts", + "reason": "Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access." 
}, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1098 - Account Manipulation", + "reason": "This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or maintaining access." } ], - "researchLinks": [ - { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" - }, + "usedInWild": true, + "incidents": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" }, { - "description": "Enumerate AWS Account ID from an EC2 Instance", - "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/" + "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", + "link": "https://permiso.io/blog/exploiting-hosted-models" } ], - "securityImplications": "Attackers might use GetCallerIdentity to know what user or role are they using. 
This request does not need any permission.", + "researchLinks": [], + "securityImplications": "Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sts get-caller-identity" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity" + "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess" }, { - "eventName": "ListTopics", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Returns a list of the requester's topics.", + "eventName": "CreateStack", + "eventSource": "cloudformation.amazonaws.com", + "awsService": "CloudFormation", + "description": "Creates a stack as specified in the template.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", - "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/" + "technique": "T1136 - Create Account", + "reason": "The CreateStack API call can be used to set up new accounts within the cloud environment as part of deploying a CloudFormation stack, which aids in gaining and maintaining access." 
+ }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "The creation of new stacks can be used to modify or add cloud compute infrastructure, which can be part of defense evasion by creating resources that blend into the existing environment." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating new stacks could involve setting up new accounts or roles that can be used later, contributing to persistence within the environment." } ], - "securityImplications": "Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.", + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateStack to provision unauthorized resources", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sns list-topics" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListTopics" + "permissions": "https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack" }, { - "eventName": "ListSubscriptions", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.", + "eventName": "CreateFunction", + "eventSource": "cloudfront.amazonaws.com", + "awsService": "CloudFront", + "description": "Creates a CloudFront function.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0009 - Collection" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1119 - Automated Collection" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": 
"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", - "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/" - } - ], - "securityImplications": "Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.", - "alerting": [], - "simulation": [ + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "CloudFront functions are written in JavaScript, enabling the execution of scripts." + }, { - "type": "commandLine", - "value": "aws sns list-subscriptions" + "technique": "T1546 - Event Triggered Execution", + "reason": "A CloudFront function can be set to trigger on specific events, establishing persistence." + }, + { + "technique": "T1562.001 - Impair Defenses", + "reason": "CloudFront functions can modify requests and responses, which can be used to evade detection tools." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The JavaScript code within CloudFront functions can be obfuscated to hide malicious intent." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "CloudFront functions can communicate using web protocols, facilitating command and control." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Functions can be used to remove or alter log files, helping in defense evasion." + }, + { + "technique": "T1574 - Hijack Execution Flow", + "reason": "CloudFront functions manipulate the flow of requests, which can be seen as hijacking the execution flow within the cloud infrastructure." + }, + { + "technique": "T1008 - Fallback Channels", + "reason": "CloudFront functions can be designed to use fallback channels for command and control if the primary method is disrupted." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Improperly configured or malicious CloudFront functions can cause application exhaustion, leading to denial-of-service attacks." 
} ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions" - }, - { - "eventName": "ListOriginationNumbers", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", - "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/" + "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", + "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" } ], - "securityImplications": "Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.", + "securityImplications": "Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sns list-origination-numbers" + "value": "aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=" } ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers" + "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction" }, { - "eventName": "GetSMSAttributes", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Returns the settings for sending SMS messages from your AWS account.", + "eventName": "PublishFunction", + "eventSource": "cloudfront.amazonaws.com", + "awsService": "CloudFront", + "description": "Publishes a CloudFront function by copying the 
function code from the DEVELOPMENT stage to LIVE.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0009 - Collection" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1119 - Automated Collection" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", - "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/" + "technique": "T1560 - Archive Collected Data", + "reason": "A published CloudFront function could aggregate and compress data, preparing it for exfiltration." }, { - "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/" + "technique": "T1070 - Indicator Removal", + "reason": "A function can be programmed to clean up or remove indicators of compromise, aiding in evasion of detection" + }, + { + "technique": "T1036 - Masquerading", + "reason": "Malicious functions can be disguised as legitimate CloudFront functions, hiding malicious activities within seemingly normal operations." + }, + { + "technique": "T1090 - Proxy", + "reason": "A CloudFront function could redirect traffic through CloudFront, acting as a proxy and obscuring the origin of command and control traffic." + }, + { + "technique": "T1102 - Web Service", + "reason": "Leveraging CloudFront functions to interact with web services, enabling command and control via HTTP or HTTPS, blending with regular web traffic" + }, + { + "technique": "T1204 - User Execution", + "reason": "If the published function requires user interaction or specific conditions to trigger, it aligns with techniques requiring user execution." 
+ }, + { + "technique": "T1048 - Exfiltration Over Alternative Protocol", + "reason": "A CloudFront function could use alternative protocols for data exfiltration, bypassing standard monitoring tools." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The function may use application layer protocols (HTTP/S) for communication, facilitating command and control or data exfiltration." + }, + { + "technique": "T1574 - Hijack Execution Flow", + "reason": "The PublishFunction API can be used to modify how CloudFront handles requests, potentially hijacking the execution flow to achieve malicious objectives" } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", + "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" } ], - "securityImplications": "Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.", + "securityImplications": "Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sns get-sms-attributes --attributes TrailDiscoverAttributes" + "value": "aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function" } ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes" + "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction" }, { - "eventName": "Publish", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Sends a message to an 
Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).", + "eventName": "UpdateDistribution", + "eventSource": "cloudfront.amazonaws.com", + "awsService": "CloudFront", + "description": "Updates the configuration for a CloudFront distribution.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0009 - Collection" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1119 - Automated Collection" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/" + "technique": "T1070 - Indicator Removal", + "reason": "An attacker could modify CloudFront distribution settings to remove or alter logging configurations, thus deleting or hiding evidence of malicious activities." }, { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "technique": "T1090 - Proxy", + "reason": "By updating CloudFront distribution, an attacker can route traffic through CloudFront, effectively hiding the origin of malicious traffic and obfuscating command and control communications." + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "An attacker might reconfigure CloudFront to redirect sensitive data to an external endpoint under their control, facilitating data exfiltration over a web service." 
+ }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying CloudFront distribution settings can be used to impair security monitoring and defense mechanisms by disabling or altering configurations that are critical for security monitoring." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "An attacker might modify the CloudFront distribution to use cloud storage as a method to archive and exfiltrate collected data." + }, + { + "technique": "T1497 - Virtualization/Sandbox Evasion", + "reason": "CloudFront configurations can be updated to delay or slow responses, making detection and analysis more difficult, effectively evading automated analysis systems." + }, + { + "technique": "T1568 - Dynamic Resolution", + "reason": "By updating CloudFront distributions, an attacker can implement domain generation algorithms to dynamically change domain names for command and control, evading detection." + }, + { + "technique": "T1095 - Non-Application Layer Protocol", + "reason": "By configuring CloudFront to use non-standard protocols for data transmission, an attacker can exfiltrate data or communicate with compromised assets using non-application layer protocols." + }, + { + "technique": "T1071.001 - Application Layer Protocol: Web Protocols", + "reason": "loudFront can be configured to use common web protocols (HTTP/HTTPS) for malicious command and control communications, blending in with normal traffic and avoiding detection." + }, + { + "technique": "T1565.002 - Data Manipulation: Transmitted Data Manipulation", + "reason": "Attackers can update CloudFront distribution settings to manipulate data as it transits through CloudFront, altering its content for malicious purposes or exfiltrating manipulated data." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use Publish for smishing campaigns.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", + "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + } + ], + "securityImplications": "Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\"CallerReference\":\"\", \"Origins\":{\"Quantity\":1,\"Items\":[{\"Id\":\"\", \"DomainName\":\"\"}]}, \"DefaultCacheBehavior\":{\"TargetOriginId\":\"\", \"ViewerProtocolPolicy\":\"\"}, \"Comment\":\"\", \"Enabled\":false }'" } ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-Publish" + "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution" }, { - "eventName": "GetSMSSandboxAccountStatus", - "eventSource": "sns.amazonaws.com", - "awsService": "SNS", - "description": "Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.", + "eventName": "DeleteTrail", + "eventSource": "cloudtrail.amazonaws.com", + "awsService": "CloudTrail", + "description": "Deletes a trail.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools", + "T1562.008 - Impair Defenses: Disable or Modify Cloud Logs" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting a CloudTrail trail can be seen as an attempt to remove logs that could be 
used to detect malicious activity, thereby evading detection." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting the CloudTrail trail results in the destruction of important log data, which can impact the ability to investigate and respond to incidents." + } ], "usedInWild": true, "incidents": [ { - "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], "researchLinks": [ { - "description": "NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", - "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/" + "description": "AWS Defense Evasion Delete Cloudtrail", + "link": "https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/" + }, + { + "description": "Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail", + "link": "https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/" + }, + { + "description": "Disrupting AWS logging", + "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" + } + ], + "securityImplications": "Attackers might use DeleteTrail to disrupting AWS logging.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" + }, + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" } ], - "securityImplications": "Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws sns get-sms-sandbox-account-status" + "value": "aws cloudtrail delete-trail --name TrailDiscoverTrailName" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete" } ], - "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus" + "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail" }, { - "eventName": "IssueCertificate", - "eventSource": "acm-pca.amazonaws.com", - "awsService": "ACMPCA", - "description": "Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.", + "eventName": "LookupEvents", + "eventSource": 
"cloudtrail.amazonaws.com", + "awsService": "CloudTrail", + "description": "Looks up management events or CloudTrail Insights events that are captured by CloudTrail.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1040- Network Sniffing" + "T1654 - Log Enumeration" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS API Call Hijacking via ACM-PCA", - "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" + "technique": "T1087 - Account Discovery", + "reason": "The LookupEvents API call can be used to identify information about AWS cloud accounts, potentially revealing new or unused accounts that can be targeted." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "By looking up events, attackers can identify access patterns or sensitive data locations within cloud storage, facilitating data collection or exfiltration." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": " If attackers are trying to access accounts, LookupEvents can help them discover which accounts are being used, aiding in the identification of valid credentials. By using LookupEvents, attackers can gain insights into which accounts have been accessed, helping them target specific accounts for compromise." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Discovering user activities and patterns can help attackers understand who owns or uses specific systems, making it easier to target high-value accounts." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "LookupEvents can reveal information about the cloud infrastructure, including services and resources used within the environment." 
+ }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": " By understanding event patterns and data flows, attackers can automate the exfiltration of data from the cloud environment." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Attackers can use LookupEvents to see which processes or applications are being invoked, gaining insight into the operational environment." } ], - "securityImplications": "Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.", + "usedInWild": true, + "incidents": [ + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate" + "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents" }, { - "eventName": "GetCertificate", - "eventSource": "acm-pca.amazonaws.com", - "awsService": "ACMPCA", - "description": "Retrieves a certificate from your private CA or one that has been shared with you.", + "eventName": "PutEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "awsService": "CloudTrail", + "description": "Configures an event selector or advanced event selectors for your trail.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1040- Network Sniffing" + "T1562 - Impair Defenses" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [ + "T1562.001: Impair Defenses: Disable 
or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS API Call Hijacking via ACM-PCA", - "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" + "technique": "T1070 - Indicator Removal", + "reason": "By configuring event selectors, adversaries can exclude certain activities from being logged, effectively removing traces of their presence and actions, which hinders detection and forensic analysis." } ], - "securityImplications": "Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.", - "alerting": [], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [ + { + "description": "cloudtrail_guardduty_bypass", + "link": "https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass" + }, + { + "description": "Detecting and removing risky actions out of your IAM security policies", + "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" + } + ], + "securityImplications": "Attackers might use PutEventSelectors to disrupting AWS logging.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc" + "value": "aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\"ReadWriteType\": \"All\", \"IncludeManagementEvents\":true, \"DataResources\": [{\"Type\": 
\"AWS::S3::Object\", \"Values\": [\"arn:aws:s3\"]}] }]'" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors" } ], - "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate" + "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors" }, { - "eventName": "GetCredentialsForIdentity", - "eventSource": "cognito-identity.amazonaws.com", - "awsService": "CognitoIdentity", - "description": "Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.", + "eventName": "StopLogging", + "eventSource": "cloudtrail.amazonaws.com", + "awsService": "CloudTrail", + "description": "Suspends the recording of AWS API calls and log file delivery for the specified trail.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1078 - Valid Accounts" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools", + "T1562.008 - Impair Defenses: Disable or Modify Cloud Logs" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "By stopping the logging, the adversary prevents the creation of future log entries, effectively removing indicators that would otherwise be generated, thus evading detection and hindering incident response efforts." 
+ } ], "usedInWild": false, - "incidents": [], + "incidents": [ + { + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + } + ], "researchLinks": [ { - "description": "Overpermissioned AWS Cognito Identity Pools", - "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation" + "description": "Stopping a CloudTrail trail", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/" + }, + { + "description": "AWS Defense Evasion Stop Logging Cloudtrail", + "link": "https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/" + }, + { + "description": "AWS Defense Evasion and Centralized Multi-Account Logging", + "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/" + }, + { + "description": "Disrupting AWS logging", + "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" + }, + { + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + } + ], + "securityImplications": "Attackers might use StopLogging to disrupting AWS logging.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" + }, + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" } ], - "securityImplications": "Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws cloudtrail 
stop-logging --name TrailDiscover" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop" } ], - "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity" + "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging" }, { - "eventName": "GetId", - "eventSource": "cognito-identity.amazonaws.com", - "awsService": "CognitoIdentity", - "description": "Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.", + "eventName": "UpdateTrail", + "eventSource": "cloudtrail.amazonaws.com", + "awsService": "CloudTrail", + "description": "Updates trail settings that control what events you are logging, and how to handle log files.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1078 - Valid Accounts" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Modifying CloudTrail settings can involve stopping log generation or deleting logs, removing evidence of activities." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Changing CloudTrail settings might require manipulating account permissions or configurations to control logging." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Updating trail settings could facilitate the transfer of logs or sensitive data to an attacker-controlled cloud account for exfiltration." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "Overpermissioned AWS Cognito Identity Pools", - "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation" + "description": "AWS Defense Evasion and Centralized Multi-Account Logging", + "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/" + }, + { + "description": "Disrupting AWS logging", + "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" + } + ], + "securityImplications": "Attackers might use UpdateTrail to disrupting AWS logging.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" + }, + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" } ], - "securityImplications": "Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName" } ], - "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId" + "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail" }, { "eventName": "PutLogEvents", 
@@ -950,6 +1539,21 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1567 - Exfiltration Over Web Service",
+ "reason": "The attacker leverages CloudWatchLogs as an AWS web service to exfiltrate data, making it blend in with legitimate service use."
+ },
+ {
+ "technique": "T1102 - Web Service",
+ "reason": "The attacker uses PutLogEvents to upload sensitive data to CloudWatchLogs, which can then be accessed remotely as part of their command and control strategy."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "The attacker stages collected data on the local system and then uses PutLogEvents to upload it to CloudWatchLogs for further use or exfiltration."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
@@ -969,33 +1573,50 @@
 "permissions": "https://aws.permissions.cloud/iam/logs#logs-PutLogEvents"
 },
 {
- "eventName": "DescribeLogGroups",
+ "eventName": "CreateLogStream",
 "eventSource": "logs.amazonaws.com",
 "awsService": "CloudWatchLogs",
- "description": "Lists the specified log groups.",
+ "description": "Creates a log stream for the specified log group.",
 "mitreAttackTactics": [
- "TA0007 - Discovery"
+ "TA0005 - Defense Evasion"
 ],
 "mitreAttackTechniques": [
- "T1580 - Cloud Infrastructure Discovery"
+ "T1562 - Impair Defenses"
+ ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "Creating log streams with names that mimic legitimate applications or services helps attackers blend in with normal operations and evade detection."
+ },
+ {
+ "technique": "T1119 - Automated Collection",
+ "reason": "Log streams can be used to automate the collection of log data from various sources within the cloud environment, aiding attackers in data aggregation."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "Using log streams to stage data before it is exfiltrated, organizing it for easy access and transfer."
+ }
 ],
 "usedInWild": true,
 "incidents": [
 {
- "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
- "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution",
+ "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"
 }
 ],
 "researchLinks": [],
- "securityImplications": "Attackers might use DescribeLogGroups to discover CloudWatch log configurations.",
+ "securityImplications": "Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws logs describe-log-groups --log-group-name-prefix TrailDiscover"
+ "value": "aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups"
+ "permissions": "https://aws.permissions.cloud/iam/logs#logs-CreateLogStream"
 },
 {
 "eventName": "DeleteAlarms",
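Review bot: The new sub-technique string `"T1562.001 Impair Defenses: Disable or Modify Tools"` in the CreateLogStream entry drops the ` - ` separator that the other mitreAttackSubTechniques values in this diff use (DeleteTrail, StopLogging, UpdateTrail, DeleteAlarms, DeleteLogGroup, DeleteLogStream all write `"T1562.001 - Impair Defenses: Disable or Modify Tools"`), so any dashboard or script that groups on this field will treat it as a distinct value; the PutEventSelectors entry in the preceding hunk carries a third variant with a colon, `"T1562.001: Impair Defenses: ..."`, and both should be normalised to the dash form. The simulation command `aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601` also breaks the `TrailDiscover...` naming that the other simulation commands follow (for example `--log-group-name TrailDiscoverLogGroupName` in the deleted DescribeSubscriptionFilters entry), which is what lets a defender recognise and exclude this test activity in their own logs. Mapping a log-stream creation to "Disable or Modify Tools" reads as a stretch: the securityImplications text describes drowning real entries in benign ones, which is closer to the indicator-removal / masquerading ideas already listed under unverifiedMitreAttackTechniques, so the primary mapping may deserve a second look. Minor wording in the same field: `his malicious activities` should be `their malicious activities`.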
@@ -1008,6 +1629,24 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools",
+ "T1562.006 - Impair Defenses: Indicator Blocking"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting alarms can be part of a broader strategy to destroy or disrupt data by removing key monitoring and alert mechanisms."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "By deleting alarms, an attacker can effectively stop the alerting service from functioning as expected, similar to stopping a service"
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting alarms can be seen as removing indicators of potential issues or past activities, which is a broader form of indicator removal than just file deletion."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
@@ -1030,35 +1669,6 @@
 ],
 "permissions": "https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms"
 },
- {
- "eventName": "DescribeSubscriptionFilters",
- "eventSource": "logs.amazonaws.com",
- "awsService": "CloudWatchLogs",
- "description": "Lists the subscription filters for the specified log group.",
- "mitreAttackTactics": [
- "TA0007 - Discovery"
- ],
- "mitreAttackTechniques": [
- "T1580 - Cloud Infrastructure Discovery"
- ],
- "usedInWild": true,
- "incidents": [
- {
- "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
- "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
- }
- ],
- "researchLinks": [],
- "securityImplications": "Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.",
- "alerting": [],
- "simulation": [
- {
- "type": "commandLine",
- "value": "aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName"
- }
- ],
- "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters"
- },
 {
 "eventName": "DeleteLogGroup",
 "eventSource": "logs.amazonaws.com",
@@ -1070,6 +1680,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting log groups removes evidence of activities from log files, thus covering tracks and aiding in evading detection."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting log groups leads to the permanent removal of critical log data, effectively erasing records that could be used for forensic analysis or troubleshooting. This action disrupts the availability of essential logs, potentially causing significant operational impact and hindering incident response efforts."
+ },
+ {
+ "technique": "T1565.001 - Data Manipulation: Stored Data Manipulation",
+ "reason": "The deletion of log groups can be considered a form of data manipulation, as it involves removing stored data, impacting its integrity and availability."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
@@ -1103,6 +1730,19 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting log streams removes critical log data, effectively erasing evidence of activities that could be used to detect or investigate malicious behavior. This action makes it difficult for defenders to trace the attacker's steps or identify potential indicators of compromise."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "The permanent deletion of archived log events constitutes data destruction, impacting the organization\u00e2\u20ac\u2122s ability to conduct forensic analysis and understand the scope of an attack."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
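Review bot: In the `@@ -1103,6 +1730,19 @@` hunk (DeleteLogStream), the T1485 reason contains the mojibake `organization\u00e2\u20ac\u2122s`: that is a UTF-8 right single quotation mark that was decoded as cp1252 and then re-escaped, and it will display as `â€™` wherever this catalog is rendered. The rest of the file escapes the same character correctly as `\u2019` (the CloudFront research-link title in the earlier hunk is written `\u2018Rain\u2019`), so the string should read `organization\u2019s` or simply `organization's`. Since the sibling entries in this diff look machine-assisted, it is worth checking the generation or import step for the same double-encoding before more entries are added.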
@@ -1122,16 +1762,35 @@
 "permissions": "https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream"
 },
 {
- "eventName": "DescribeLogStreams",
+ "eventName": "DescribeLogGroups",
 "eventSource": "logs.amazonaws.com",
 "awsService": "CloudWatchLogs",
- "description": "Lists the log streams for the specified log group.",
+ "description": "Lists the specified log groups.",
 "mitreAttackTactics": [
 "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "Listing log groups can provide insights into the services and activities running within the AWS environment, aiding in identifying active services and their configurations."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "Describing log groups can reveal information about the systems and their operations, helping in mapping out remote systems within the cloud infrastructure."
+ },
+ {
+ "technique": "T1046 - Network Service Discovery",
+ "reason": "By examining log groups, attackers can understand the network services being utilized and their respective configurations, which is crucial for further discovery and potential exploitation."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Log groups often include data about different user activities and roles, which can be used to discover account details and permissions within the cloud environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
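Review bot: The unverified technique added here is labelled `"T1046 - Network Service Discovery"`, while the DescribeSubscriptionFilters entry in the next hunk labels the same ID `"T1046 - Network Service Scanning"`; one technique ID should carry one name across the file, otherwise any consumer that groups by label counts the two as different techniques. Network Service Discovery is the current ATT&CK name for T1046, so the later entry is the one to align. Note that this hunk only renames the entry to DescribeLogGroups as far as `description`; its `securityImplications`, `simulation` and `permissions` fields are updated in the following hunk, so the object is incomplete within this hunk.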
@@ -1140,156 +1799,268 @@ } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeLogStreams to discover CloudWatch log configurations.", + "securityImplications": "Attackers might use DescribeLogGroups to discover CloudWatch log configurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName" + "value": "aws logs describe-log-groups --log-group-name-prefix TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams" + "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups" }, { - "eventName": "GetLogRecord", + "eventName": "DescribeLogStreams", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", - "description": "Retrieves all of the fields and values of a single log event.", + "description": "Lists the log streams for the specified log group.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1087 - Account Discovery", + "reason": "Listing log streams can help identify different cloud accounts or services that are being logged." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automating the listing of log streams is a part of setting up a system for automated data collection." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Log streams may include process logs that reveal information about running processes in the environment." 
+ }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Log streams can help in identifying which users or systems are generating logs, aiding in system owner/user discovery." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "By listing log streams, one can determine the existence of remote systems being logged." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Logs may contain information about system configurations, operating systems, and other details relevant for system information discovery." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Identifying log streams can help in discovering the usage of valid accounts, potentially indicating compromised or misused accounts." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.", + "securityImplications": "Attackers might use DescribeLogStreams to discover CloudWatch log configurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName" } ], - "permissions": "https://aws.permissions.cloud/iam/logs#logs-GetLogRecord" + "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams" }, { - "eventName": "PutLogEvents", + "eventName": "DescribeSubscriptionFilters", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", - "description": "Uploads a batch of log events to the specified log stream.", + "description": "Lists the subscription filters for the specified log group.", 
"mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Attackers might use DescribeSubscriptionFilters to identify log groups and their associated subscription filters, which can provide insight into monitoring and logging configurations specific to cloud infrastructure. This information helps attackers understand the cloud environment and its accounts." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "By listing subscription filters, attackers can determine what types of network services and activities are being monitored. This can help them identify potential targets or services that are not being adequately monitored." + }, + { + "technique": "T1007 - System Service Discovery", + "reason": "DescribeSubscriptionFilters can reveal details about the log group's configuration, helping attackers discover how system services are being logged and monitored. This can aid in understanding the security posture and identifying potential weaknesses." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.", + "securityImplications": "Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'" + "value": "aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName" } ], - "permissions": "https://aws.permissions.cloud/iam/logs#logs-PutLogEvents" + "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters" }, { - "eventName": "CreateLogStream", + "eventName": "GetLogRecord", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", - "description": "Creates a log stream for the specified log group.", + "description": "Retrieves all of the fields and values of a single log event.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087.004 - Account Discovery: Cloud Account", + "reason": "Retrieving log records can help identify details about cloud accounts in use, such as who accessed certain services and when." 
+ }, + { + "technique": "T1057 - Process Discovery", + "reason": "Logs may contain information about processes running in the cloud environment, which can help in identifying active processes and their behavior." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Log records can reveal information about system owners or users who are interacting with the cloud environment, such as user activity logs and access patterns." + } ], "usedInWild": true, "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.", + "securityImplications": "Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/logs#logs-CreateLogStream" + "permissions": "https://aws.permissions.cloud/iam/logs#logs-GetLogRecord" }, { - "eventName": "PasswordRecoveryRequested ", - "eventSource": "signin.amazonaws.com", - "awsService": "SignIn", - "description": "This is the CloudTrail event generated when you request a password recovery.", + "eventName": "PutLogEvents", + "eventSource": "logs.amazonaws.com", + "awsService": "CloudWatchLogs", + "description": "Uploads a batch of log events to the specified log 
stream.", "mitreAttackTactics": [ - "TA0001 - Initial Access" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1078 - Valid Accounts" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "An Ongoing AWS Phishing Campaign", - "link": "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/" + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers may obfuscate the content of logs or include obfuscated commands in logs to avoid detection and analysis." }, { - "description": "Disclosure of Security Incidents on imToken", - "link": "https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken" + "technique": "T1074 - Data Staged", + "reason": "Logs might be staged in a certain format before being uploaded, allowing attackers to organize and structure the data for further analysis or exfiltration." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The use of AWS APIs like PutLogEvents to communicate can serve as a method to transfer data stealthily." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automated tools or scripts could be used to collect and upload log data regularly to CloudWatchLogs for monitoring or further use." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Logs from various information repositories might be collected and uploaded to CloudWatchLogs to facilitate data aggregation and analysis." + }, + { + "technique": "T1029 - Scheduled Transfer", + "reason": "Log uploads could be scheduled at specific intervals to CloudWatchLogs to ensure consistent data transfer." + }, + { + "technique": "T1036.004 - Masquerading", + "reason": "An attacker might disguise malicious activities or uploads as legitimate CloudWatch log entries to evade detection." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [], - "securityImplications": "Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.", + "securityImplications": "Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/logs#logs-PutLogEvents" }, { - "eventName": "SwitchRole", - "eventSource": "signin.amazonaws.com", - "awsService": "SignIn", - "description": "This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.", + "eventName": "GetCredentialsForIdentity", + "eventSource": "cognito-identity.amazonaws.com", + "awsService": "CognitoIdentity", + "description": "Returns credentials for the provided identity ID. 
Any provided logins will be validated against supported login providers.", "mitreAttackTactics": [ - "TA0008 - Lateral Movement" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1021 - Remote Services" + "T1078 - Valid Accounts" + ], + "mitreAttackSubTechniques": [ + "T1078.004: Valid Accounts: Cloud Accounts", + "T1078.001: Valid Accounts: Default Accounts", + "T1078.003: Valid Accounts: Local Accounts", + "T1078.002: Valid Accounts: Domain Accounts" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1550.004: Use Alternate Authentication Material: Web Session Cookie", + "reason": "Attackers may use credentials obtained from this API to generate session tokens or cookies for web sessions." + }, + { + "technique": "T1212: Exploitation for Credential Access", + "reason": "Exploiting the GetCredentialsForIdentity API call can be a direct method to gain credentials." + }, + { + "technique": "T1528: Steal Application Access Token", + "reason": "The credentials obtained from the API call could include tokens that grant access to applications, allowing attackers to impersonate legitimate users or services." + }, + { + "technique": "T1098: Account Manipulation", + "reason": "With the credentials returned by this API call, attackers might manipulate account settings or permissions to maintain access or escalate privileges." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS CloudTrail cheat sheet", - "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet" + "description": "Overpermissioned AWS Cognito Identity Pools", + "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation" } ], - "securityImplications": "Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.", + "securityImplications": "Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.", "alerting": [], "simulation": [ { 
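Review bot: The sub-technique strings added for GetCredentialsForIdentity put a colon after the ID (`"T1078.004: Valid Accounts: Cloud Accounts"`, and all four `unverifiedMitreAttackTechniques` entries there do the same), whereas every other entry in this hunk and the GetId entry that follows use the `"T1078.004 - Valid Accounts: Cloud Accounts"` form; any consumer that splits on ` - ` to recover the ID or the tactic label will mis-parse these four. Also, `"T1036.004 - Masquerading"` under PutLogEvents gives the parent technique's name against a sub-technique ID; ATT&CK's T1036.004 is Masquerade Task or Service, so the consistent label is `"T1036.004 - Masquerading: Masquerade Task or Service"`. The GetCredentialsForIdentity object continues into the next hunk.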
@@ -1297,991 +2068,3332 @@ "value": "N/A" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity" }, { - "eventName": "ConsoleLogin", - "eventSource": "signin.amazonaws.com", - "awsService": "SignIn", - "description": "This is the CloudTrail event generated when you sign-in.", + "eventName": "GetId", + "eventSource": "cognito-identity.amazonaws.com", + "awsService": "CognitoIdentity", + "description": "Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.", "mitreAttackTactics": [ - "TA0001 - Initial Access" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1078 - Valid Accounts" ], - "usedInWild": true, - "incidents": [ - { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, - { - "description": "Responding to an attack in AWS", - "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac" - }, - { - "description": "Credential Phishing", - "link": "https://ramimac.me/aws-phishing#credential-phishing" - }, - { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" - }, - { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" - }, - { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" - }, - { - "description": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies", - "link": 
"https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" - } + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1078.002 - Valid Accounts: Domain Accounts", + "T1078.001 - Valid Accounts: Default Accounts" ], - "researchLinks": [ + "unverifiedMitreAttackTechniques": [ { - "description": "Compromising AWS Console credentials", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/" + "technique": "T1110 - Brute Force", + "reason": "Attackers might attempt to generate or retrieve multiple IdentityIDs through brute force, seeking unauthorized access." }, { - "description": "Create a Console Session from IAM Credentials", - "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/" + "technique": "T1589 - Gather Victim Identity Information", + "reason": "The Logins parameter allows attackers to gather or brute-force information tied to identity providers (e.g., linked Google or Facebook accounts), which might reveal valuable identity information." }, { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "technique": "T1087 - Account Discovery", + "reason": "By retrieving an IdentityId, attackers could discover cloud accounts linked to multiple identity providers, which might give them further access or knowledge about an organization's cloud infrastructure." 
} ], - "securityImplications": "Attackers might access via AWS console (generating a ConsoleLogin event).", - "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6" - }, + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3" + "description": "Overpermissioned AWS Cognito Identity Pools", + "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation" } ], + "securityImplications": "Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.", + "alerting": [], "simulation": [ { "type": "commandLine", "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId" }, { - "eventName": "GetSigninToken", - "eventSource": "signin.amazonaws.com", - "awsService": "SignIn", - "description": "Generate a SigninToken that can be used to login to the the AWS Management Console.", + "eventName": "DeleteConfigRule", + "eventSource": "config.amazonaws.com", + "awsService": "Config", + "description": "Deletes the specified AWS Config rule and all of its evaluation results.", "mitreAttackTactics": [ - "TA0001 - Initial Access" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1078 - Valid Accounts" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": 
"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1485 - Data Destruction", + "reason": "By deleting configuration rules and their results, an attacker could be aiming to destroy security data that would alert defenders to their activities." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "While not directly causing a denial of service, deleting config rules could indirectly contribute by removing mechanisms that ensure the stability and compliance of services." } ], - "researchLinks": [], - "securityImplications": "Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS Config Resource Deletion", + "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion" + } + ], + "securityImplications": "Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws configservice delete-config-rule --config-rule-name TrailDiscoverConfigRule" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigRule" }, { - "eventName": "CreateFunction20150331", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Creates a Lambda function.", + "eventName": "DeleteConfigurationRecorder", + "eventSource": "config.amazonaws.com", + "awsService": "Config", + "description": "Deletes the configuration recorder.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation", - "TA0040 - Impact" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1496 - Resource 
Hijacking" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Mining Crypto", - "link": "https://twitter.com/jonnyplatt/status/1471453527390277638" + "technique": "T1070 - Indicator Removal", + "reason": "Deleting the configuration recorder aligns with the broader goal of eliminating records that could be used for forensic purposes, removing indicators of compromise." }, { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "technique": "T1098 - Account Manipulation", + "reason": "Disabling the configuration recorder could be part of manipulating accounts or roles to evade detection and maintain control over the environment." } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, - { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "AWS Config Resource Deletion", + "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion" } ], - "securityImplications": "Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.", + "securityImplications": "Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.", "alerting": [], "simulation": [ { "type": "commandLine", - 
"value": "aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4" + "value": "aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction" + "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder" }, { - "eventName": "CreateEventSourceMapping20150331", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Creates a mapping between an event source and an AWS Lambda function.", + "eventName": "DeleteDeliveryChannel", + "eventSource": "config.amazonaws.com", + "awsService": "Config", + "description": "Deletes the delivery channel.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the delivery channel, logs that might contain evidence of malicious activities are removed." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting the delivery channel could be part of a broader tactic to destroy data, including configuration logs that are crucial for incident response and auditing." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "AWS Config Resource Deletion", + "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion" + }, + { + "description": "AWS Config modified", + "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/" + }, + { + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + } + ], + "securityImplications": "Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9" + }, + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml" } ], - "securityImplications": "Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue" + "value": "aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping" + "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel" }, { - "eventName": "UpdateFunctionConfiguration20150331v2", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Modify the 
version-specific settings of a Lambda function.", + "eventName": "StopConfigurationRecorder", + "eventSource": "config.amazonaws.com", + "awsService": "Config", + "description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "By stopping the configuration recorder, an attacker can effectively disrupt the ability to track and monitor changes, which can be a precursor to or part of a broader data destruction strategy." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Stopping a critical service like the configuration recorder can be part of a larger strategy to disrupt services, resulting in a loss of visibility and monitoring, hence impacting the organization." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "AWS Configuration Recorder Stopped", + "link": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped" }, { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "description": "AWS Config modified", + "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/" }, { - "description": "LambdaSpy - Implanting the Lambda execution environment (Part two)", - "link": "https://www.clearvector.com/blog/lambda-spy/" + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" } ], - "securityImplications": "Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.", - "alerting": [], - "simulation": [ + "securityImplications": "Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.", + "alerting": [ { - "type": "commandLine", - "value": "aws lambda update-function-configuration --function-name my-function --memory-size 256" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9" }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension" - } - ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration" - }, - { - 
"eventName": "AddPermission20150331v2", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Grants an AWS service, AWS account, or AWS organization permission to use a function.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ - { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml" } ], - "securityImplications": "Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function" + "value": "aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-AddPermission" + "permissions": "https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder" }, { - "eventName": "UpdateFunctionCode20150331v2", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Updates a Lambda function's code. 
If code signing is enabled for the function, the code package must be signed by a trusted publisher.", + "eventName": "GetCostAndUsage", + "eventSource": "ce.amazonaws.com", + "awsService": "CostExplorer", + "description": "Retrieves cost and usage metrics for your account.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0040 - Impact", - "TA0009 - Collection" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1496 - Resource Hijacking", - "T1119 - Automated Collection" + "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + "technique": "T1082 - System Information Discovery", + "reason": "The attacker calls the GetCostAndUsage API to gather detailed usage information about the AWS resources being utilized. By analyzing the cost and usage data, the attacker can infer details about the types of services, their usage patterns, and potentially the structure of the environment." }, { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "technique": "T1518 - Software Discovery", + "reason": "By reviewing the cost and usage metrics, the attacker identifies expenditures related to security services (e.g., GuardDuty, CloudTrail). This information helps the attacker understand the security posture and tools in use, potentially avoiding or disabling them during an attack." 
}, { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "technique": "T1213 - Data from Information Repositories", + "reason": "The attacker uses the GetCostAndUsage API to access billing and usage metrics stored in the AWS CostExplorer service. This data is collected to understand the financial and resource allocation details of the target environment." }, { - "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", - "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + "technique": "T1071.001 - Application Layer Protocol: Web Protocols", + "reason": "The attacker uses web protocols (e.g., HTTPS) to interact with the CostExplorer service and retrieve cost and usage metrics. The data collected is then sent over the web protocol to a remote server controlled by the attacker." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The attacker scripts the retrieval of cost and usage metrics using the GetCostAndUsage API. This script regularly exfiltrates data, providing continuous updates to the attacker on the victim's cloud usage patterns." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "The attacker stores the retrieved cost and usage data in a cloud storage object (e.g., S3 bucket). This stored data is later accessed or transferred to the attacker's own environment for further analysis or sale." 
} ], - "securityImplications": "Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.", + "usedInWild": true, + "incidents": [ + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws lambda update-function-code --function-name my-function" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code" + "value": "aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode" + "permissions": "https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage" }, { - "eventName": "Invoke", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Invokes a Lambda function.", + "eventName": "AttachVolume", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0004 - Privilege Escalation" + "TA0008 - Lateral Movement" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1021 - Remote Services" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Mining Crypto", - "link": 
"https://twitter.com/jonnyplatt/status/1471453527390277638" + "technique": "T1098 - Account Manipulation", + "reason": "By attaching or detaching volumes, attackers can manipulate account settings or the environment to further their objectives, such as making specific data accessible or inaccessible." }, { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "technique": "T1036 - Masquerading", + "reason": "Attackers might attach volumes that appear legitimate or contain misleading data, thereby disguising their malicious activities." + }, + { + "technique": "T1074 - Data Staged", + "reason": "EBS volumes can be used to stage data for exfiltration or further manipulation by the attackers." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Attackers can use attached volumes to transfer tools, scripts, or other malicious files into the target environment." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Malicious actors can store obfuscated data or tools on an EBS volume to evade detection mechanisms." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Attackers may attach volumes to archive collected data for exfiltration or future use, leveraging the storage capacity of the EBS volumes." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "By attaching a volume that contains information repositories, attackers can access and extract sensitive data stored within these repositories" + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "Attackers can attach volumes that contain cloud storage objects, allowing them to access and manipulate the data stored within these objects." 
+ }, + { + "technique": "T1030 - Data Transfer Size Limits", + "reason": "Attackers may attach EBS volumes to instances to handle large amounts of data transfer without triggering size-based detection mechanisms." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "By attaching an EBS volume, attackers can access and extract data from the local file system of the EC2 instance." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" } ], - "securityImplications": "Attackers might use Invoke to execute previously modified functions in AWS Lambda.", + "researchLinks": [], + "securityImplications": "Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume" }, { - "eventName": "UpdateEventSourceMapping20150331", - "eventSource": "lambda.amazonaws.com", - "awsService": "Lambda", - "description": "Updates an event source mapping. 
You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.", + "eventName": "AuthorizeSecurityGroupEgress", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Adds the specified outbound (egress) rules to a security group.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1048 - Exfiltration Over Alternative Protocol" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" - } - ], - "securityImplications": "Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.", - "alerting": [], - "simulation": [ + "technique": "T1040 - Network Sniffing", + "reason": "Outbound rules can be adjusted to send traffic to specific external destinations, which may allow attackers to capture or monitor network traffic for sensitive information." + }, { - "type": "commandLine", - "value": "aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8" + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers can use specific egress rules to allow communication over commonly used application layer protocols." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers can set up egress rules to exfiltrate staged data through approved channels." + }, + { + "technique": "T1021 - Remote Services", + "reason": "By setting egress rules, attackers can allow outbound traffic for remote desktop connections, facilitating lateral movement." 
+ }, + { + "technique": "T1095 - Non-Application Layer Protocol", + "reason": "Attackers might configure rules to allow exfiltration using non-standard protocols." + }, + { + "technique": "T1571 - Non-Standard Port", + "reason": "By authorizing specific outbound ports, attackers can use non-standard ports for communication to evade defenses." + }, + { + "technique": "T1599 - Network Boundary Bridging", + "reason": "Attackers can use egress rules to bridge network boundaries, aiding lateral movement or exfiltration" } ], - "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping" - }, - { - "eventName": "GetQueryResults", - "eventSource": "athena.amazonaws.com", - "awsService": "Athena", - "description": "Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Trouble in Paradise", + "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.", - "alerting": [], + "securityImplications": "Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" + } + ], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions 
IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'" } ], - "permissions": "https://aws.permissions.cloud/iam/athena#athena-GetQueryResults" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress" }, { - "eventName": "UpdateDistribution", - "eventSource": "cloudfront.amazonaws.com", - "awsService": "CloudFront", - "description": "Updates the configuration for a CloudFront distribution.", + "eventName": "AuthorizeSecurityGroupIngress", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Adds the specified inbound (ingress) rules to a security group.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0003 - Persistence", + "TA0008 - Lateral Movement" ], "mitreAttackTechniques": [ - "T1119 - Automated Collection" + "T1098 - Account Manipulation", + "T1021 - Remote Services" + ], + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1133 - External Remote Services", + "reason": "By adding or modifying ingress rules, attackers can enable remote access to the EC2 instances, which is a direct use of the AuthorizeSecurityGroupIngress API call to allow external services." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Attackers can use the API call to allow inbound traffic, facilitating the transfer of tools or payloads directly into the compromised environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying security group rules to disable defenses or monitoring directly involves the AuthorizeSecurityGroupIngress API call." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Discovering which permission groups can modify security group rules is directly relevant as it informs the attacker's strategy to use the AuthorizeSecurityGroupIngress API call." 
+ }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "If an attacker exploits a vulnerability and gains access to an AWS account, they might use the AuthorizeSecurityGroupIngress API call to allow them to exploit applications that were not previously reachable." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers might modify ingress rules to allow traffic through a proxy, enabling them to route malicious traffic through the compromised environment." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Finding evil in AWS", + "link": "https://expel.com/blog/finding-evil-in-aws/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", + "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + }, + { + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + }, + { + 
"description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", - "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + "description": "Opening a security group to the Internet", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/" + } + ], + "securityImplications": "Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" } ], - "securityImplications": "Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\"CallerReference\":\"\", \"Origins\":{\"Quantity\":1,\"Items\":[{\"Id\":\"\", \"DomainName\":\"\"}]}, \"DefaultCacheBehavior\":{\"TargetOriginId\":\"\", \"ViewerProtocolPolicy\":\"\"}, \"Comment\":\"\", \"Enabled\":false }'" + "value": "aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution" + "permissions": 
"https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress" }, { - "eventName": "PublishFunction", - "eventSource": "cloudfront.amazonaws.com", - "awsService": "CloudFront", - "description": "Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.", + "eventName": "CreateDefaultVpc", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0003 - Persistence", + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1119 - Automated Collection" + "T1098 - Account Manipulation", + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", - "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + "technique": "T1021 - Remote Services", + "reason": "With a default VPC in place, adversaries can use it to establish connections between various services, facilitating lateral movement across different instances and resources." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "The VPC configuration can be exploited to set up remote access points, which adversaries can use to maintain command and control over compromised resources." + }, + { + "technique": "T1041 - Exfiltration Over C2 Channel", + "reason": "Once command and control is established within the VPC, data can be exfiltrated through these channels without raising immediate suspicion, leveraging the network infrastructure." 
} ], - "securityImplications": "Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.", + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function" + "value": "aws ec2 create-default-vpc" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc" }, { - "eventName": "CreateFunction", - "eventSource": "cloudfront.amazonaws.com", - "awsService": "CloudFront", - "description": "Creates a CloudFront function.", + "eventName": "CreateImage", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1119 - Automated Collection" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", - "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + "technique": "T1003 - OS Credential Dumping", + "reason": "Attackers can create an AMI, then analyze the offline image to perform credential dumping, extracting sensitive information from the instance's 
filesystem" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers can create an AMI from an instance, disable or alter security tools and configurations within the AMI, and redeploy the compromised AMI to evade detection and maintain control." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Creating an AMI involves creating a snapshot of the instance's state. Attackers can use this snapshot to capture and analyze the data and configurations of the instance, which may include sensitive information or enable further attacks." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers can use the CreateImage API to create an AMI from an instance they control. This AMI can then be used to deploy new instances with pre-configured settings, including backdoors or other malicious configurations, effectively manipulating accounts and resources within the cloud environment." } ], - "securityImplications": "Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.", + "usedInWild": true, + "incidents": [ + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo=" + "value": "aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \"TrailDiscoverImageName\" --description \"TrailDiscoverImageDescription\"" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction" + 
"permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateImage" }, { - "eventName": "DeleteFileSystem", - "eventSource": "elasticfilesystem.amazonaws.com", - "awsService": "elasticfilesystem", - "description": "Deletes a file system, permanently severing access to its contents.", + "eventName": "CreateInstanceExportTask", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Exports a running or stopped instance to an Amazon S3 bucket.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0009 - Collection" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1005 - Data from Local System" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Exporting an EC2 instance to an S3 bucket involves transferring data over a web service, which aligns with exfiltrating data through a web-based method." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The export task utilizes application layer protocols for communication, relevant for exfiltrating data using such protocols." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Exporting an EC2 instance to an S3 bucket involves moving data within the same cloud account and region, but it still represents a transfer of potentially sensitive data to another location within the cloud. " + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "The export task could be used in combination with other tactics to hijack the resource for further malicious activities or unauthorized access." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "The instance's data being exported can be seen as collecting data from a local system before transferring it to another location." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS EFS File System or Mount Deleted", - "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html" + "description": "AWS EC2 VM Export Failure", + "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html" } ], - "securityImplications": "Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.", + "securityImplications": "Attackers might use CreateInstanceExportTask to extract or exfiltrate information", "alerting": [ { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws efs delete-file-system --file-system-id fs-c7a0456e" + "value": "aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix" } ], - "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask" }, { - "eventName": "DeleteMountTarget", - "eventSource": "elasticfilesystem.amazonaws.com", - "awsService": "elasticfilesystem", - "description": "Deletes the specified mount target.", + "eventName": "CreateKeyPair", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.", + "mitreAttackTactics": [ + "TA0003 - Persistence" + ], + "mitreAttackTechniques": 
[ + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [ + "T1098.001 - Account Manipulation: Additional Cloud Credentials" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The creation of a new key pair can facilitate unauthorized access to cloud accounts if an attacker obtains the private key, allowing them to log in and perform actions within the compromised account. By creating a new key pair, attackers can establish valid accounts that can be used to maintain access and evade detection, as the access looks legitimate. Similar to cloud accounts, valid local accounts can be exploited if the attacker uses the key pair to gain access to specific instances or services within the local environment. If the key pair is used to authenticate to domain accounts within the cloud environment, it can provide attackers with persistent access to those accounts, facilitating further malicious activities." + }, + { + "technique": "T1562 - Impair Defense", + "reason": "An attacker with a newly created key pair might use it to disable security tools or modify settings within the cloud environment to avoid detection and maintain persistence." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "The private key returned is unencrypted, which poses a risk if intercepted or improperly stored, leading to potential credential exposure. The private key might be stored in files within the cloud instances, which could be exploited by an attacker to gain unauthorized access." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "If the private key is transmitted over the network in plaintext, it can be intercepted by an attacker, leading to credential access." 
+ }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "If the EC2 instance has permissions to access Cloud storage, the key can be used to get this data via the EC2 permissions" + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "An attacker might exploit the creation and handling of key pairs to gain access to credentials if there are vulnerabilities or misconfigurations in how the keys are managed and stored." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + } + ], + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-key-pair --key-name TrailDiscoverKeyPair" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair" + }, + { + "eventName": "CreateNetworkAclEntry", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates an entry (a rule) in a network ACL with the specified rule number.", + "mitreAttackTactics": [ + "TA0003 - Persistence" + ], + "mitreAttackTechniques": [ + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + 
"unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Creating or modifying network ACLs can disable or alter firewall rules, thus impairing defenses. By modifying ACLs, attackers might disable security tools that rely on specific network configurations." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Modifying network ACLs could allow malicious payloads to be transferred into the network." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By changing ACL rules, an attacker might permit unauthorized web traffic for command and control. By modifying network ACLs, an attacker could allow unauthorized email traffic for exfiltration or command and control." + }, + { + "technique": "T1021 - Remote Services", + "reason": "Creating or modifying ACL entries can facilitate unauthorized RDP access, aiding lateral movement." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers could create ACL rules that permit traffic to and from external proxies, aiding command and control operations" + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By modifying network ACL rules, an attacker can enable access to specific ports used by services like SMB (TCP/445). SMB ports are often used for sharing files and resources within a network. Access to these ports can provide the attacker with the ability to query for system information, users, and groups (such as through NetSessionEnum or NetUserEnum calls), helping them to discover the system owner or logged-in users, which aids in understanding the target environment." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "An attacker might create ACL entries to allow traffic to sites or services where the attacker has valid accounts." 
+ }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Creating specific ACL rules might help attackers map out network connections and understand the network layout." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS EC2 Network Access Control List Creation", + "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html" + }, + { + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + } + ], + "securityImplications": "Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11" + } + ], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry" + }, + { + "eventName": "CreateRoute", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a route in a route table within a VPC.", + "mitreAttackTactics": [ + "TA0009 - Collection" + ], + "mitreAttackTechniques": [ + "T1074 - Data Staged" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1090 - Proxy", + "reason": "Creating a route can facilitate the use of external proxies by directing traffic through a specific intermediary node. Using the CreateRoute API can set up routing that utilizes proxies to hide the origin of network traffic." 
+ }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The creation of routes might involve the use of compromised cloud accounts to establish persistence within a network." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Routes can be used to facilitate the transfer of tools across different segments of a network, aiding lateral movement." + }, + { + "technique": "T1070: Indicator Removal", + "reason": "Creating routes might assist in evading detection and preserving stealth by directing traffic in a way that avoids logging mechanisms, aiding in the removal or obfuscation of evidence." + }, + { + "technique": "T1046: Network Service Discovery", + "reason": "Adjusting routes can help in discovering network services by ensuring that specific network segments are reachable, aiding in reconnaissance." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Ensure CloudWatch has an Alarm for Route Table Changes", + "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change" + }, + { + "description": "AWS Incident Response", + "link": "https://easttimor.github.io/aws-incident-response/" + } + ], + "securityImplications": "Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13" + } + ], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute" + }, + { + "eventName": "CreateSecurityGroup", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a security group.", + 
"mitreAttackTactics": [ + "TA0003 - Persistence", + "TA0008 - Lateral Movement" + ], + "mitreAttackTechniques": [ + "T1098 - Account Manipulation", + "T1021 - Remote Services" + ], + "mitreAttackSubTechniques": [ + "T1021.001 - Remote Services: Remote Desktop Protocol", + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "By creating or modifying security group rules, adversaries can manipulate the flow of network traffic to bypass security monitoring tools, which aids in defense evasion." + }, + { + "technique": "T1036 - Masquerading", + "reason": "By configuring security groups under seemingly legitimate purposes while actually facilitating malicious activities, adversaries can use this to disguise their network traffic and actions." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Adversaries may configure security groups to specifically allow traffic types that can cause application layer exhaustion, effectively using this method to flood systems with requests that exhaust resources and lead to service disruption." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + } + ], + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + }, + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + } + ], + "securityImplications": "Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" + } + ], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \"TrailDiscoverDescription\"" + } + ], + "permissions": 
"https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup" + }, + { + "eventName": "CreateSnapshot", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a snapshot of an EBS volume and stores it in Amazon S3.", + "mitreAttackTactics": [ + "TA0008 - Lateral Movement", + "TA0010 - Exfiltration" + ], + "mitreAttackTechniques": [ + "T1537 - Transfer Data to Cloud Account", + "T1021 - Remote Services" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Creating a snapshot and storing it in S3 can be used to exfiltrate data by transferring it to another account or region." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "If an adversary has access to an EBS volume containing credentials, creating a snapshot of that volume could allow them to extract those credentials." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "An adversary could create a snapshot before deleting the original volume, ensuring they can still access the data" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "The snapshot data can be exfiltrated using AWS APIs, moving it to S3 or other cloud storage." + }, + { + "technique": "T1030 - Data Transfer Size Limits", + "reason": "Creating multiple snapshots to evade detection mechanisms that monitor for large data transfers." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "By creating snapshots of EBS volumes, adversaries can hide data transfers under the guise of legitimate backup operations. This makes it harder to distinguish between regular snapshot activities and potential malicious data movements." 
+ }, + { + "technique": "T1074 - Data Staged", + "reason": "Snapshots can serve as a stage for data before exfiltration" + }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "Adversaries might use stolen keys or other credentials extracted from snapshots as authentication material." + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Adversaries could create snapshots and use them in other environments, leveraging the stored resources for malicious purposes." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight", + "link": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + } + ], + "researchLinks": [ + { + "description": "Stealing an EBS snapshot by creating a snapshot and sharing it", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/" + }, + { + "description": "Exfiltrate EBS Snapshot by Sharing It", + "link": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/" + } + ], + "securityImplications": "Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute" + }, + { + "eventName": "CreateTrafficMirrorFilter", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a Traffic Mirror 
filter.", + "mitreAttackTactics": [ + "TA0009 - Collection" + ], + "mitreAttackTechniques": [ + "T1074 - Data Staged" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1040 - Network Sniffing", + "reason": "By creating a Traffic Mirror filter, attackers can intercept and analyze network traffic to capture sensitive information. This directly relates to the ability to observe all mirrored network traffic." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "raffic mirroring can be used to observe and scan network services and discover active services and devices on the network. By analyzing mirrored traffic, attackers can map the network and identify active services." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "Traffic mirroring can facilitate the automated exfiltration of data through observed network traffic. Mirrored traffic can be continuously collected and sent to an attacker's controlled server for automatic processing and exfiltration." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Mirrored traffic can help attackers discover information about system owners or users by analyzing the traffic. For instance, login attempts, user credentials, and other user-related information might be observed." + }, + { + "technique": "T1518 - Software Discovery", + "reason": "Traffic mirroring can be used to identify security software and appliances by analyzing network traffic. Attackers can look for traffic patterns related to security software to understand the defenses in place." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "By capturing mirrored traffic, attackers can collect data from local systems indirectly by observing network communications. This can include files being transferred over the network, credentials, and other sensitive information." 
+ } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + } + ], + "securityImplications": "Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-traffic-mirror-filter --description 'TCP Filter'" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter" + }, + { + "eventName": "CreateTrafficMirrorFilterRule", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a Traffic Mirror filter rule.", + "mitreAttackTactics": [ + "TA0009 - Collection" + ], + "mitreAttackTechniques": [ + "T1074 - Data Staged" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1020 - Automated Collection", + "reason": "Traffic mirroring can automate the collection of network traffic, which can include sensitive data." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By intercepting traffic, an attacker can discover information about the system owner or users based on network communications." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Traffic mirroring can help attackers understand and manipulate application layer protocols by observing the traffic." + }, + { + "technique": "T1040: Network Sniffing", + "reason": "Traffic mirroring is essentially a form of network sniffing, capturing data in transit for further analysis" + }, + { + "technique": "T1567: Exfiltration Over Web Service", + "reason": "Intercepted traffic can be exfiltrated over web services if the mirrored data is sent to an external destination." 
+ }, + { + "technique": "T1213: Data from Information Repositories", + "reason": "T1213: Data from Information Repositories" + }, + { + "technique": "T1005: Data from Local System", + "reason": "Traffic mirroring can capture data from the local system that is transmitted over the network." + }, + { + "technique": "T1083: File and Directory Discovery", + "reason": "Analysis of mirrored traffic can help in discovering files and directories being accessed and used on the network" + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + } + ], + "securityImplications": "Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule" + }, + { + "eventName": "CreateTrafficMirrorSession", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a Traffic Mirror session.", + "mitreAttackTactics": [ + "TA0009 - Collection" + ], + "mitreAttackTechniques": [ + "T1074 - Data Staged" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1040 - Network Sniffing", + "reason": "By creating a Traffic Mirror session, an adversary can passively collect data on the network, capturing traffic to gather sensitive information." 
+ }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Traffic Mirror sessions can be used to monitor application layer protocols to understand communication patterns" + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The mirrored traffic could be sent to an external system for automated analysis and potential exfiltration of data." + }, + { + "technique": "T1036 - Masquerading", + "reason": "In the later stages of an attack, traffic mirrored sessions might help disguise malicious traffic by blending it with legitimate traffic, by using already learnt traffic patterns, aiding in evasion of detection" + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Analyzing the mirrored traffic can provide information on remote systems, including their IP addresses and services, aiding in further discovery." + }, + { + "technique": "T1090 - Proxy", + "reason": "raffic Mirror can be utilized to capture and analyze traffic routed through proxy servers, identifying potential points of interest for further compromise." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automating the creation of Traffic Mirror sessions allows for continuous data collection without manual intervention" + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Traffic Mirror sessions could capture data from repositories by monitoring traffic related to repository access" + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Adversaries can use traffic mirroring to collect and then archive large amounts of network traffic for later analysis or exfiltration." + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Monitoring mirrored traffic can reveal details about network connections on systems, such as active connections, protocols used, and the nature of the traffic." 
+ } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + } + ], + "securityImplications": "Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id tmf-04812ff784EXAMPLE" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession" + }, + { + "eventName": "CreateTrafficMirrorTarget", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates a target for your Traffic Mirror session.", + "mitreAttackTactics": [ + "TA0009 - Collection" + ], + "mitreAttackTechniques": [ + "T1074 - Data Staged" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "When a Traffic Mirror target is created, it enables the capture of network traffic, which can be analyzed to understand the network configuration, including IP addresses, subnets, and routing." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Mirrored traffic provides visibility into the types of services running on the network, allowing adversaries to map out the network services and identify potential vulnerabilities." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By examining the mirrored traffic, attackers can identify and understand the protocols used at the application layer, which can be exploited for further attacks." 
+ }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "The data captured through traffic mirroring can be exfiltrated via web services, making it easier for attackers to move large amounts of data without detection." + }, + { + "technique": "T1571 - Non-Standard Port", + "reason": "Traffic mirroring can uncover the use of non-standard ports, which can then be targeted in later stages of the attack for covert command and control communications." + }, + { + "technique": "1590 - Gather Victim Network Information", + "reason": "The detailed information gathered from traffic mirroring helps attackers build a comprehensive profile of the victim's network." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By analyzing the traffic within a cloud environment, adversaries can discover cloud infrastructure details and configurations, which can be critical for planning further attacks." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Analysis of mirrored traffic can reveal information about system owners or users, which can be leveraged for further attacks." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "Mirrored traffic can reveal sensitive data being transmitted within the network, which can be captured and analyzed." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "Traffic mirroring enables the continuous collection of network traffic, which can then be automatically exfiltrated for further analysis or exploitation." 
+ } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + } + ], + "securityImplications": "Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget" + }, + { + "eventName": "CreateVolume", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.", + "mitreAttackTactics": [ + "TA0008 - Lateral Movement" + ], + "mitreAttackTechniques": [ + "T1021 - Remote Services" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Attackers can create volumes and attach them to instances to access filesystems and potentially extract sensitive files such as /etc/passwd and /etc/shadow on Linux systems for credential dumping." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By creating a volume from a snapshot that contains valid credentials or authentication tokens, attackers can gain persistent access to cloud resources." + }, + { + "technique": "T1202 - Indirect Command Execution", + "reason": "Attackers might use the creation of volumes and the data contained within them to execute commands indirectly by leveraging scripts or binaries stored in these volumes. 
Some of the commands could be called by methods like autorun scripts or similar" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Creating and using volumes for storing large amounts of data or for computational tasks can be a form of resource hijacking, impacting the cloud environment's availability and cost." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Attackers might use newly created volumes to overwrite sensitive data, effectively destroying it and causing a significant impact" + }, + { + "technique": "T1486 - Data Encrypted for Impact", + "reason": "Encrypted volumes can be used by attackers to encrypt data and then demand ransom for decryption keys, directly impacting data availability." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers can use created volumes to stage collected data locally before exfiltration, facilitating the organization and preparation of data for extraction." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might create volumes that mimic legitimate snapshots or backups to evade detection and maintain persistent access by blending into normal operations." 
+ }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Attackers can create volumes to transfer and store exfiltrated data within a cloud account, enabling them to securely move sensitive information out of the victim's environment" + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 create-volume --size 80 --availability-zone us-east-1a" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume" + }, + { + "eventName": "DeleteFlowLogs", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Deletes one or more flow logs.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1089 - Disabling Security Tools" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting flow logs can remove indicators that were stored, making it harder to detect malicious activities" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Disabling or deleting flow logs can impair defensive mechanisms by removing visibility into network traffic. It also supersedes T1089 since v7.1." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting flow logs can be part of a broader data destruction strategy. By removing logs that track network activity, an attacker can ensure that no historical data remains to aid in the forensic investigation of their activities. 
This makes it significantly harder to trace malicious actions back to the perpetrator, thus effectively destroying critical evidence" + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Deleting flow logs can be part of account manipulation to hide tracks and activities conducted using compromised accounts." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + } + ], + "researchLinks": [ + { + "description": "Removing VPC flow logs", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/" + }, + { + "description": "AWS Incident Response", + "link": "https://github.com/easttimor/aws-incident-response" + }, + { + "description": "Proactive Cloud Security w/ AWS Organizations", + "link": "https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16" + } + ], + "securityImplications": "Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs" + }, + { + "eventName": "DeleteNetworkAcl", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Deletes the specified network ACL.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall" + ], + "unverifiedMitreAttackTechniques": [ + { + 
"technique": "T1485 - Data Destruction", + "reason": "Deleting a network ACL can be a form of data destruction as it disrupts the network configuration, potentially leading to data loss or service disruption" + }, + { + "technique": "T1489 - Service Stop", + "reason": "Removing network ACLs can stop or disrupt services by blocking legitimate network traffic, effectively causing denial of service conditions" + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting network ACLs can be part of a broader strategy to remove access to resources, making it difficult for legitimate users to access networked systems and services. For example, deleting a network ACL that allows SSH access." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Ensure CloudWatch has an Alarm for Network ACL Changes", + "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change" + } + ], + "securityImplications": "Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11" + } + ], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl" + }, + { + "eventName": "DeleteNetworkAclEntry", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Deletes the specified ingress or egress entry (rule) from the specified network ACL.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001: Impair Defenses - Disable or Modify Tools", + "T1562.004: Impair Defenses - 
Disable or Modify System Firewall"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Attackers may manipulate network ACLs as part of account manipulation to remove or alter security controls. This can enable unauthorized access or disrupt normal operations within the cloud environment."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Deleting network ACL entries could be part of an attack to disrupt services and remove access to accounts, affecting the availability of resources. For example, deleting a network ACL that allows SSH access."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "By deleting critical network ACL entries, an attacker can disrupt or stop essential services by either blocking required traffic or allowing malicious traffic, leading to a service interruption."
+ }
+ ],
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
+ {
+ "description": "Ensure CloudWatch has an Alarm for Network ACL Changes",
+ "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change"
+ }
+ ],
+ "securityImplications": "Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.",
+ "alerting": [
+ {
+ "type": "cloudwatchCISControls",
+ "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"
+ }
+ ],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry"
+ },
+ {
+ "eventName": "DeleteSnapshot",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Deletes the specified snapshot.",
+ "mitreAttackTactics": [
+ "TA0040 - Impact"
+ ],
+ "mitreAttackTechniques": [
+ "T1485 - 
Data Destruction"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting snapshots can be part of an effort to remove indicators of compromise or evidence of malicious activity."
+ },
+ {
+ "technique": "T1486 - Data Encrypted for Impact",
+ "reason": "If the adversary has encrypted the data and then deletes snapshots, it makes recovery impossible without the decryption keys, thus increasing the impact."
+ },
+ {
+ "technique": "T1565 - Data Manipulation",
+ "reason": "Deleting snapshots can be a form of manipulating stored data, particularly if snapshots are used for data recovery and the deletion disrupts normal recovery processes."
+ },
+ {
+ "technique": "T1561 - Disk Wipe",
+ "reason": "Deleting snapshots can be considered a form of disk wipe if the snapshots contain the only copies of certain data, effectively wiping that data from existence."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Hacker Puts Hosting Service Code Spaces Out of Business",
+ "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot"
+ },
+ {
+ "eventName": "DeleteVolume",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Deletes the specified EBS volume. 
The volume must be in the available state (not attached to an instance).",
+ "mitreAttackTactics": [
+ "TA0040 - Impact"
+ ],
+ "mitreAttackTechniques": [
+ "T1485 - Data Destruction"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting an EBS volume can be used to remove evidence of malicious activity, such as log files or other data stored on the volume."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "The deletion of an EBS volume results in the permanent loss of the data it contained, which is a form of data destruction."
+ },
+ {
+ "technique": "T1561 - Disk Wipe",
+ "reason": "Deleting the volume ensures that all data on the volume is removed, which is similar to a disk wipe."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Hacker Puts Hosting Service Code Spaces Out of Business",
+ "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 delete-volume --volume-id TrailDiscoverVolumeId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume"
+ },
+ {
+ "eventName": "DescribeAccountAttributes",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes attributes of your AWS account.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "By describing the account attributes, an adversary can gather information about the AWS environment, 
such as supported platforms, EC2 limitations, and default settings, which aids in understanding the overall cloud infrastructure."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Understanding the maximum number of security groups that can be assigned to a network interface can help an adversary in identifying the possible scope and structure of permissions within the account."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "his technique is relevant as it involves obtaining information about the cloud services and configurations, such as the maximum number of instances and Elastic IP addresses, supported platforms, and default VPC ID"
+ },
+ {
+ "technique": "T1538 - Cloud Service Dashboard",
+ "reason": "Accessing the account attributes via the API is akin to viewing settings in the cloud service dashboard, providing a view into the configurations and limitations of the AWS environment."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-account-attributes --attribute-names TrailDiscoverAttribute"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes"
+ },
+ {
+ "eventName": "DescribeAvailabilityZones",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Knowing the availability zones is a part of system information that an attacker might want to know. This API call provides insights into the environment setup and operational state."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "The DescribeAvailabilityZones API call provides information about the geographical distribution of cloud services, aiding in the identification of cloud services in use."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "By knowing which availability zones are in use, attackers can identify the distribution of systems and services across the cloud environment. This helps in mapping the network architecture and planning subsequent lateral movement or targeted attacks."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones"
+ },
+ {
+ "eventName": "DescribeBundleTasks",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the specified bundle tasks or all of your bundle tasks.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - 
System Information Discovery",
+ "reason": "The DescribeBundleTasks API call can provide details about the instance, which can be used to gather information about the system's configuration and status. The description of what a Bundle Task is not even available on AWS anymore."
+ },
+ {
+ "technique": "T1553.002 - Subvert Trust Controls: Code Signing",
+ "reason": "nsuring that the bundled data is from a legitimate source and not tampered with might involve code signing, particularly if the bundle is intended for deployment or transfer. The description of what a Bundle Task is not even available on AWS anymore."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "The bundling process involves staging data for bundling and transfer, which is a crucial step in the data management process. The description of what a Bundle Task is not even available on AWS anymore."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks"
+ },
+ {
+ "eventName": "DescribeCarrierGateways",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes one or more of your carrier gateways.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1016 - System Network Configuration Discovery",
+ "reason": "This 
API call helps in discovering the network configuration, including the carrier gateway, which can provide insight into how traffic is routed"
+ },
+ {
+ "technique": "T1049 - System Network Connections Discovery",
+ "reason": "Describing the carrier gateways can reveal details about network connections and traffic flow between Wavelength Zones and carrier networks."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "Carrier gateways' NAT function can be leveraged to hide the source of attack traffic, aiding in defense evasion"
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Identifying carrier gateways could be useful for attackers aiming to gain access to the network using valid accounts"
+ },
+ {
+ "technique": "T1210 - Exploitation of Remote Services",
+ "reason": "Knowing the setup of carrier gateways can help in exploiting remote services that rely on this infrastructure"
+ },
+ {
+ "technique": "T1482 - Domain Trust Discovery",
+ "reason": "Insights into carrier gateways might reveal trust relationships between different network segments and domains"
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "Information from the carrier gateway description can help identify other remote systems within the network."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways"
+ },
+ {
+ "eventName": "DescribeClientVpnRoutes",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the routes for the specified Client VPN endpoint.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1046 - Network Service Scanning",
+ "reason": "An adversary might use DescribeClientVpnRoutes to enumerate network routes within the VPN, identifying potential targets and pivot points within the network."
+ },
+ {
+ "technique": "T1021- Remote Services",
+ "reason": "This API call can provide details on how to access different parts of the network remotely, which could facilitate lateral movement or remote execution of commands"
+ },
+ {
+ "technique": "T1016 - System Network Configuration Discovery",
+ "reason": "Information from DescribeClientVpnRoutes can reveal internal network structures, including IP ranges and network topologies, which can be used for further discovery and evasion activities"
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes that could be exploited for network access.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes"
+ },
+ {
+ "eventName": "DescribeDhcpOptions",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes one or more of your DHCP options sets.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1049 - System Network Connections Discovery",
+ "reason": "Describing DHCP options is directly related to understanding network configurations and connections within the AWS environment"
+ },
+ {
+ "technique": "T1590 - Gather Victim Network Information",
+ "reason": "The DHCP options can reveal information 
about DNS servers, domain names, NTP servers, and other network configurations, aiding in network discovery"
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "Describing DHCP options can help attackers discover remote systems within the network, providing a map of targets for lateral movement."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "Understanding DHCP options might reveal information about the system owners or users, helping attackers tailor their strategies for further exploitation."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions"
+ },
+ {
+ "eventName": "DescribeFlowLogs",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes one or more flow logs.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "Describing flow logs can help attackers understand which users are accessing specific network resources."
+ },
+ {
+ "technique": "T1016 - System Network Configuration Discovery",
+ "reason": "Flow logs can reveal network configurations, allowing attackers to map out the network layout"
+ },
+ {
+ "technique": "T1040 - Network Sniffing",
+ "reason": "By analyzing flow logs, attackers can infer traffic patterns and potentially sensitive information about network communications"
+ },
+ {
+ "technique": "T1020 - Automated Collection",
+ "reason": "Attackers can use the flow logs to automate the collection of network traffic data for further analysis"
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs"
+ },
+ {
+ "eventName": "DescribeImages",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "DescribeImages can be used to gather detailed information about the system images in use, which is critical for planning further attacks or understanding the environment."
+ },
+ {
+ "technique": "T1202 - Indirect Command Execution",
+ "reason": "By using DescribeImages, attackers can identify images that may allow them to indirectly execute commands through specific software or configurations present in the images"
+ },
+ {
+ "technique": "T1608 - Stage Capabilities",
+ "reason": "An attacker might use DescribeImages to find specific images to stage capabilities like installing digital certificates on chosen instances."
+ },
+ {
+ "technique": "T1083 - File and Directory Discovery",
+ "reason": "DescribeImages can reveal the existence and properties of files and directories associated with specific AMIs, aiding in discovery efforts"
+ },
+ {
+ "technique": "T1613 - Container and Resource Discovery",
+ "reason": "Attackers can use DescribeImages to identify available container images and resources in the environment. This helps them understand the infrastructure and identify potential targets for exploitation within containerized applications."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "Using DescribeImages helps attackers discover available cloud services, their configurations, and associated resources."
+ },
+ {
+ "technique": "T1195 - Supply Chain Compromise",
+ "reason": "Attackers can use DescribeImages to identify and exploit vulnerabilities in the software dependencies and development tools used within specific images, leading to a supply chain compromise."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-images --filters Name=name,Values=TrailDiscover"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages"
+ },
+ {
+ "eventName": "DescribeInstanceAttribute",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the specified attribute of the specified instance. You can specify only one attribute at a time.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Using DescribeInstanceAttribute can reveal information about the instance's configuration, such as instance type, which aids in understanding the system environment."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Information about the instance attributes can be used to identify potential valid accounts associated with the instance, particularly if the attribute reveals details about the IAM roles or users associated with it."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Describing instance attributes can provide details about the permissions and security groups associated with the instance, aiding in the discovery of network access control configurations."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "The attribute information might include details about the instance owner or users, helping to identify key individuals for potential targeted attacks"
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "Information about storage attributes of an instance can help in planning the staging of data for exfiltration."
+ },
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "Attributes related to the services running on the instance can be described, aiding in the discovery of available services for further exploitation."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "Details about network interfaces and configurations discovered through instance attributes can assist in identifying other remote systems and services within the network."
+ },
+ {
+ "technique": "T1518 - Software Discovery",
+ "reason": "Describing instance attributes may reveal information about the installed software and applications, assisting in software discovery efforts."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute"
+ },
+ {
+ "type": "stratusRedTeam",
+ "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute"
+ },
+ {
+ "eventName": "DescribeInstances",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the specified instances or all instances.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "The DescribeInstances call provides detailed information about the EC2 instances, including instance type, state, and configuration details. This information is essential for an adversary performing system information discovery to understand the environment."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "The DescribeInstances output can include tags and other metadata that may contain user information, helping adversaries to identify system owners and users."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Discovering the details of security configurations, such as security groups and network ACLs associated with instances, can help adversaries to plan how to impair or bypass defenses"
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Understanding the details of EC2 instances can enable an adversary to manipulate accounts associated with those instances, such as creating or deleting IAM roles attached to instances."
+ },
+ {
+ "technique": "T1016 - System Network Configuration Discovery",
+ "reason": "DescribeInstances can reveal network configurations of instances, including VPC, subnet, and security group details, aiding in network discovery"
+ },
+ {
+ "technique": "T1046 - Network Service Scanning",
+ "reason": "While DescribeInstances does not directly perform network service scanning, the information it provides about instance IP addresses and configurations can be used to facilitate subsequent network scanning activities."
+ },
+ {
+ "technique": "T1210 - Exploitation of Remote Services",
+ "reason": "Detailed information about EC2 instances, such as their public IP addresses and running services, can be used to exploit remote services running on these instances."
+ },
+ {
+ "technique": "T1135 - Network Share Discovery",
+ "reason": "Information from DescribeInstances can indicate the presence of network shares or attached storage, which may be targeted for further discovery or exploitation."
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "DescribeInstances can provide insights into the software and processes running on the instances, helping adversaries identify potential targets for process discovery and further exploitation."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild",
+ "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"
+ }
+ ],
+ "researchLinks": [
+ {
+ "description": "Abusing VPC Traffic Mirroring in AWS",
+ "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"
+ }
+ ],
+ "securityImplications": "Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID"
+ },
+ {
+ "type": "stratusRedTeam",
+ "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances"
+ },
+ {
+ "eventName": "DescribeInstanceTypes",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the details of the instance types that are offered in a location.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1590 - Gather Victim Network Information",
+ "reason": "By describing instance types, attackers can identify the network configurations and resources used in the target's AWS environment. This information aids in understanding the network structure and potential vulnerabilities that could be exploited."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "DescribeInstanceTypes provides detailed information about different instance types, including their capabilities and configurations, which can help an attacker understand the system architecture and capabilities."
+ },
+ {
+ "technique": "T1213 - Data from Information Repositories",
+ "reason": "Knowing the types of instances helps in determining how data might be stored or managed in cloud repositories, aiding in planning data collection strategies."
+ },
+ {
+ "technique": "T1592 - Gather Victim Host Information",
+ "reason": "DescribeInstanceTypes can provide details on the hardware and software configurations of the instances, helping attackers gather comprehensive information about the victim's host environment."
+ },
+ {
+ "technique": "T1046 - Network Service Discovery",
+ "reason": "By knowing the instance types, attackers can infer what network services might be running, aiding in the discovery of network service configurations and potential vulnerabilities."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "DescribeInstanceTypes helps attackers discover the available cloud services and their configurations, which is crucial for understanding the overall cloud environment and potential targets."
+ },
+ {
+ "technique": "T1497 - Virtualization/Sandbox Evasion",
+ "reason": "Knowing the instance types can help attackers tailor their techniques to evade detection within virtualized environments specific to the cloud infrastructure in use."
+ },
+ {
+ "technique": "T1482 - Domain Trust Discovery",
+ "reason": "DescribeInstanceTypes can provide insights into the types of instances and their configurations, which may include details relevant to domain trust relationships within the cloud infrastructure."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
+ "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes"
+ },
+ {
+ "eventName": "DescribeKeyPairs",
+ "eventSource": "ec2.amazonaws.com",
+ "awsService": "EC2",
+ "description": "Describes the specified key pairs or all of your key pairs.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1580 - Cloud Service Discovery",
+ "reason": "The DescribeKeyPairs API call can be used to enumerate key pairs associated with EC2 instances, which aids in discovering cloud resources and configurations."
+ },
+ {
+ "technique": "T1528 - Steal Application Access Token",
+ "reason": "Key pairs can be used to steal application access tokens if they are used for application authentication mechanisms."
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs" + }, + { + "eventName": "DescribeRegions", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the Regions that are enabled for your account, or all Regions.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Attackers can use the DescribeRegions API call to obtain information about the cloud regions where a victim's resources are deployed. This helps in mapping the network and understanding the potential attack surface." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "By utilizing DescribeRegions, attackers can gain insights into the geographical distribution of the victim's cloud infrastructure, contributing to the overall system information." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "DescribeRegions gives access to the regional metadata of AWS, which acts as an information repository. Attackers may exploit this data to gain insights into the structure and status of the cloud environment." 
+ }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Although not directly relevant attackers can use DescribeRegions to understand the layout of network resources across different regions, which can aid in discovering network shares and how resources are distributed geographically." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 describe-regions" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions" + }, + { + "eventName": "GetLaunchTemplateData", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Retrieves the configuration data of the specified instance. You can use this data to create a launch template.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetLaunchTemplateData API call retrieves configuration data of an instance, providing detailed information about the system, including its configurations and metadata." 
+ }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Information about the instance's network configurations can aid in scanning for active services and identifying potential targets" + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Adversaries might use the gathered configuration data to create archives for exfiltration purposes" + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The GetLaunchTemplateData call may reveal information about the system owner or users associated with the instance." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData" + }, + { + "eventName": "DescribeSecurityGroups", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the specified security groups or all of your security groups.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The DescribeSecurityGroups API call allows an adversary to gather information about security groups, which is crucial for understanding the security posture and configurations of the cloud environment" + }, + { + "technique": "T1087 - Account 
Discovery", + "reason": "By describing security groups, adversaries can infer the roles and privileges associated with different accounts and identify potential targets for further compromise." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Knowledge of security group configurations can help adversaries understand which network services are exposed, enabling them to scan for open ports and services" + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Security groups often define permissions for accessing various resources within the cloud environment. Understanding these groups can help adversaries identify critical permissions and exploit them." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "If an adversary identifies security groups that allow inbound access, they might transfer tools or malware into the environment through these entry points" + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Understanding security group rules helps adversaries in crafting communication methods that can bypass security controls using allowed protocols." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "By knowing the security groups, adversaries can position themselves in a network segment where they can capture sensitive traffic." + }, + { + "technique": "T1021 - Remote Services", + "reason": "Knowledge of security group configurations that allow remote services access can be exploited to move laterally within the network using those services." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Case Study: Responding to an Attack in AWS", + "link": "https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups" + }, + { + "eventName": "DescribeSnapshotAttribute", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the specified attribute of the specified snapshot.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "By describing snapshot attributes, an adversary can discover accounts associated with specific snapshots, providing insight into user and service accounts in the environment." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": " Snapshots often contain data stored in the cloud, and describing their attributes is a step towards accessing and exploiting this data." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "DescribeSnapshotAttribute can be used in scripts to automatically collect data on snapshots for further analysis or malicious use." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By gathering detailed information about snapshots, an adversary can infer the system owner or user details, which is crucial for furthering their attack strategy." 
+ }, + { + "technique": "T1602 - Data from Configuration Repository", + "reason": "Snapshot attributes may include configuration information that could be valuable for understanding the environment or identifying further targets for exfiltration or attack." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute" + }, + { + "eventName": "DescribeSnapshotTierStatus", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the storage tier status of one or more Amazon EBS snapshots.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS EFS File System or Mount Deleted", - "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html" + "technique": "T1087 - Account Discovery", + "reason": "By analyzing the snapshot tier status, an attacker could infer which accounts have access to particular snapshots, thereby gaining insights into the account structures and permissions within the target environment." 
+ }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Information about the storage tier status of snapshots includes metadata that helps identify system owners or users associated with those snapshots, thus aiding in the discovery of target users within the environment." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "This API call provides detailed information about EBS snapshots, which are a form of cloud storage. An attacker can use this to identify and access sensitive data stored within these snapshots." } ], - "securityImplications": "Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws efs delete-mount-target --mount-target-id fsmt-f9a14450" + "value": "aws ec2 describe-snapshot-tier-status" } ], - "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus" }, { - "eventName": "DeleteRule", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Deletes the specified rule.", + "eventName": 
"DescribeTransitGatewayMulticastDomains", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes one or more transit gateway multicast domains.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1489 - Service Stop", - "T1578 - Modify Cloud Compute Infrastructure" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS EventBridge Rule Disabled or Deleted", - "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html" + "technique": "T1590 - Gather Victim Network Information", + "reason": "This api call involves identifying details about the victim's network, such as the structure and topology, which can be aided by describing transit gateway multicast domains." }, { - "description": "AWS EventBridge rule disabled or deleted", - "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/" + "technique": "T1592 - Gather Victim Host Information", + "reason": "The information from the API call could help an attacker understand the hosts connected via the multicast domains." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Information from transit gateway multicast domains could include details about the accounts associated with them." + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Describing multicast domains helps in mapping out system network connections." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The API call may return information about the users or owners of the systems within the multicast domains." 
} ], - "securityImplications": "Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events delete-rule --name TrailDiscoverRule" + "value": "aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-DeleteRule" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains" }, { - "eventName": "ListTargetsByRule", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Lists the targets assigned to the specified rule.", + "eventName": "DescribeVolumes", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the specified EBS volumes or all of your EBS volumes.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "technique": "T1087 - Account Discovery", + 
"reason": "The DescribeVolumes API call can reveal information about EBS volumes which might contain details about the accounts that created or use them." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "DescribeVolumes allows attackers to list and understand the configuration of EBS volumes within a cloud environment. This information helps map out the storage resources, potentially revealing sensitive data or misconfigurations." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By describing volumes, attackers can infer the permissions set on EBS volumes and potentially discover groups with access to these volumes" + }, + { + "technique": "T1613 - Container and Resource Discovery", + "reason": "Volumes can be linked to container storage. Discovering volumes helps in mapping container usage and dependencies" } ], - "securityImplications": "Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events list-targets-by-rule --rule TrailDiscoverRule" + "value": "aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-ListTargetsByRule" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes" }, { - "eventName": "RemoveTargets", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": 
"Removes the specified targets from the specified rule.", + "eventName": "DescribeVolumesModifications", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the most recent volume modification request for the specified EBS volumes.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1489 - Service Stop", - "T1578 - Modify Cloud Compute Infrastructure" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "technique": "T1087 - Account Discovery", + "reason": "Viewing volume modifications might help attackers understand cloud account structures and usage patterns, aiding in discovering privileged accounts" } ], - "securityImplications": "Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeVolumesModifications to track changes in EBS volumes.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId" + "value": "aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-RemoveTargets" + "permissions": 
"https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications" }, { - "eventName": "DisableRule", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Disables the specified rule.", + "eventName": "DescribeVpcEndpointConnectionNotifications", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the connection notifications for VPC endpoints and VPC endpoint services.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1489 - Service Stop", - "T1578 - Modify Cloud Compute Infrastructure" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS EventBridge Rule Disabled or Deleted", - "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html" + "technique": "T1135 - Network Share Discovery", + "reason": "Describing VPC endpoint connection notifications can help identify shared resources within the VPC, providing information on the network structure and potential entry points." }, { - "description": "AWS EventBridge rule disabled or deleted", - "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/" + "technique": "T1049 - System Network Connections Discovery", + "reason": "By describing VPC endpoint connection notifications, an attacker can gather information about the network connections and endpoints configured in the VPC." + }, + { + "technique": "T1007 - Network Service Scanning", + "reason": "Describing VPC endpoint connection notifications can reveal details about network services in use, which can be leveraged for further network service scanning." 
} ], - "securityImplications": "Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus" + "value": "aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-DisableRule" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications" }, { - "eventName": "ListRules", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.", + "eventName": "DescribeVpcs", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes one or more of your VPCs.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "Understanding the network configuration by querying VPCs helps an attacker identify the architecture, including subnets, route tables, and network ACLs. 
This information can reveal how the network is structured and potential points for further exploitation." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "By describing the VPCs, attackers can identify potential points of network sniffing to capture valuable information traversing the network." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Understanding the VPCs helps in mapping out the cloud environment, potentially identifying accounts that manage or are associated with those VPCs." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "By describing VPCs, adversaries can identify trusts between different VPCs or between on-premises and cloud environments, aiding lateral movement and privilege escalation attempts." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Describing VPCs directly aligns with gathering information about cloud network configurations, including CIDR blocks, subnets, and associated components." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Discovering details about VPCs is part of a broader effort to map out cloud services and their configurations, providing a clearer picture of the cloud environment's landscape." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId" + } + ], + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs" + }, + { + "eventName": "EnableSerialConsoleAccess", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Enables access to the EC2 serial console of all instances for your account.", + "mitreAttackTactics": [ + "TA0008 - Lateral Movement" + ], + "mitreAttackTechniques": [ + "T1021 - Remote Services" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Enabling serial console access allows attackers to execute commands directly in the Unix shell of the EC2 instances." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Serial console access can be used to manipulate or create new accounts on the instance, ensuring persistent access." + }, + { + "technique": "T1037 - Boot or Logon Initialization Scripts", + "reason": "Attackers can use the console to modify initialization scripts, ensuring their scripts run on startup for persistence." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Serial console access might be exploited using compromised credentials, allowing attackers to use valid accounts to access the console." 
+ }, + { + "technique": "T1547 - Boot or Logon Autostart Execution", + "reason": "The serial console can be used to modify system configurations or add scripts to ensure code execution upon system start." + }, + { + "technique": "T1543 - Create or Modify System Process", + "reason": "If the instances are running Windows, attackers might use the serial console to create or modify services for persistence and privilege escalation." + }, + { + "technique": "T1055 - Process Injection", + "reason": "Serial console access could potentially be used for injecting code into running processes to evade defenses" + }, + { + "technique": "T1207 - Rogue Domain Controller", + "reason": "Attackers with console access could promote a compromised instance to a domain controller in an Active Directory environment, escalating privileges." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "The serial console allows attackers to directly interact with the system to delete logs and other indicators of their presence." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "description": "How to detect EC2 Serial Console enabled", + "link": "https://sysdig.com/blog/ec2-serial-console-enabled/" + }, + { + "description": "Attack Paths Into VMs in the Cloud", + "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" } ], - "securityImplications": "Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.", + "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events list-rules --name-prefix TrailDiscover" + "value": "aws ec2 enable-serial-console-access" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-ListRules" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess" }, { - "eventName": "PutTargets", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.", + "eventName": "GetConsoleScreenshot", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1546 - Event 
Triggered Execution" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1113 - Screen Capture", + "reason": "The GetConsoleScreenshot API call captures a screenshot of a running EC2 instance, providing a visual snapshot of the system's state. This can reveal sensitive information displayed on the screen, such as open applications, user activities, or visible credentials." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "The screenshot can provide insights into user accounts and other details visible on the instance, aiding in account discovery." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "The screenshot might reveal running processes or applications, helping in process discovery." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "Screenshots may reveal network configurations displayed on the system's desktop." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Information visible in the screenshot might provide details about other systems or network topology." + }, + { + "technique": "T1110 - Brute Force", + "reason": "If the screenshot shows login prompts or error messages related to login attempts, it can aid in brute force attempts." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.", + "securityImplications": "Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events put-targets --rule TrailDiscoverLambdaFunction --targets \"Id\"=\"1\",\"Arn\"=\"arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\"" + "value": "aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-PutTargets" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot" }, { - "eventName": "PutRule", - "eventSource": "events.amazonaws.com", - "awsService": "events", - "description": "Creates or updates the specified rule.", + "eventName": "GetEbsDefaultKmsKeyId", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes the default AWS KMS key for EBS encryption by default for your account in this Region.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0005 - Defense Evasion", - "TA0003 - Persistence" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1489 - Service Stop", - "T1578 - Modify Cloud Compute Infrastructure", - "T1546 - Event Triggered Execution" + "T1580 - Cloud Infrastructure Discovery" ], - 
"usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving the default KMS key provides information about the encryption settings of the EBS volumes in the account." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "By knowing the KMS key, attackers could potentially access encrypted data if they manage to retrieve the corresponding encrypted volumes." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers could use this information to modify or disable encryption settings, impacting defenses." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might use the default KMS key information to create resources that appear legitimate but are malicious in nature." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], - "securityImplications": "Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.", + "researchLinks": [], + "securityImplications": "Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws events put-rule --name TrailDiscoverRule --schedule-expression 'rate(5 minutes)' --state ENABLED --description \"TrailDiscover rule\"" + "value": "aws ec2 get-ebs-default-kms-key-id" } ], - "permissions": "https://aws.permissions.cloud/iam/events#events-PutRule" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId" }, { - "eventName": "GetInstances", - "eventSource": "lightsail.amazonaws.com", - "awsService": "LightSail", - "description": "Returns information about all Amazon Lightsail virtual private servers, or instances.", + "eventName": "GetEbsEncryptionByDefault", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Describes whether EBS encryption by default is enabled for your account in the current Region.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ - { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": 
"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" - } - ], - "securityImplications": "Attackers might use GetInstances to gather information about running instances for potential exploitation.", - "alerting": [], - "simulation": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "type": "commandLine", - "value": "aws lightsail get-instances" + "technique": "T1538 - Cloud Service Dashboard", + "reason": "Accessing configuration information through API calls to understand settings." } ], - "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances" - }, - { - "eventName": "CreateInstances", - "eventSource": "lightsail.amazonaws.com", - "awsService": "Lightsail", - "description": "Creates one or more Amazon Lightsail instances.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion", - "TA0040 - Impact" - ], - "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1496 - Resource Hijacking" - ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. 
The use of lightsail might not be monitored.", + "securityImplications": "Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are encrypted by default, seeking to exploit unencrypted volumes.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0" + "value": "aws ec2 get-ebs-encryption-by-default" } ], - "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault" }, { - "eventName": "GetRegions", - "eventSource": "lightsail.amazonaws.com", - "awsService": "LightSail", - "description": "Returns a list of all valid regions for Amazon Lightsail.", + "eventName": "GetFlowLogsIntegrationTemplate", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "technique": "T1078 - Valid Accounts", + "reason": "By analyzing the resulting template, adversaries might identify configurations and permissions related to valid accounts" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "The template could potentially include commands or scripts that are executed in the cloud environment, exploiting existing vulnerabilities for 
execution." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "The template could include configurations that disable or alter logging, monitoring, or other security tools." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The CloudFormation template could include obfuscated scripts or configurations to evade detection" + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "The setup process defined in the template might interact with remote services, offering a vector for exploitation." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "The information gleaned from the template can assist adversaries in understanding the network services in use, aiding in further network scanning and enumeration." + }, + { + "technique": "T1497 - Virtualization/Sandbox Evasion", + "reason": "The template could be designed to detect and avoid execution within certain virtualized environments or sandboxes, thereby evading analysis or detection." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The CloudFormation template might include scripts executed via command and scripting interpreters, which can be leveraged for execution." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "By using the CloudFormation template to configure the VPC flow logs integration, adversaries can automate the collection, archiving, and storage of flow logs data, potentially using S3 to archive collected logs before exfiltration or analysis." 
} ], - "securityImplications": "Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws lightsail get-regions" + "value": "aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'" } ], - "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate" }, { - "eventName": "GetCostAndUsage", - "eventSource": "ce.amazonaws.com", - "awsService": "CostExplorer", - "description": "Retrieves cost and usage metrics for your account.", + "eventName": "GetLaunchTemplateData", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Retrieves the configuration data of the specified instance. 
You can use this data to create a launch template.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving the configuration data of instances can provide attackers with detailed system information that can be used for further reconnaissance and discovery of system characteristics." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Attackers might use this data to discover network shares and storage configurations, aiding in understanding the network topology and resources" + }, + { + "technique": "T1518 - Software Discovery", + "reason": "By accessing instance configuration data, attackers can determine what software is running on the instance, including security software, enabling them to plan further attacks." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Information obtained can be used to identify valid accounts within the cloud environment, potentially leading to misuse of credentials." + }, + { + "technique": "T1195 - Supply Chain Compromise", + "reason": "Attackers can create a launch template based on the retrieved data, embedding malicious software or configurations, thus compromising the software supply chain." 
+ }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The configuration data may include scripts or commands that can be leveraged to gain further access or control over the instance" + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By understanding the configuration and storage locations, attackers can delete logs or files to evade detection" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Attackers might use the launch template to spin up instances for resource hijacking, such as cryptocurrency mining." + } ], "usedInWild": true, "incidents": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.", + "securityImplications": "Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings, network configurations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment" + "value": "aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId" } ], - "permissions": "https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData" }, { - "eventName": "DeleteMembers", - "eventSource": 
"securityhub.amazonaws.com", - "awsService": "SecurityHub", - "description": "Deletes the specified member accounts from Security Hub.", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Retrieves the encrypted administrator password for a running Windows instance.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0006 - Credential Access" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1555 - Credentials from Password Stores" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS CloudTrail cheat sheet", - "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet" + "technique": "T1078 - Valid Accounts", + "reason": "By decrypting the administrator password with the key pair, an attacker can obtain valid credentials for the Windows instance, allowing them to log in with legitimate access. z If the Windows instance is part of a domain, obtaining the administrator password could provide domain-level access, enabling further exploitation within the domain. The password retrieved is for the local administrator account, giving full access to the instance's local resources and potentially allowing further escalation." }, { - "description": "AWS Incident Response", - "link": "https://easttimor.github.io/aws-incident-response/" + "technique": "T1098 - Account Manipulation", + "reason": "Attackers can use the retrieved administrator credentials to create new accounts or manipulate existing ones to ensure continued access to the instance." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "With the administrator password, an attacker can remove access to existing accounts, locking out legitimate users and maintaining control over the instance." 
+ }, + { + "technique": "T1548.002 - Abuse Elevation Control Mechanism", + "reason": "Once an attacker has the administrator password, they can bypass User Account Control (UAC) on the instance to elevate privileges without user consent." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker with administrator access might delete logs and other files to cover their tracks and ensure persistent access without detection." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], - "securityImplications": "Attackers might use DeleteMembers to remove specific members from the SecurityHub, disrupting security management and monitoring.", + "researchLinks": [], + "securityImplications": "Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws securityhub delete-members --account-ids TrailDiscoverAccountIds" + "value": "aws ec2 get-password-data --instance-id TrailDiscoverInstanceId" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data" } ], - 
"permissions": "https://aws.permissions.cloud/iam/securityhub#securityhub-DeleteMembers" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData" }, { - "eventName": "ListGroupsForUser", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the IAM groups that the specified IAM user belongs to.", + "eventName": "GetTransitGatewayRouteTableAssociations", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Gets information about the associations for the specified transit gateway route table.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1018 - Remote System Discovery", + "reason": "The API call provides information about the transit gateway route table associations, which can be used to identify and map remote systems within the network." + }, + { + "technique": "T1423 - Network Service Scanning", + "reason": "Understanding route table associations helps in scanning and identifying active services and their routing paths, facilitating network service discovery." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "By analyzing transit gateway associations, attackers can identify potential external services that can be targeted for initial access or further exploitation" + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Knowledge of network routes and associations is crucial for deploying and managing remote access tools within the network" + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Route table information can be used to facilitate the transfer of tools across different segments of the network, aiding lateral movement." 
+ }, + { + "technique": "T1021 - Remote Services", + "reason": "The information obtained from the API call can be used to identify and exploit remote services for lateral movement or persistence" + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers can use knowledge of network routing to communicate using application layer protocols that traverse the transit gateway routes" + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "The transit gateway route table associations provide valuable insights into the network's structure and configuration, useful for gathering detailed network information" + } ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.", + "securityImplications": "Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-groups-for-user --user-name TrailDiscover" + "value": "aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations" }, { - "eventName": "CreateSAMLProvider", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - 
"description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.", + "eventName": "ImportKeyPair", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.", "mitreAttackTactics": [ "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1136 - Create Account" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "An attacker can import their own key pair to gain initial access to the AWS environment using a compromised or newly created account. The imported key can also be used to maintain persistent access. This can be applied to both cloud and domain accounts in the cloud, ensuring access across different services." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Attackers may delete logs or evidence after importing the keypair." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], - "researchLinks": [], - "securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.", + "researchLinks": [ + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + } + ], + "securityImplications": "Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized access.", "alerting": [], "simulation": [ { 
@@ -2289,354 +5401,492 @@ "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair" }, { - "eventName": "ListAccessKeys", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Returns information about the access key IDs associated with the specified IAM user.", + "eventName": "ModifyImageAttribute", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Modifies the specified attribute of the specified AMI.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.", - "alerting": [], - "simulation": [ + "technique": "T1098 - Account Manipulation", + "reason": "Modifying AMI launch permissions could allow an attacker to grant additional cloud accounts the ability to launch instances with the compromised AMI." + }, { - "type": "commandLine", - "value": "aws iam list-access-keys --user-name TrailDiscover" + "technique": "T1078 - Valid Accounts", + "reason": "Modifying launchPermission can be used to grant access to valid accounts or remove access, effectively controlling which accounts can launch instances from the AMI." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Changing launch permissions to launch the AMI in an attacker AWS account might grant attackers access to instances where they can execute credential dumping tools." 
+ }, + { + "technique": "T1021 - Remote Services", + "reason": "If the AMI is launched by specific users, it could enable the attacker to move laterally by exploiting remote services and admin privileges." + }, + { + "technique": "T1036 - Masquerading", + "reason": "By modifying the AMI description, attackers can disguise malicious activities under benign-sounding descriptions to evade detection." } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys" - }, - { - "eventName": "DeleteRolePolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the specified inline policy that is embedded in the specified IAM role.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.", - "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "AWS AMI Atttribute Modification for Exfiltration", + "link": "https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/" } ], + "securityImplications": "Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover" + "value": "aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue" + }, + { + 
"type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute" }, { - "eventName": "DetachRolePolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Removes the specified managed policy from the specified role.", + "eventName": "ModifyInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion", "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1078 - Valid Accounts", + "reason": "Modifying instance attributes can involve, via modifications of the UserData, changing account settings to maintain access to the instance, including the use or creation of default, local, or cloud accounts." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Via modifications of the UserData an attacker could disable or modify security tools and defenses on the instance, impairing the system's ability to detect or respond to threats" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Modifying instance attributes could allow the hijacking of resources for unauthorized uses such as cryptocurrency mining. 
You could also increase the size of CPU or RAM" + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Changes in instance attributes could be used to facilitate the destruction of data on the instance, impacting the integrity and availability of information." } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "Executing commands through EC2 user data", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + }, + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, + { + "description": "EC2 Privilege Escalation Through User Data", + "link": "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/" + }, + { + "description": "User Data Script Persistence", + "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/" + }, + { + "description": "Attack Paths Into VMs in the Cloud", + "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" } ], - "securityImplications": "Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.", + "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.", "alerting": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml" } ], 
"simulation": [ { "type": "commandLine", - "value": "aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy" + "value": "aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute" }, { - "eventName": "UpdateLoginProfile", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.", + "eventName": "ModifySnapshotAttribute", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Adds or removes permission settings for the specified snapshot.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1078 - Valid Accounts", + "reason": "By adding permissions to a snapshot, attackers can grant access to unauthorized cloud accounts or default accounts, which can be used for persistence and privilege escalation." 
}, { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + "technique": "T1552 - Unsecured Credentials", + "reason": "Adding permissions to a snapshot might expose sensitive files that contain credentials, aiding in credential access." }, { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" - } - ], - "researchLinks": [ + "technique": "T1070 - Indicator Removal", + "reason": "Removing permissions from a snapshot can be used to hide or delete evidence of unauthorized access, aiding in defense evasion." + }, { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + "technique": "T1530 - Data from Cloud Storage", + "reason": "By modifying snapshot permissions, attackers can gain access to sensitive data stored within snapshots, aiding in data collection and exfiltration." }, { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "technique": "T1562 - Impair Defenses", + "reason": "Modifying permissions could impair security controls or defenses by granting unauthorized access to the snapshots, potentially containing security-related configurations, backups, or tools." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Modifying snapshot permissions could help attackers discover cloud accounts with access to the snapshot, aiding in further attacks." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "If a snapshot contains OS-level files, attackers can use it to extract credentials, aiding in credential access." 
+ }, + { + "technique": "T1074 - Data Staged", + "reason": "Snapshots can be used to stage data locally for later exfiltration, aiding in data collection and exfiltration" } ], - "securityImplications": "Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.", + "usedInWild": true, + "incidents": [ + { + "description": "CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight", + "link": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.", "alerting": [ { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover" + "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute" }, { - "eventName": "SimulatePrincipalPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API 
operations and AWS resources to determine the policies' effective permissions.", + "eventName": "ReplaceIamInstanceProfileAssociation", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Replaces an IAM instance profile for the specified running instance.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [ + "T1098.003 - Account Manipulation: Additional Cloud Roles" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1548 - Abuse Elevation Control Mechanism", + "reason": "By changing the IAM instance profile, an attacker can elevate the privileges of the EC2 instance, allowing it to perform actions that require higher permissions. This abuse of the role mechanism can be used to execute privileged commands." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "By altering the IAM instance profile, an attacker can modify the authentication process. This change could allow the instance to authenticate as a different role with different permissions, potentially bypassing security controls." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "An attacker might replace an IAM instance profile to remove certain access controls or permissions temporarily to perform specific actions without triggering alerts or restrictions. Additionally they might remove the instances from the contol of certain accounts to maybe evade detection. AN example would be to remove access from known cloud security tools." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" } ], "researchLinks": [], - "securityImplications": "Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. Using this technique might allow attackers to evade defenses while enumerating permissions.", + "securityImplications": "Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories" + "value": "aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation" }, { - "eventName": "GetAccountAuthorizationDetails", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.", + "eventName": "RunInstances", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Launches the specified number of instances using an AMI for which you have permissions.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence", + "TA0040 - Impact", + "TA0008 - Lateral Movement" 
], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1098 - Account Manipulation", + "T1496 - Resource Hijacking", + "T1021 - Remote Services" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS - IAM Enum", - "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" + "technique": "T1133 - External Remote Services", + "reason": "Adversaries can launch EC2 instances that can be remotely accessed via SSH, RDP, or other protocols, gaining an initial access point into the AWS environment or maintaining persistence." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Launching instances directly modifies the cloud compute infrastructure, which can be leveraged by adversaries to create a foothold, evade defenses, or escalate privileges." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Instances launched can be used to transfer malicious tools into the cloud environment, supporting various attack strategies. This is especally true if the instance is initiated with an malicious image." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "New instances can facilitate the lateral movement of tools and malware across the cloud infrastructure, aiding in broader attack campaigns." 
} ], - "securityImplications": "Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.", - "alerting": [], - "simulation": [ + "usedInWild": true, + "incidents": [ { - "type": "commandLine", - "value": "aws iam get-account-authorization-details" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + "description": "DXC spills AWS private keys on public GitHub", + "link": "https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", + "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", + "link": "https://sysdig.com/blog/scarleteel-2-0/" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + "description": "Clear and Uncommon Story About Overcoming Issues With AWS", + "link": 
"https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/" + }, + { + "description": "onelogin 2017 Security Incident", + "link": "https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident" + }, + { + "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", + "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + }, + { + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails" - }, - { - "eventName": "AddUserToGroup", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds the specified user to the specified group.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": false, - "incidents": [], "researchLinks": [ + { + "description": "Launching EC2 instances", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/" + }, + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, { "description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + }, + { + "description": "Abusing VPC Traffic Mirroring in AWS", + "link": 
"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" } ], - "securityImplications": "Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.", + "securityImplications": "Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover" + "value": "aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-RunInstances" }, { - "eventName": "ListGroups", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the IAM groups that have the specified path prefix.", + "eventName": "SendSerialConsoleSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "awsService": "EC2InstanceConnect", + "description": "Pushes an SSH public key to the specified EC2 instance.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0008 - Lateral Movement" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1021 - Remote Services" ], - "usedInWild": true, - "incidents": [ - { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" - } + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" ], - "researchLinks": [ + "unverifiedMitreAttackTechniques": [ { - "description": "AWS - IAM Enum", - "link": 
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" - } - ], - "securityImplications": "Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.", - "alerting": [], - "simulation": [ + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Once access is established, attackers can use the command and scripting interpreter to execute commands on the instance." + }, { - "type": "commandLine", - "value": "aws iam list-groups" + "technique": "T1098 - Account Manipulation", + "reason": "Attackers may push their own SSH keys to the EC2 instances, effectively manipulating access control." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "After gaining access, attackers could disable security tools or logs to evade detection." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers may use legitimate commands and tools to mask their activities within the compromised instance" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "Exploiting the SSH access to execute further malicious code or scripts within the EC2 instance." + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Using SSH as a remote access tool to maintain control over the compromised EC2 instance." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers may use or create local accounts on the EC2 instance to facilitate further access and actions." 
} ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroups" - }, - { - "eventName": "UpdateAccessKey", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Changes the status of the specified access key from Active to Inactive, or vice versa.", - "mitreAttackTactics": [ - "TA0003 - Persistence" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "AWS - IAM Privesc", - "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], - "securityImplications": "Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.", + "researchLinks": [], + "securityImplications": "Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey" + "permissions": "https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey" 
}, { - "eventName": "ListUsers", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "awsService": "EC2InstanceConnect", + "description": "Pushes an SSH public key to the specified EC2 instance for use by the specified user.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0008 - Lateral Movement" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1021 - Remote Services" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1021 - Remote Services", + "reason": "Pushing an SSH public key to an EC2 instance allows remote access to the system over SSH. This API call enables secure communication and command execution on the instance, potentially giving adversaries the ability to interact with and control the system remotely." }, { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + "technique": "T1136 - Create Account", + "reason": "Pushing a new SSH key can be seen as creating a new means of access for a specific user, akin to account creation." }, { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "The API call modifies the authentication state of an EC2 instance, part of cloud compute infrastructure." 
+ }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Pushing a new key could be used to temporarily bypass defenses or monitoring on the instance." }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "An adversary can misuse the SendSSHPublicKey API to gain unauthorized access to an EC2 instance by injecting their SSH key. This allows them to control the instance remotely, leveraging legitimate remote services for malicious purposes." + } + ], + "usedInWild": true, + "incidents": [ { "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" }, { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" }, { "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", 
@@ -2645,1323 +5895,1479 @@ ], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "Attack Paths Into VMs in the Cloud", + "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" } ], - "securityImplications": "Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.", + "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-users" + "value": "N/A" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUsers" + "permissions": "https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey" }, { - "eventName": "UpdateAssumeRolePolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Updates the policy that grants an IAM entity permission to assume a role.", + "eventName": "SharedSnapshotCopyInitiated", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + 
"unverifiedMitreAttackTechniques": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data." }, { - "description": "AWS IAM Persistence Methods", - "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download." 
} ], - "securityImplications": "Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.", + "usedInWild": true, + "incidents": [ + { + "description": "M-Trends Report - 2020", + "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" + }, + { + "description": "Democratic National Committee hack", + "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000" + } + ], + "researchLinks": [ + { + "description": "Detecting exfiltration of EBS snapshots in AWS", + "link": "https://twitter.com/christophetd/status/1574681313218506753" + } + ], + "securityImplications": "SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}" + "value": "N/A" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy" + "permissions": "N/A" }, { - "eventName": "CreateAccessKey", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. 
The default status for new keys is Active.", + "eventName": "SharedSnapshotVolumeCreated", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1136 - Create Account", - "T1078 - Valid Accounts" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ - { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, - { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" - }, - { - "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", - "link": "https://sysdig.com/blog/scarleteel-2-0/" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might obfuscate the data within snapshots to avoid detection during transfer. 
This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms" }, { - "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", - "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms." }, { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "technique": "T1074 - Data Staged", + "reason": "Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download." 
} ], - "researchLinks": [ - { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, + "usedInWild": true, + "incidents": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "M-Trends Report - 2020", + "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" }, { - "description": "AWS IAM Persistence Methods", - "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" + "description": "Democratic National Committee hack", + "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000" } ], - "securityImplications": "Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.", - "alerting": [ - { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" - }, + "researchLinks": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml" + "description": "Detecting exfiltration of EBS snapshots in AWS", + "link": "https://twitter.com/christophetd/status/1574681313218506753" } ], + "securityImplications": "SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-access-key --user-name TrailDiscover" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" + "value": "N/A" }, { "type": "stratusRedTeam", - "value": 
"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey" + "permissions": "N/A" }, { - "eventName": "CreatePolicyVersion", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a new version of the specified managed policy.", + "eventName": "StartInstances", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Starts an Amazon EBS-backed instance that you've previously stopped.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0003 - Persistence", + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1098 - Account Manipulation", + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.", - "alerting": [ + "technique": "T1036 - Masquerading", + "reason": "Adversaries could rename stopped instances to appear legitimate and start them without raising alarms." 
+ }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" - } - ], - "simulation": [ + "technique": "T1053 - Scheduled Task/Job", + "reason": "Attackers might schedule tasks to automatically start stopped instances at certain times to execute malicious actions" + }, { - "type": "commandLine", - "value": "aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}" + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Once the instance is started, adversaries could transfer tools and malware to the instance for execution" + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Adversaries might start instances that have remote access tools installed to regain control over the environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Starting instances can impair defenses by creating new workloads that may not be monitored by existing security tools, enabling attackers to perform malicious activities without detection." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Attackers can directly use the StartInstances API call to manipulate the state of instances, aiding in persistence and execution of tasks." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Starting an instance can be used to stage data locally before exfiltration." 
} ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion" - }, - { - "eventName": "DeleteUserPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the specified inline policy that is embedded in the specified IAM user.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion", - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1098 - Account Manipulation" - ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, - { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.", - "alerting": [ + "description": "Executing commands through EC2 user data", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "Attack Paths Into VMs in the Cloud", + "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" } ], + "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the 
user data for execution of commands.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover" + "value": "aws ec2 start-instances --instance-ids TrailDiscoverInstanceID" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StartInstances" }, { - "eventName": "ListRoles", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the IAM roles that have the specified path prefix. ", + "eventName": "StopInstances", + "eventSource": "ec2.amazonaws.com", + "awsService": "EC2", + "description": "Stops an Amazon EBS-backed instance.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact", + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1499 - Endpoint Denial of Service", + "T1578 - Modify Cloud Compute Infrastructure" + ], + "mitreAttackSubTechniques": [ + "T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1565 - Data Manipulation", + "reason": "Stopping an instance can be a precursor to manipulating the stored data, especially if the instance is hibernated and the memory contents are preserved but the disk is later modified." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Stopping instances can disable security monitoring tools and defenses running on those instances, hindering their ability to detect malicious activities." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Stopping an instance directly impacts availability and can be used as part of a larger attack to disrupt services." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], "researchLinks": [ { - "description": "AWS - IAM Enum", - "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" + "description": "Executing commands through EC2 user data", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + }, + { + "description": "Attack Paths Into VMs in the Cloud", + "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" } ], - "securityImplications": "Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.", + "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-roles" + "value": "aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRoles" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StopInstances" }, { - "eventName": "UpdateSAMLProvider", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Updates the metadata document for an existing SAML provider resource object.", + "eventName": "TerminateInstances", + "eventSource": "ec2.amazonaws.com", + 
"awsService": "EC2", + "description": "Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0040 - Impact", + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1485 - Data Destruction", + "T1070 - Indicator Removal" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ - { - "description": "Gaining AWS Persistence by Updating a SAML Identity Provider", - "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5" - } + "mitreAttackSubTechniques": [ + "T1070.004 - Indicator Removal: File Deletion" ], - "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.", - "alerting": [], - "simulation": [ + "unverifiedMitreAttackTechniques": [ { - "type": "commandLine", - "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover" + "technique": "T1489 - Service Stop", + "reason": "Terminating instances disrupts the availability of services hosted on those instances." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Terminating instances can remove defensive tools installed on those instances" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Attackers might terminate instances to free up resources for other malicious activities." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The TerminateInstances API call can be a form of account manipulation when an attacker uses it to interfere with the normal operations of an account. 
By terminating instances, an attacker can disrupt services, remove evidence of their activities, and create obstacles for account recovery. This manipulation ensures that the attacker maintains control over the account\u00e2\u20ac\u2122s activities and resources." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Terminating critical instances can be a form of denial of service against specific endpoints or applications." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "If instance termination leads to data loss or corruption, it can be considered a form of data manipulation." + }, + { + "technique": "T1488 - Disk Wipe", + "reason": "Terminating an instance with attached EBS volumes may result in wiping the data on those volumes if they are deleted as part of the termination process" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider" - }, - { - "eventName": "PutRolePermissionsBoundary", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds or updates the policy that is specified as the IAM role's permissions boundary.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + "description": "Former Cisco engineer sentenced to prison for deleting 16k Webex accounts", + "link": 
"https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/" + }, + { + "description": "Hacker Puts Hosting Service Code Spaces Out of Business", + "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" } ], - "securityImplications": "Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.", + "researchLinks": [], + "securityImplications": "Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover" + "value": "aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary" + "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances" }, { - "eventName": "StartSSO", - "eventSource": "sso.amazonaws.com", - "awsService": "SSO", - "description": "Initialize AWS IAM Identity Center", + "eventName": "CreateCluster", + "eventSource": "ecs.amazonaws.com", + "awsService": "ECS", + "description": "Creates a new Amazon ECS cluster.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1136 - Create Account" + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "The creation of a new cluster could be part of manipulating accounts within AWS, enabling the attacker to maintain control or establish backdoor access." 
+ }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "New ECS clusters can be configured to run tasks at scheduled intervals, which can be used to execute malicious activities regularly." + }, + { + "technique": "T1090 - Proxy", + "reason": "An attacker might use the new ECS cluster to set up an external proxy, which can be used to relay commands and data, aiding in defense evasion and persistent access." + }, + { + "technique": "T1204 - User Execution", + "reason": "Creating an ECS cluster to run container images, which might be malicious, facilitating execution of malicious code in the environment." + }, + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "Creating new ECS clusters is a form of acquiring infrastructure within AWS, which can be used to support further malicious activities." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The cluster could be used to deploy obfuscated code or data, making it harder to detect malicious activities." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Creating a new ECS cluster modifies the cloud compute infrastructure, which can be leveraged for both execution and evasion purposes." + }, + { + "technique": "T1584 - Compromise Infrastructure", + "reason": "Compromising cloud infrastructure to create ECS clusters enables attackers to establish control over resources. This can support further malicious activities, such as launching attacks or maintaining persistence in the environment." + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "An attacker might create a new ECS cluster to host services that exploit vulnerabilities in remote services for lateral movement or further attacks." 
+ } ], "usedInWild": true, "incidents": [ + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, { "description": "New tactics and techniques for proactive threat detection", "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers use StartSSO to establish persistent footholds.", - "alerting": [], + "securityImplications": "Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml" + } + ], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws ecs create-cluster --cluster-name TrailDiscoverCluster" } ], - "permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO" + "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster" }, { - "eventName": "PutUserPermissionsBoundary", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds or updates the policy that is specified as the IAM user's permissions boundary.", + "eventName": "CreateService", + "eventSource": "ecs.amazonaws.com", + "awsService": "ECS", + "description": "Runs and maintains your desired number of tasks from a specified task definition.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS IAM 
Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.", - "alerting": [], - "simulation": [ + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "By creating ECS services, adversaries can execute commands or scripts in the context of containers that run on Unix-based systems" + }, { - "type": "commandLine", - "value": "aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover" + "technique": "T1556 - Modify Authentication Process", + "reason": "The AWS CreateService API call can be used to create tasks that modify authentication processes within a cloud environment." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Match Legitimate Name or Location: An adversary could create services with names that mimic legitimate services to avoid detection." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Malicious ECS tasks could communicate over common web protocols to blend in with normal network traffic." + }, + { + "technique": "T1090 - Proxy", + "reason": "Adversaries might set up a chain of ECS services to act as proxies, hiding their true location." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might create services that deploy obfuscated scripts or binaries to evade detection." + }, + { + "technique": "T1046 - Network Service Discovery", + "reason": "ECS tasks might be used to run discovery scripts to enumerate network services." 
+ }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "Adversaries might create services that exploit vulnerabilities in other services or tasks within the ECS cluster to gain unauthorized access or escalate privileges" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary" - }, - { - "eventName": "ListSAMLProviders", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the SAML provider resource objects defined in IAM in the account.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1087 - Account Discovery" - ], "usedInWild": true, "incidents": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListSAMLProviders to discover if there are SAML providers configured.", + "securityImplications": "Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-saml-providers" + "value": "aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders" + "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateService" }, { - "eventName": "DeleteUserPermissionsBoundary", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the permissions boundary for the specified IAM user.", + "eventName": "RegisterTaskDefinition", + "eventSource": 
"ecs.amazonaws.com", + "awsService": "ECS", + "description": "Registers a new task definition from the supplied family and containerDefinitions.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1496 - Resource Hijacking" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", - "alerting": [], - "simulation": [ + "technique": "T1053 - Scheduled Task/Job", + "reason": "Registering a task definition can be leveraged to create scheduled tasks within ECS, allowing for persistence and automated execution of malicious tasks." + }, { - "type": "commandLine", - "value": "aws iam delete-user-permissions-boundary --user-name TrailDiscover" + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Task definitions could be used to download and execute additional tools or scripts from external sources" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "ECS tasks can be configured to disable or modify security tools within the container environment, aiding in defense evasion." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The task definitions can contain Unix shell commands, facilitating execution of malicious scripts or commands." 
+ }, + { + "technique": "T1036 - Masquerading", + "reason": "Malicious task definitions can be disguised as legitimate ones to evade detection and blend in with normal operations" + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Container definitions within ECS can include obfuscated or packed scripts and binaries, making detection harder." } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary" - }, - { - "eventName": "GetUser", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1087 - Account Discovery" - ], "usedInWild": true, "incidents": [ { - "description": "GotRoot! AWS root Account Takeover", - "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" - }, + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.", + "alerting": [ { - "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetUser to obtain user information.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam get-user --user-name TrailDiscover" + "value": "aws ecs 
register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\"name\":\"bench-container\", \"cpu\":2048, \"memory\":4092 }]'" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetUser" + "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition" }, { - "eventName": "DeleteAccessKey", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the access key pair associated with the specified IAM user.", + "eventName": "DeleteFileSystem", + "eventSource": "elasticfilesystem.amazonaws.com", + "awsService": "elasticfilesystem", + "description": "Deletes a file system, permanently severing access to its contents.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1070 - Indicator Removal" + "T1485 - Data Destruction" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1070 - Indicator Removal", + "reason": "Deleting an EFS file system removes all its contents, including logs and other forensic evidence, effectively erasing any indicators of malicious activity. This action helps attackers avoid detection by eliminating traces of their presence in the environment." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1565 - Data Manipulation", + "reason": "Deleting an EFS file system alters the state of stored data by permanently removing it. This can disrupt operations and affect data integrity, making it a significant form of data manipulation." 
+ }, + { + "technique": "T1107 - File Deletion", + "reason": "File deletion focuses on the removal of files to impact data availability or to hide malicious activity. Deleting a file system in AWS EFS results in the removal of all files and directories within that file system." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS EFS File System or Mount Deleted", + "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html" + } + ], + "securityImplications": "Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover" + "value": "aws efs delete-file-system --file-system-id fs-c7a0456e" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey" + "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem" }, { - "eventName": "DeleteUser", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the specified IAM user.", + "eventName": "DeleteMountTarget", + "eventSource": "elasticfilesystem.amazonaws.com", + "awsService": "elasticfilesystem", + "description": "Deletes the specified mount target.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1070 - Indicator Removal" + "T1485 - Data Destruction" ], - 
"usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1562 - Impair Defenses", + "reason": "Removing a mount target may disrupt monitoring or defense mechanisms that rely on the file system for logging or other security functions." }, { - "description": "Insider Threat Risks to Flat Environments", - "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf" - }, + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the mount target and the associated network interface, traces and logs of malicious activity stored on the file system may be removed, aiding in defense evasion." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "description": "AWS EFS File System or Mount Deleted", + "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html" + } + ], + "securityImplications": "Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. 
Also, it can be used to delete previously used users to avoid detection.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-user --user-name TrailDiscover" + "value": "aws efs delete-mount-target --mount-target-id fsmt-f9a14450" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUser" + "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget" }, { - "eventName": "AttachRolePolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.", + "eventName": "AssociateAccessPolicy", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Associates an access policy and its scope to an access entry.", "mitreAttackTactics": [ "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - } - ], - "researchLinks": [ + "technique": "T1078 - Valid Accounts", + "reason": "By associating an access policy, attackers can use legitimate credentials to access the system, either by modifying existing ones or changing permissions." + }, { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "technique": "T1543 - Create or Modify System Process", + "reason": "Associating an access policy can be used to modify the permissions of processes within the EKS environment, ensuring the attacker retains control or gains elevated privileges for their processes." 
+ }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Associating access policies can assist attackers in evading detection by allowing them to remove or alter logs and other indicators that track account and permission changes, thereby obscuring their activities." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Modifying access policies might allow attackers to gain access to sensitive areas of the system where they can extract credentials." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Associating new access policies can help attackers use application layer protocols more effectively to communicate with compromised systems, especially if these policies grant access to necessary network services." } ], - "securityImplications": "Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.", - "alerting": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" } ], + "securityImplications": "Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role" + "value": "aws eks associate-access-policy --cluster-name beta-fish --principal-arn 
arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy" }, { - "eventName": "CreateOpenIDConnectProvider", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)", + "eventName": "CreateAccessEntry", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Creates an access entry.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1136 - Create Account" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1078 - Valid Accounts", + "reason": "Creating an access entry for an IAM principal can establish valid credentials that can be used for access." 
} ], - "researchLinks": [], - "securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + } + ], + "securityImplications": "Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'" + "value": "aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry" }, { - "eventName": "SetDefaultPolicyVersion", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Sets the specified version of the specified policy as the policy's default (operative) version.", + "eventName": "DescribeAccessEntry", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Describes an access entry.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The DescribeAccessEntry API call can be used to identify access permissions and configurations within the EKS service, revealing 
which cloud services are in use. This information helps attackers understand the cloud environment and potential targets." + }, + { + "technique": "T1587 - Develop Capabilities", + "reason": "Access information can aid in developing tailored malware that exploits specific permissions or configurations discovered within EKS." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" } ], - "securityImplications": "Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.", + "securityImplications": "Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2" + "value": "aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry" }, { - "eventName": "AttachUserPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Attaches the specified managed policy to the specified user.", + "eventName": "DescribeCluster", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Describes an Amazon EKS cluster.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account 
Manipulation" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1087 - Account Discovery", + "reason": "Information from DescribeCluster can reveal IAM roles and identities associated with the cluster, aiding in the discovery of accounts." }, { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + "technique": "T1069 - Permission Groups Discovery", + "reason": "The DescribeCluster call might include details about Kubernetes RBAC roles and permissions, helping to discover privilege groups." }, { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1082 - System Information Discovery", + "reason": "The DescribeCluster API reveals extensive system information about the EKS cluster, such as Kubernetes version, endpoint, and VPC configuration, aiding in system information discovery." 
}, { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1482 - Domain Trust Discovery", + "reason": "The DescribeCluster call can provide insights into how the cluster is integrated with other AWS services and trust relationships, such as IAM roles and policies" } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.", - "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" } ], + "securityImplications": "Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" + "value": "aws eks describe-cluster --name TrailDiscoverCluster" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeCluster" }, { - "eventName": "CreateGroup", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a new group.", + "eventName": 
"ListAssociatedAccessPolicies", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Lists the access policies associated with an access entry.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery - Cloud Account", + "reason": "Listing associated access policies allows adversaries to discover the cloud accounts associated with those policies, identifying potential targets" + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By listing the access policies, adversaries can discern the permission groups within the EKS cluster, aiding in understanding the permissions and roles configured." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Listing access policies helps map out the services and permissions in use, aiding in reconnaissance efforts to identify potential targets and vulnerabilities." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "By listing associated access policies, adversaries might identify misconfigurations or unsecured credentials that can be exploited to gain further access." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Group Creation", - "link": "https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html" + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" } ], - "securityImplications": "Attackers use CreateGroup to create a group that they can use to escalate privileges.", + "securityImplications": "Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-group --group-name TrailDiscover" + "value": "aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateGroup" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies" }, { - "eventName": "ListAttachedRolePolicies", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists all managed policies that are attached to the specified IAM role.", + "eventName": "ListClusters", + "eventSource": "eks.amazonaws.com", + "awsService": "EKS", + "description": "Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + 
"technique": "T1526 - Cloud Service Discovery", + "reason": "Listing EKS clusters helps adversaries understand the cloud services being used and their configurations." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By listing clusters, attackers can infer the structure and number of accounts that manage these resources." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Knowing the clusters can help adversaries understand shared network resources within the EKS environment." + }, + { + "technique": "T1007 - Network Service Scanning", + "reason": "Identifying clusters can help adversaries in mapping the network services exposed by these clusters." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Identifying clusters helps in understanding the internal network architecture and relationships." } ], - "researchLinks": [], - "securityImplications": "Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + } + ], + "securityImplications": "Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint potential targets for subsequent attacks.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-attached-role-policies --role-name TrailDiscover" + "value": "aws eks list-clusters" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies" + "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListClusters" }, { - "eventName": "PutUserPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds or updates an inline policy document that is 
embedded in the specified IAM user.", + "eventName": "CreateRule", + "eventSource": "elasticloadbalancing.amazonaws.com", + "awsService": "ELBv2", + "description": "Creates a rule for the specified listener.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1578 - Modify Cloud Compute Infrastructure" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1203 - Exploitation for Client Execution", + "reason": "By creating a malicious rule that directs traffic to a compromised endpoint, an attacker could exploit vulnerabilities in client applications to execute malicious code." }, { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + "technique": "T1190 - Exploit Public-Facing Application", + "reason": "By modifying or creating new rules, an attacker could exploit vulnerabilities in the public-facing application load balancer to gain initial access." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" - } - ], - "researchLinks": [ + "technique": "T1071 - Application Layer Protocol", + "reason": "Creating rules that redirect traffic to malicious servers using HTTP/S or mail protocols for command and control communication." 
+ }, { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.", - "alerting": [ + "technique": "T1562 - Impair Defenses", + "reason": "Rules could be used to disable security controls or modify traffic patterns to evade detection tools and logs." + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Rules can be set to allow the transfer of malicious tools or payloads through the load balancer to a compromised system." }, { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml" - } - ], - "simulation": [ + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers can create rules that handle or route traffic in a manner that uses encoded or obfuscated data. This can include routing traffic to endpoints that encrypt the data payloads or encode commands to be less conspicuous" + }, { - "type": "commandLine", - "value": "aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}" + "technique": "T1070 - Indicator Removal", + "reason": "Rules could be used to route traffic in ways that delete or bypass log files to avoid detection." + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Creating rules that direct traffic to perform unauthorized actions like cryptocurrency mining or other forms of resource hijacking." 
} ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy" - }, - { - "eventName": "ListServiceSpecificCredentials", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Returns information about the service-specific credentials associated with the specified IAM user.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1087 - Account Discovery" - ], - "usedInWild": true, - "incidents": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", + "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" } ], - "researchLinks": [], - "securityImplications": "Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.", + "securityImplications": "Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com" + "value": "aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions '[{}]'" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials" + "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule" }, { - "eventName": 
"DeleteRolePermissionsBoundary", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the permissions boundary for the specified IAM role.", + "eventName": "DescribeListeners", + "eventSource": "elasticloadbalancing.amazonaws.com", + "awsService": "ELBv2", + "description": "Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "By describing listeners, an adversary could identify configurations and attributes related to the load balancer, which may include discovering IAM roles or users with specific permissions." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Describing listeners provides details about the services exposed by the load balancer, which helps in scanning and understanding the network topology." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Querying listener details can reveal information about the permissions and roles associated with the load balancer, providing insight into group policies." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Load balancers typically handle various application layer protocols, and knowing listener configurations can assist in crafting command and control channels over allowed protocols." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", + "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" } ], - "securityImplications": "Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", + "securityImplications": "Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-role-permissions-boundary --role-name trail-discover" + "value": "aws elbv2 describe-listeners" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary" + "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners" }, { - "eventName": "ListRolePolicies", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the names of the inline policies that are embedded in the specified IAM role.", + "eventName": "DescribeLoadBalancers", + "eventSource": "elasticloadbalancing.amazonaws.com", + "awsService": "ELBv2", + "description": "Describes the specified load balancers or all of your load balancers.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1526 - Cloud Service Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": 
"T1580 - Cloud Infrastructure Discovery", + "reason": "The DescribeLoadBalancers API call directly provides information about the cloud infrastructure, specifically the load balancers, which can be used to understand the deployment and configurations of network resources in the cloud." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Describing load balancers allows an adversary to obtain details on how network traffic is managed and routed within the cloud environment. This information can reveal critical network components and their configurations." + }, + { + "technique": "T1046 - Network Service Discovery", + "reason": "Describing load balancers can reveal the network services that are being managed by these load balancers, including ports, protocols, and the IP ranges used, which are crucial for understanding the network service layout." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "Load balancers often manage external access to services. By describing them, an adversary can identify the external endpoints and understand how remote services are being accessed and managed." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "The DescribeLoadBalancers API call can provide information on how load balancers are configured across different domains, revealing trust relationships and how traffic is managed between different parts of the network." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", + "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" + } + ], + "securityImplications": "Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-role-policies --role-name TrailDiscover" + "value": "aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies" + "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers" }, { - "eventName": "PutGroupPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds or updates an inline policy document that is embedded in the specified IAM group.", + "eventName": "DeleteRule", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Deletes the specified rule.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0040 - Impact", + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1489 - Service Stop", + "T1578 - Modify Cloud Compute Infrastructure" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting a rule, attackers can remove evidence of malicious activity." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers might delete rules to alter the behavior of scheduled tasks, maintaining persistence. 
By manipulating accounts and associated rules, they ensure their malicious processes can run without interruption or detection." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Deleting rules can weaken security monitoring by removing triggers that would generate alerts, effectively blinding security teams to ongoing malicious activities. This action allows attackers to operate with reduced risk of detection, making further exploitation easier." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.", - "alerting": [ + "description": "AWS EventBridge Rule Disabled or Deleted", + "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html" + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "AWS EventBridge rule disabled or deleted", + "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/" } ], + "securityImplications": "Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover" + "value": "aws events delete-rule --name TrailDiscoverRule" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy" + "permissions": "https://aws.permissions.cloud/iam/events#events-DeleteRule" }, { - "eventName": "ChangePassword", - "eventSource": 
"iam.amazonaws.com", - "awsService": "IAM", - "description": "Changes the password of the IAM user who is calling this operation.", + "eventName": "DisableRule", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Disables the specified rule.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0040 - Impact", + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1136 - Create Account", - "T1078 - Valid Accounts" + "T1489 - Service Stop", + "T1578 - Modify Cloud Compute Infrastructure" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Disabling a rule can be used to impair defenses by preventing the triggering of certain automated responses or detections." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "T1531 - Account Access Removal" + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Disabling a rule can be a part of removing evidence of the attack by stopping logging and monitoring for certain activities, which helps in evading detection." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS CloudTrail cheat sheet", - "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet" + "description": "AWS EventBridge Rule Disabled or Deleted", + "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html" }, { - "description": "IAM User Changes Alarm", - "link": "https://asecure.cloud/a/cwalarm_iam_user_changes/" + "description": "AWS EventBridge rule disabled or deleted", + "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/" } ], - "securityImplications": "Attackers might use ChangePassword to alter user credentials.", + "securityImplications": "Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam change-password --old-password TrailDiscover --new-password TrailDiscover" + "value": "aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ChangePassword" + "permissions": "https://aws.permissions.cloud/iam/events#events-DisableRule" }, { - "eventName": "CreateLoginProfile", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.", + "eventName": "ListRules", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Lists your Amazon EventBridge rules. 
You can either list all the rules or you can provide a prefix to match to the rule names.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1078 - Valid Accounts" + "T1526 - Cloud Service Discovery" ], - "usedInWild": true, - "incidents": [ - { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By using ListRules to view the configuration of EventBridge rules, an adversary gains understanding of the event-driven workflows and integrations within the target's AWS environment. This can reveal insights into operational processes and potential areas for deeper exploration or exploitation." }, { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1082 - System Information Discovery", + "reason": "Listing rules helps attackers understand what events are being monitored, giving insight into the environment." 
}, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1069 - Permission Groups Discovery", + "reason": "By examining the conditions and targets of EventBridge rules, attackers can infer the roles and permissions required to trigger these rules, which might provide insights into permission configurations and potential privilege escalation paths." }, { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "technique": "T1018 - Remote System Discovery", + "reason": "Identifying EventBridge rules can help attackers understand the configuration and interconnectivity of remote systems and services in the environment." }, { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1482 - Domain Trust Discovery", + "reason": "Listing rules may reveal integrations and trust relationships with other domains or AWS accounts, aiding in the mapping of domain trust paths." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, - { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - }, - { - "description": "AWS IAM Persistence Methods", - "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" - } - ], - "securityImplications": "Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.", - "alerting": [ - { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], + "securityImplications": "Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile" + "value": "aws events list-rules --name-prefix TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile" + "permissions": "https://aws.permissions.cloud/iam/events#events-ListRules" }, { - "eventName": "CreateUser", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a new IAM user for your AWS account.", + "eventName": "ListTargetsByRule", + "eventSource": 
"events.amazonaws.com", + "awsService": "events", + "description": "Lists the targets assigned to the specified rule.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1136 - Create Account" + "T1526 - Cloud Service Discovery" ], - "usedInWild": true, - "incidents": [ - { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, - { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" - }, - { - "description": "Responding to an attack in AWS", - "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac" - }, - { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" - }, - { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" - }, - { - "description": "Trouble in Paradise", - "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" - }, - { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" - }, - { - "description": "Exposed long-lived access key resulted in unauthorized access", - "link": "https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", - "link": "https://sysdig.com/blog/scarleteel-2-0/" + "technique": "T1007 - System Service Discovery", + "reason": "Attackers can use this API call to discover information about targets assigned to specific rules within the AWS 
EventBridge service, providing insights into potentially vulnerable or interesting systems." }, { - "description": "Insider Threat Risks to Flat Environments", - "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf" + "technique": "T1087 - Account Discovery", + "reason": "By listing targets assigned to rules, an attacker can gather information about AWS accounts and their configurations, aiding in understanding the environment and potential attack paths." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1046 - Network Service Scanning", + "reason": "Understanding the targets associated with EventBridge rules allows an attacker to potentially identify network services that could be targeted for further exploration or exploitation." }, { - "description": "Sendtech Pte. Ltd", - "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en" + "technique": "T1018 - Remote System Discovery", + "reason": "The API call provides information about remote systems (AWS resources) that are targeted by specific rules, aiding attackers in identifying potential entry points into the environment." }, { - "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", - "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + "technique": "T1033 - System Owner/User Discovery", + "reason": "Listing targets by rule in EventBridge can reveal details about the users or roles associated with those resources. This information helps attackers identify key personnel or accounts with access, aiding in targeted attacks or privilege escalation efforts." 
}, { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1057 - Process Discovery", + "reason": "The ListTargetsByRule call can be used to discover the targets (potentially processes or functions) that are triggered by specific CloudWatch rules, helping attackers understand what processes might be running in the environment." }, { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "technique": "T1087 - Account Discovery", + "reason": "By understanding the targets associated with specific rules, attackers might infer the existence of certain IAM roles or accounts that have the permissions to execute these targets." }, { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1069 - Permission Groups Discovery", + "reason": "By listing the targets of rules, attackers can identify which resources and permissions are associated with specific rules, aiding in understanding the permission structures." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Creating a new IAM user", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/" - }, - { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, - { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" - } - ], - "securityImplications": "Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges within AWS environments by creating new IAM users with strategic permissions.", - "alerting": [ - { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], + "securityImplications": "Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-user --user-name TrailDiscover" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" + "value": "aws events list-targets-by-rule --rule TrailDiscoverRule" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateUser" + "permissions": "https://aws.permissions.cloud/iam/events#events-ListTargetsByRule" }, { - "eventName": "ListSigningCertificates", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", 
- "description": "Returns information about the signing certificates associated with the specified IAM user.", + "eventName": "PutRule", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Creates or updates the specified rule.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact", + "TA0005 - Defense Evasion", + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1489 - Service Stop", + "T1578 - Modify Cloud Compute Infrastructure", + "T1546 - Event Triggered Execution" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use ListSigningCertificates to review which users have active certificates", - "alerting": [], - "simulation": [ + "technique": "T1205 - Traffic Signaling", + "reason": "EventBridge rules can be configured to trigger signals that facilitate command and control communication, masking malicious traffic as legitimate event triggers." + }, { - "type": "commandLine", - "value": "aws iam list-signing-certificates --user-name traildiscover" - } - ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates" - }, - { - "eventName": "ListInstanceProfiles", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists the instance profiles that have the specified path prefix. 
If there are none, the operation returns an empty list.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1087 - Account Discovery" - ], - "usedInWild": true, - "incidents": [ + "technique": "T1053 - Scheduled Task/Job: Scheduled Task", + "reason": "Creating or updating EventBridge rules can schedule tasks or jobs that perform malicious activities without user intervention." + }, { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.", - "alerting": [], - "simulation": [ + "technique": "T1070 - Indicator Removal", + "reason": "By manipulating EventBridge rules, attackers can potentially alter the flow of logs and events to hide their activities." + }, { - "type": "commandLine", - "value": "aws iam list-instance-profiles" + "technique": "T1562 - Impair Defenses", + "reason": "By updating EventBridge rules, attackers can disable or modify security tools and alerts, impairing defenses and ensuring continued access." 
} ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles" - }, - { - "eventName": "DetachUserPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Removes the specified managed policy from the specified user.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion", - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1098 - Account Manipulation" - ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } - ], - "securityImplications": "Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.", - "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], + "securityImplications": "Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy" + "value": "aws events put-rule --name TrailDiscoverRule --schedule-expression 
'rate(5 minutes)' --state ENABLED --description \"TrailDiscover rule\"" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy" + "permissions": "https://aws.permissions.cloud/iam/events#events-PutRule" }, { - "eventName": "ListSSHPublicKeys", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Returns information about the SSH public keys associated with the specified IAM user.", + "eventName": "PutTargets", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1546 - Event Triggered Execution" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution" }, { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1098 - Account Manipulation", + "reason": "An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution" + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "The attacker could configure targets that download and execute malicious tools, facilitating further exploitation." 
+ }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "If targets are added to an event rule to trigger actions like archiving (e.g., invoking a Lambda function to zip and store data in an S3 bucket), this can be used to collect and prepare data for later exfiltration." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "The attacker could configure targets to delete logs or other indicators of compromise upon execution, aiding in defense evasion" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "An attacker could create or modify a target to execute a particular payload or exploit code on services that are automatically triggered by the event, which might lead to exploiting client applications or services." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.", + "securityImplications": "Attackers might use PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-ssh-public-keys --user-name TrailDiscover" + "value": "aws events put-targets --rule TrailDiscoverLambdaFunction --targets \"Id\"=\"1\",\"Arn\"=\"arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\"" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys" + "permissions": "https://aws.permissions.cloud/iam/events#events-PutTargets" }, { - "eventName": "ListOpenIDConnectProviders", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects 
defined in the AWS account.", + "eventName": "RemoveTargets", + "eventSource": "events.amazonaws.com", + "awsService": "events", + "description": "Removes the specified targets from the specified rule.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact", + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1489 - Service Stop", + "T1578 - Modify Cloud Compute Infrastructure" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1098 - Account Manipulation", + "reason": "Manipulating EventBridge rules by removing targets can alter the capabilities and behaviors of accounts without directly deleting them." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Removing security monitoring targets from EventBridge rules can impair defenses by preventing certain security actions from being triggered." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + } + ], + "securityImplications": "Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam list-open-id-connect-providers" + "value": "aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders" + "permissions": "https://aws.permissions.cloud/iam/events#events-RemoveTargets" }, { - "eventName": "PutRolePolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", + "eventName": "CreateDevEndpoint", + "eventSource": "glue.amazonaws.com", + "awsService": "Glue", + "description": "Creates a new development endpoint.", "mitreAttackTactics": [ "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1133 - External Remote Services", + "reason": "Development endpoints can be accessed remotely, providing a vector for persistent remote access by attackers." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
@@ -3970,1197 +7376,1564 @@ "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.", + "securityImplications": "Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.", "alerting": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}" + "value": "aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy" + "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint" }, { - "eventName": "CreateRole", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Creates a new role for your AWS account.", + "eventName": "CreateJob", + "eventSource": "glue.amazonaws.com", + "awsService": "Glue", + "description": "Creates a new job definition.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1136 - Create Account" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet", - "link": 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Glue jobs can be defined to execute Python scripts for various data manipulation tasks." }, { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1560 - Archive Collected Data", + "reason": "Glue jobs can be used to collect, compress, and store large datasets, which can later be exfiltrated." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Job definitions may include obfuscated scripts or commands to avoid detection." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Glue jobs can be configured to stage data in S3 buckets, making it easier for exfiltration." + }, + { + "technique": "T1083 - File and Directory Discovery", + "reason": "Glue jobs can be scripted to discover and list files and directories in S3 or other storage services." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Glue jobs might be used to exfiltrate data using DNS queries, a method that can bypass some network monitoring tools. Python or Java jobs are extremely likely to do this. Glue jobs can send data over HTTP/S, facilitating communication with external servers for command and control or exfiltration" + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Glue jobs can be created to download and execute additional scripts or tools from external sources." + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Data processed by Glue jobs can be moved to external cloud storage for exfiltration purposes." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "Glue jobs might access files containing credentials, which can then be exfiltrated." 
} ], - "researchLinks": [], - "securityImplications": "Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role" + "value": "aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\"--job-language\": \"python\"}'" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateRole" + "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateJob" }, { - "eventName": "DeleteLoginProfile", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deletes the password for the specified IAM user.", + "eventName": "UpdateDevEndpoint", + "eventSource": "glue.amazonaws.com", + "awsService": "Glue", + "description": "Updates a specified development endpoint.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1070 - Indicator Removal" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD 
THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Glue allows the use of Python scripts - updating the endpoint could change the scripts to execute arbitrary code directly in the development environment." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Adversaries may update the endpoint to include scripts that delete logs or other files, helping to evade detection." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Updates could involve obfuscated scripts or configurations to hide malicious code and evade detection mechanisms" + }, + { + "technique": "T1036 - Masquerading", + "reason": "Adversaries could update the endpoint to masquerade malicious activities as legitimate by matching names or locations." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. 
Also, it might be used to delete a previously added profile to avoid detection.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam delete-login-profile --user-name TrailDiscover" + "value": "aws glue update-dev-endpoint --endpoint-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile" + "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint" }, { - "eventName": "AddRoleToInstanceProfile", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Adds the specified IAM role to the specified instance profile.", + "eventName": "UpdateJob", + "eventSource": "glue.amazonaws.com", + "awsService": "Glue", + "description": "Updates an existing job definition.", "mitreAttackTactics": [ "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1036 - Masquerading", + "reason": "Adversaries can modify the job definition to make the job appear legitimate, effectively hiding malicious activities within a seemingly benign job." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Updating a job definition can include instructions to remove or alter logs and other artifacts, helping adversaries evade detection." + }, + { + "technique": "T1480 - Execution Guardrails", + "reason": "Adversaries can update the job definition to include specific conditions or constraints, ensuring the job only executes under certain circumstances, which helps in evading detection." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "Adversaries can alter the job definition to manipulate data processed by the Glue job, affecting the integrity and outcome of the data workflows." 
+ }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "By altering job definitions, adversaries can repurpose AWS Glue jobs for their own computational needs, impacting the resource allocation of the environment." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)", - "link": "https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.", + "securityImplications": "Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover" + "value": "aws glue update-job --job-name TrailDiscoverJob --job-update '{\"Role\": \"TrailDiscoverRole\", \"Command\": {\"Name\": \"glueetl\", \"ScriptLocation\": \"s3://mybucket/myscript.py\"}}'" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile" + "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateJob" }, { - "eventName": "DeactivateMFADevice", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.", + "eventName": "CreateFilter", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Creates a filter using the specified finding criteria.", "mitreAttackTactics": [ "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ "T1562 - 
Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Deactivation of MFA Device", - "link": "https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.", + "securityImplications": "Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice" + "value": "aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\"Criterion\": {\"service.action.actionType\": {\"Eq\": [\"TrailDiscover\"]}}}' --action NOOP" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter" }, { - "eventName": "AttachGroupPolicy", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Attaches the specified managed policy to the specified IAM group.", + "eventName": "CreateIPSet", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Creates a new IPSet, which is called a trusted IP list in the console user interface.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1562 - Impair Defenses" + ], + 
"mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Adding an IP address to a trusted list effectively removes the monitoring of network traffic and activities associated with that IP, making it undetectable by GuardDuty, similar to how indicator removal hides evidence of malicious activity." + }, + { + "technique": "T1090 - Proxy", + "reason": "Adversaries may use a proxy to route their traffic through trusted IP addresses added to the IPSet, thereby evading detection and maintaining persistence." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.", + "securityImplications": "Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.", "alerting": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover" + "value": "aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate" } ], - "permissions": 
"https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet" }, { - "eventName": "GetLoginProfile", - "eventSource": "iam.amazonaws.com", - "awsService": "IAM", - "description": "Retrieves the user name for the specified IAM user.", + "eventName": "DeleteDetector", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Deletes an Amazon GuardDuty detector that is specified by the detector ID.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting the GuardDuty detector can be part of a larger strategy to destroy or manipulate security configurations and logs, impacting the integrity of the security monitoring system." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.", - "alerting": [ + "researchLinks": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" + "description": "AWS GuardDuty detector deleted", + "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/" + }, + { + "description": "AWS GuardDuty Evasion", + "link": "https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1" + }, + { + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], + "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws iam get-login-profile --user-name TrailDiscover" + "value": "aws guardduty delete-detector --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector" }, { - "eventName": "GetSecretValue", - "eventSource": "secretsmanager.amazonaws.com", - 
"awsService": "SecretsManager", - "description": "Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.", + "eventName": "DeleteInvitations", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.", "mitreAttackTactics": [ - "TA0006 - Credential Access" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1555 - Credentials from Password Stores" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools", + "T1562.006 - Impair Defenses: Indicator Blocking" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting GuardDuty invitations can be seen as a form of defense evasion by removing traces of an invitation that might otherwise be used for investigative purposes. Invitations could be used by security teams to track and verify legitimate connections between AWS accounts. By removing these invitations, the adversary might prevent the detection of unauthorized or suspicious account activities." 
+ } ], "usedInWild": true, "incidents": [ { "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" - }, - { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" - }, - { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.", + "securityImplications": "Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId" + "value": "aws guardduty delete-invitations --account-ids 111222333444" + } + ], + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations" + }, + { + "eventName": "DeleteMembers", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.", + "mitreAttackTactics": [ + "TA0005 - Defense Evasion" + ], + "mitreAttackTechniques": [ + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting GuardDuty member accounts can prevent legitimate accounts from getting data from member accounts, thus disrupting monitoring and security alerts." 
}, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets" + "technique": "T1070 - Indicator Removal", + "reason": "By deleting member accounts, logs and other related files might be purged or altered, aiding in hiding the malicious activities." }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets" + "technique": "T1098 - Account Manipulation", + "reason": "Deleting GuardDuty member accounts involves altering account configurations, potentially changing access controls or permissions. This action can disrupt security monitoring and allow unauthorized activities to go undetected." } ], - "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue" + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + } + ], + "securityImplications": "Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId" + } + ], + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers" }, { - "eventName": "DescribeSecret", - "eventSource": "secretsmanager.amazonaws.com", - "awsService": "SecretsManager", - "description": "Retrieves the details of a secret.", + "eventName": "DeletePublishingDestination", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Deletes the publishing definition with the specified destinationId.", "mitreAttackTactics": [ - "TA0006 - Credential Access" + "TA0005 - 
Defense Evasion" ], "mitreAttackTechniques": [ - "T1555 - Credentials from Password Stores" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1565 - Data Manipulation", + "reason": "By deleting the publishing destination, critical security findings are not reported, which can be seen as manipulating the availability of security data and hindering incident response efforts." } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + } + ], + "securityImplications": "Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws secretsmanager describe-secret --secret-id TrailDiscover" + "value": "aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId" } ], - "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination" }, { - "eventName": "ListSecrets", - "eventSource": "secretsmanager.amazonaws.com", - "awsService": "SecretsManager", - "description": "Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.", + "eventName": 
"DisassociateFromMasterAccount", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Disassociates the current GuardDuty member account from its administrator account.", "mitreAttackTactics": [ - "TA0006 - Credential Access" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1555 - Credentials from Password Stores" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1098 - Account Manipulation", + "reason": "This involves actions taken to manipulate accounts to maintain access or evade detection. Disassociating the GuardDuty member account from its master account can be seen as a form of account manipulation to avoid centralized logging and monitoring." }, { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" - }, + "technique": "T1531 - Account Access Removal", + "reason": "Disassociating from the master account effectively removes the centralized management and monitoring capabilities, making it harder to regain control or visibility over the account." 
+ } + ], + "usedInWild": true, + "incidents": [ { - "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" - }, + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + } + ], + "researchLinks": [ { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use ListSecrets to list all the secrets and potentially access to them later.", + "securityImplications": "Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws secretsmanager list-secrets" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets" + "value": "aws guardduty disassociate-from-master-account --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount" }, { - "eventName": "CreateUser", - "eventSource": "transfer.amazonaws.com", - "awsService": "TransferFamily", - "description": "Creates a user and associates them with an existing file transfer protocol-enabled server.", + "eventName": "DisassociateMembers", 
+ "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1562 - Impair Defenses" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1531 - Account Access Removal", + "reason": "By disassociating member accounts, an adversary could remove access to GuardDuty for specific accounts, reducing the ability to detect and respond to malicious activities." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Disassociating member accounts might effectively stop the GuardDuty service from monitoring those accounts, similar to stopping a security service to avoid detection." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use CreateUser to use the Transfer Family service.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + } + ], + "securityImplications": "Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws transfer create-user --server-id s-1234567890abcdef0 --user-name TrailDiscover --role arn:aws:iam::123456789012:role/TrailDiscover --home-directory /TrailDiscover" + "value": "aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds" } ], - "permissions": "https://aws.permissions.cloud/iam/transfer#transfer-CreateUser" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers" }, - { - "eventName": "CreateServer", - "eventSource": "transfer.amazonaws.com", - "awsService": "TransferFamily", - "description": "Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.", + { + "eventName": "GetDetector", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Retrieves an Amazon GuardDuty detector specified by the detectorId.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving a GuardDuty detector provides information about the security monitoring and configurations in the AWS environment." 
+ }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Accessing the GuardDuty detector can give insights into the cloud infrastructure setup and the security measures in place." + } ], "usedInWild": true, "incidents": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.", + "securityImplications": "Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED" + "value": "aws guardduty get-detector --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/transfer#transfer-CreateServer" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector" }, { - "eventName": "DescribeLoadBalancers", - "eventSource": "elasticloadbalancing.amazonaws.com", - "awsService": "ELBv2", - "description": "Describes the specified load balancers or all of your load balancers.", + "eventName": "GetFindings", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Returns a list of findings that match the specified criteria.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive 
Data", - "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" + "technique": "T1057 - Process Discovery", + "reason": "Adversaries can use the findings to discover details about processes running on compromised instances, aiding them in identifying and targeting specific processes for further exploitation." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "An adversary can identify findings that indicate automated data exfiltration activities, allowing them to understand what methods were detected and possibly refine their tactics." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Analyzing findings can help adversaries discover details about the cloud infrastructure, such as the types of resources and their configurations, aiding in planning further attacks." } ], - "securityImplications": "Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.", + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetFindings to identify if previous actions generated alerts.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer" + "value": "aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds" } ], - "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings" }, { - "eventName": "DescribeListeners", - "eventSource": "elasticloadbalancing.amazonaws.com", - "awsService": "ELBv2", - "description": "Describes the specified 
listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.", + "eventName": "ListDetectors", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Lists detectorIds of all the existing Amazon GuardDuty detector resources.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Knowledge of detector IDs can guide attackers in identifying monitored versus unmonitored cloud assets, facilitating targeted reconnaissance on less protected resources." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], "researchLinks": [ { - "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", - "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.", + "securityImplications": "Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws elbv2 describe-listeners" + "value": "aws guardduty list-detectors" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" } ], - "permissions": 
"https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors" }, { - "eventName": "CreateRule", - "eventSource": "elasticloadbalancing.amazonaws.com", - "awsService": "ELBv2", - "description": "Creates a rule for the specified listener.", + "eventName": "ListFindings", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Lists GuardDuty findings for the specified detector ID.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure" + "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", - "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994" + "technique": "T1057 - Process Discovery", + "reason": "By retrieving and analyzing finding IDs, attackers can discover details about processes associated with GuardDuty findings, helping them understand which processes were flagged and why." 
} ], - "securityImplications": "Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.", + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListFindings to identify if previous actions generated alerts.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions '[{}]'" + "value": "aws guardduty list-findings --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings" }, { - "eventName": "AssociateAccessPolicy", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": "Associates an access policy and its scope to an access entry.", + "eventName": "ListIPSets", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Lists the IPSets of the GuardDuty service specified by the detector ID.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Listing IPSets provides insights into the network's structure and the external IPs that are considered trusted or 
monitored. This information is crucial for attackers to map out the network and plan their actions accordingly." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "By accessing the list of IPSets, attackers can understand the network configuration, including which IP addresses are allowed or blocked. This helps in identifying potential weak points or entry points into the network." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.", + "securityImplications": "Attackers might use ListIPSets to identify what IPs won't generate an alert.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks associate-access-policy --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster" + "value": "aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets" }, { - "eventName": "ListAssociatedAccessPolicies", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": "Lists the access policies associated with an access entry.", + "eventName": "StopMonitoringMembers", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Stops GuardDuty monitoring for the 
specified member accounts.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1489 - Service Stop", + "reason": "Stopping GuardDuty monitoring is an example of halting a service, which can impact the overall security monitoring and incident response capabilities." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" } ], - "securityImplications": "Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.", + "securityImplications": "Attackers might use StopMonitoringMembers to halt the surveillance of specific AWS accounts, reducing security visibility.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" + "value": "aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers" }, { - "eventName": "ListClusters", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": "Lists the Amazon EKS clusters in your AWS account in the 
specified AWS Region.", + "eventName": "UpdateDetector", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Updates the GuardDuty detector specified by the detectorId.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker may update the GuardDuty detector to avoid detection by altering or hiding security logs and alarms" + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint potential targets for subsequent attacks.", + "securityImplications": "Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks list-clusters" + "value": "aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListClusters" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector" }, { - "eventName": "DescribeAccessEntry", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": "Describes an access entry.", + "eventName": 
"UpdateIPSet", + "eventSource": "guardduty.amazonaws.com", + "awsService": "GuardDuty", + "description": "Updates the IPSet specified by the IPSet ID.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1562 - Impair Defenses" + ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070.004 - Indicator Removal", + "reason": "Modifying an IPSet can remove IPs that would otherwise generate security findings, thus evading detection." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Modify GuardDuty Configuration", + "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" } ], - "securityImplications": "Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.", + "securityImplications": "Attackers might use UpdateIPSet to modify the IP address filters, potentially allowing malicious traffic to bypass detection.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" + "value": "aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry" + "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateIPSet" }, { - "eventName": "DescribeCluster", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": 
"Describes an Amazon EKS cluster.", + "eventName": "AddRoleToInstanceProfile", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds the specified IAM role to the specified instance profile.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [ + "T1098.001 - Account Manipulation: Additional Cloud Credentials" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1068 - Exploitation for Privilege Escalation", + "reason": " - Exploitation for Privilege Escalation" + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)", + "link": "https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5" } ], - "securityImplications": "Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.", + "securityImplications": "Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks describe-cluster --name TrailDiscoverCluster" + "value": "aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeCluster" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile" }, { - "eventName": "CreateAccessEntry", - "eventSource": "eks.amazonaws.com", - "awsService": "EKS", - "description": "Creates an access entry.", + "eventName": "AddUserToGroup", + 
"eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds the specified user to the specified group.", "mitreAttackTactics": [ "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Adding a user to a group with elevated permissions can allow the user to maintain access to the AWS environment with legitimate credentials." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "New attack vectors in EKS", - "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.", + "securityImplications": "Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover" + "value": "aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup" }, { - "eventName": "Search", - "eventSource": "resource-explorer-2.amazonaws.com", - "awsService": "ResourceExplorer", - "description": "Searches for resources and displays details about all resources that match the specified criteria.", + "eventName": "AttachGroupPolicy", + "eventSource": 
"iam.amazonaws.com", + "awsService": "IAM", + "description": "Attaches the specified managed policy to the specified IAM group.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1078 - Valid Accounts", + "reason": "By attaching a policy to a group, an adversary can ensure that even if certain accounts are revoked, the group as a whole still retains the permissions." } ], - "researchLinks": [], - "securityImplications": "Attackers might use Search to list resorces.", - "alerting": [], - "simulation": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "commandLine", - "value": "aws resource-explorer-2 search --query-string 'service:iam'" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "permissions": "https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search" - }, - { - "eventName": "GenerateDataKeyWithoutPlaintext", - "eventSource": "kms.amazonaws.com", - "awsService": "KMS", - "description": "Returns a unique symmetric data key for use outside of AWS KMS.", - "mitreAttackTactics": [ - "TA0040 - Impact" - ], - "mitreAttackTechniques": [ - "T1486 - Data Encrypted for Impact" - ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.", + "alerting": [ { - "description": "Cloud Security Stories: From Risky Permissions to 
Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy" }, { - "eventName": "ScheduleKeyDeletion", - "eventSource": "kms.amazonaws.com", - "awsService": "KMS", - "description": "Schedules the deletion of a KMS key.", + "eventName": "AttachRolePolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Attaching policies with permissions that affect logging or monitoring tools can be used to evade detection by modifying the environment to reduce visibility." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": " Threat Hunting with CloudTrail and GuardDuty in Splunk", - "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.", + "securityImplications": "Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.", "alerting": [ { "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7" + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role" } ], - "permissions": "https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy" }, { - "eventName": "Encrypt", - "eventSource": "kms.amazonaws.com", - "awsService": "KMS", - "description": "Encrypts plaintext of up to 4,096 bytes using a KMS key. 
", + "eventName": "AttachUserPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Attaches the specified managed policy to the specified user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1486 - Data Encrypted for Impact" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1556 - Modify Authentication Process", + "reason": "By attaching a policy, an adversary can alter the authentication process, potentially bypassing multi-factor authentication (MFA) or other security measures." + } ], "usedInWild": true, "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + } + ], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or 
enabling unauthorized access to AWS resources.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use Encrypt to encrypt data for ransom.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" } ], - "permissions": "https://aws.permissions.cloud/iam/kms#kms-Encrypt" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy" }, { - "eventName": "LookupEvents", - "eventSource": "cloudtrail.amazonaws.com", - "awsService": "CloudTrail", - "description": "Looks up management events or CloudTrail Insights events that are captured by CloudTrail.", + "eventName": "ChangePassword", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Changes the password of the IAM user who is calling this operation.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1654 - Log Enumeration" + "T1136 - Create Account", + "T1078 - Valid Accounts" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1098 - Account Manipulation", + "reason": "Changing the password of an IAM user can be used to maintain access to an account, thus manipulating account credentials." 
+ }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Changing the password modifies the authentication process for the IAM user, which can be a method to evade detection." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "An attacker might change a password to lock out the legitimate user, removing their access." } ], - "researchLinks": [], - "securityImplications": "Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS CloudTrail cheat sheet", + "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet" + }, + { + "description": "IAM User Changes Alarm", + "link": "https://asecure.cloud/a/cwalarm_iam_user_changes/" + } + ], + "securityImplications": "Attackers might use ChangePassword to alter user credentials.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover" + "value": "aws iam change-password --old-password TrailDiscover --new-password TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ChangePassword" }, { - "eventName": "StopLogging", - "eventSource": "cloudtrail.amazonaws.com", - "awsService": "CloudTrail", - "description": "Suspends the recording of AWS API calls and log file delivery for the specified trail.", + "eventName": "CreateAccessKey", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. 
The default status for new keys is Active.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1136 - Create Account", + "T1078 - Valid Accounts" ], - "usedInWild": false, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1136.003 - Create Account: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "technique": "T1098 - Account Manipulation", + "reason": "New keys can be used for account manipulation activities, providing additional or unauthorized access." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Stopping a CloudTrail trail", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "description": "AWS Defense Evasion Stop Logging Cloudtrail", - "link": "https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/" + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", + "link": "https://sysdig.com/blog/scarleteel-2-0/" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + 
"description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", + "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" }, { - "description": "AWS Defense Evasion and Centralized Multi-Account Logging", - "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + } + ], + "researchLinks": [ + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" }, { - "description": "Disrupting AWS logging", - "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" }, { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "description": "AWS IAM Persistence Methods", + "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" } ], - "securityImplications": "Attackers might use StopLogging to disrupting AWS logging.", + "securityImplications": "Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.", "alerting": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" + "type": "sigma", + "value": 
"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" }, { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws cloudtrail stop-logging --name TrailDiscover" + "value": "aws iam create-access-key --user-name TrailDiscover" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey" }, { - "eventName": "UpdateTrail", - "eventSource": "cloudtrail.amazonaws.com", - "awsService": "CloudTrail", - "description": "Updates trail settings that control what events you are logging, and how to handle log files.", + "eventName": "CreateGroup", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a new group.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1036 
- Masquerading", + "reason": "Creating a new group with a name similar to existing groups can help attackers blend in and avoid detection" } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "AWS Defense Evasion and Centralized Multi-Account Logging", - "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/" - }, - { - "description": "Disrupting AWS logging", - "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" - } - ], - "securityImplications": "Attackers might use UpdateTrail to disrupting AWS logging.", - "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" - }, - { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" + "description": "AWS IAM Group Creation", + "link": "https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html" } ], + "securityImplications": "Attackers use CreateGroup to create a group that they can use to escalate privileges.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName" + "value": "aws iam create-group --group-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateGroup" }, { - "eventName": "DeleteTrail", - "eventSource": "cloudtrail.amazonaws.com", - "awsService": "CloudTrail", - "description": "Deletes a trail.", + "eventName": "CreateLoginProfile", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a password for the specified IAM user. 
A password allows an IAM user to access AWS services through the AWS Management Console.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1098 - Account Manipulation", + "T1078 - Valid Accounts" + ], + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1078.001 - Valid Accounts: Local Accounts" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1556 - Modify Authentication Process", + "reason": "The CreateLoginProfile API call can be used to set a new password for an existing IAM user, effectively modifying the authentication process for that user." + } ], "usedInWild": true, "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, { "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" }, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": 
"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" } ], "researchLinks": [ { - "description": "AWS Defense Evasion Delete Cloudtrail", - "link": "https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/" + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" }, { - "description": "Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail", - "link": "https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" }, { - "description": "Disrupting AWS logging", - "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594" + "description": "AWS IAM Persistence Methods", + "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" } ], - "securityImplications": "Attackers might use DeleteTrail to disrupting AWS logging.", + "securityImplications": "Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.", "alerting": [ - { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5" - }, { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws cloudtrail delete-trail --name TrailDiscoverTrailName" + "value": "aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover" }, { "type": "stratusRedTeam", - "value": 
"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile" } ], - "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile" }, { - "eventName": "PutEventSelectors", - "eventSource": "cloudtrail.amazonaws.com", - "awsService": "CloudTrail", - "description": "Configures an event selector or advanced event selectors for your trail.", + "eventName": "CreateOpenIDConnectProvider", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" - ], - "usedInWild": true, - "incidents": [ - { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" - } + "T1136 - Create Account" ], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "cloudtrail_guardduty_bypass", - "link": "https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass" + "technique": "T1078 - Valid Accounts", + "reason": "Creating an OpenID Connect Provider can be used to generate valid credentials that can be exploited for persistent access" }, { - "description": "Detecting and removing risky actions out of your IAM security policies", - "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" - } - ], - "securityImplications": "Attackers might use PutEventSelectors to disrupting AWS 
logging.", - "alerting": [], - "simulation": [ + "technique": "T1136 - Create Account", + "reason": "Establishing new accounts or providers in the IAM can assist in maintaining access over time" + }, { - "type": "commandLine", - "value": "aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\"ReadWriteType\": \"All\", \"IncludeManagementEvents\":true, \"DataResources\": [{\"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3\"]}] }]'" + "technique": "T1556 - Modify Authentication Process", + "reason": "Adjusting authentication settings to include a new provider can bypass certain security measures." }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors" + "technique": "T1098 - Account Manipulation", + "reason": "Creating and managing new accounts or providers can lead to manipulation of permissions and roles." } ], - "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors" - }, - { - "eventName": "UpdateGraphqlApi", - "eventSource": "appsync.amazonaws.com", - "awsService": "AppSync", - "description": "Updates a GraphqlApi object.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion", - "TA0003 - Persistence" - ], - "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1556 - Modify Authentication Process" - ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", - "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], - 
"securityImplications": "Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.", + "researchLinks": [], + "securityImplications": "Attackers use CreateOpenIDConnectProvider to establish persistent footholds.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel" + "value": "aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'" } ], - "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider" }, { - "eventName": "CreateApiKey", - "eventSource": "appsync.amazonaws.com", - "awsService": "AppSync", - "description": "Creates a unique key that you can distribute to clients who invoke your API.", + "eventName": "CreatePolicyVersion", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a new version of the specified managed policy.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion", - "TA0003 - Persistence" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1556 - Modify Authentication Process" + "T1098 - Account Manipulation" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", - "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" - 
} - ], - "securityImplications": "Attackers might use CreateApiKey to add a key they control for authentication. Bypassing current authentication and potentially allowing persistent access to data.", - "alerting": [], - "simulation": [ + "technique": "T1531 - Account Access Removal", + "reason": "By altering IAM policies, attackers can remove access for legitimate users, ensuring only malicious actors maintain control." + }, { - "type": "commandLine", - "value": "aws appsync create-api-key --api-id TrailDiscoverApiId" + "technique": "T1489 - Service Stop", + "reason": "By altering permissions with a new policy version, an attacker could restrict or stop critical services within an AWS environment." } ], - "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey" - }, - { - "eventName": "GetIntrospectionSchema", - "eventSource": "appsync.amazonaws.com", - "awsService": "AppSync", - "description": "Retrieves the introspection schema for a GraphQL API.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", - "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "securityImplications": "Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the 
configuration for future modifications.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws appsync get-introspection-schema --api-id TrailDiscover --format json output" + "value": "aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}" } ], - "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion" }, { - "eventName": "UpdateResolver", - "eventSource": "appsync.amazonaws.com", - "awsService": "AppSync", - "description": "Updates a Resolver object.", + "eventName": "CreateRole", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a new role for your AWS account.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion", "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure", - "T1556 - Modify Authentication Process" + "T1136 - Create Account" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor", - "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8" + "technique": "T1098 - Account Manipulation", + "reason": "Attackers might create a new role to maintain access or elevate privileges within the environment." 
} ], - "securityImplications": "Attackers might use UpdateResolver to execute custom code that could allow potential access to data and bypass protections.", + "usedInWild": true, + "incidents": [ + { + "description": "Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet", + "link": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf" + }, + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], + "researchLinks": [], + "securityImplications": "Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template TrailDiscoverResponseMappingTemplate" + "value": "aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role" } ], - "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateRole" }, { - "eventName": "PutBucketPolicy", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Applies an Amazon S3 bucket policy to an Amazon S3 bucket.", + "eventName": "CreateSAMLProvider", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.", "mitreAttackTactics": [ - "TA0010 
- Exfiltration" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1048 - Exfiltration Over Alternative Protocol" + "T1136 - Create Account" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting and removing risky actions out of your IAM security policies", - "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" + "technique": "T1078 - Valid Accounts", + "reason": " Creating a SAML provider can lead to the creation and use of valid credentials, allowing the adversary to maintain persistence." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The creation of a SAML provider involves the manipulation of account settings to allow federated authentication, which can be used by adversaries to maintain access and evade detection." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "The creation of a SAML provider could be used to modify the authentication process, allowing adversaries to authenticate as different users within the AWS environment." 
} ], - "securityImplications": "Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], + "researchLinks": [], + "securityImplications": "Attackers use CreateSAMLProvider to establish persistent footholds.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api put-bucket-policy --bucket TrailDiscover --policy {}" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider" }, { - "eventName": "PutObject", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Adds an object to a bucket.", + "eventName": "StartSSO", + "eventSource": "sso.amazonaws.com", + "awsService": "SSO", + "description": "Initialize AWS IAM Identity Center", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1565 - Data Manipulation" + "T1136 - Create Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020", - "link": "https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020" + "technique": "T1098 - Account Manipulation", + "reason": "By starting SSO, an adversary can 
manipulate IAM user accounts, adding or modifying permissions to maintain persistent access." }, { - "description": "LA Times homicide website throttles cryptojacking attack", - "link": "https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack" + "technique": "T1078 - Valid Accounts", + "reason": "Use of valid SSO credentials can help adversaries gain access to various services and resources without raising alarms." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.", + "securityImplications": "Attackers use StartSSO to establish persistent footholds.", "alerting": [], "simulation": [ { 
@@ -5168,226 +8941,359 @@ "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutObject" + "permissions": "https://aws.permissions.cloud/iam/sso#sso-StartSSO" }, { - "eventName": "GetBucketVersioning", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns the versioning state of a bucket.", + "eventName": "CreateUser", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Creates a new IAM user for your AWS account.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1136 - Create Account" + ], + "mitreAttackSubTechniques": [ + "T1136.001 - Create Account: Local Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Adversaries may create new IAM users to manipulate accounts for continuous access or privilege escalation." + } ], "usedInWild": true, "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, { "description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" }, { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "description": "Responding to an attack in AWS", + "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac" + }, + { + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "Trouble in Paradise", + "link": 
"https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Exposed long-lived access key resulted in unauthorized access", + "link": "https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ" + }, + { + "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", + "link": "https://sysdig.com/blog/scarleteel-2-0/" + }, + { + "description": "Insider Threat Risks to Flat Environments", + "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + "description": "Sendtech Pte. Ltd", + "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en" + }, + { + "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", + "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + }, + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + } + ], + "researchLinks": [ + { + "description": "Creating a new IAM user", + "link": 
"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/" + }, + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges within AWS environments by creating new IAM users with strategic permissions.", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-versioning --bucket TrailDiscoverBucket" + "value": "aws iam create-user --user-name TrailDiscover" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateUser" }, { - "eventName": "PutBucketAcl", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Sets the permissions on an existing bucket using access control lists (ACL).", + "eventName": "DeactivateMFADevice", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deactivates the specified MFA device and removes it from association with 
the user name for which it was originally enabled.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1048 - Exfiltration Over Alternative Protocol" + "T1562 - Impair Defenses" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS S3 Bucket ACL made public", - "link": "https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/" + "technique": "T1586 - Compromise Accounts", + "reason": "Deactivating MFA might be part of an account compromise if the attacker knows the password but has no access to the MFA. By disabling the MFA the attacker will be able to compromise the account." } ], - "securityImplications": "Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.", - "alerting": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" + "description": "AWS IAM Deactivation of MFA Device", + "link": "https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html" } ], + "securityImplications": "Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl" + "value": "aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice" }, { - "eventName": 
"PutBucketVersioning", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Sets the versioning state of an existing bucket.", + "eventName": "DeleteAccessKey", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the access key pair associated with the specified IAM user.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0010 - Exfiltration" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1490 - Inhibit System Recovery", - "T1537 - Transfer Data to Cloud Account" + "T1578 - Modify Cloud Compute Infrastructure", + "T1070 - Indicator Removal" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + "technique": "T1531 - Account Access Removal", + "reason": "Deleting the access key pair is a direct method to remove access credentials, which aligns with the technique of account access removal." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Exfiltrating S3 Data with Bucket Replication Policies", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" - } - ], - "securityImplications": "Attackers might set the versioning to 'Suspended' before deleting data. 
Attackers might enable versioning to add bucket replication to exfiltrate data.", - "alerting": [ + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml" + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" } ], + "researchLinks": [], + "securityImplications": "Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled" + "value": "aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey" }, { - "eventName": "GetBucketLogging", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns the logging status of a bucket and the permissions users have to view and modify that status.", + "eventName": "DeleteLoginProfile", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the password for the specified IAM user.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1578 - Modify Cloud Compute Infrastructure", + "T1070 - Indicator Removal" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case 
Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1098 - Account Manipulation", + "reason": "The deletion of a login profile is a form of account manipulation, altering the state of an IAM user account to possibly favor continued unauthorized access through other means like access keys or roles" }, { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1531 - Account Access Removal", + "reason": "By deleting the login profile, an attacker can remove a user's ability to log in with a password, thus removing an access method that might be used for legitimate purposes or incident response, aiding in persistence and defense evasion." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Removing the password of an IAM user modifies the way that user can authenticate, potentially replacing it with a method controlled by the attacker, facilitating unauthorized access while evading detection." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.", + "securityImplications": "Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. 
Also, it might be used to delete a previously added profile to avoid detection.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-logging --bucket TrailDiscoverBucket" + "value": "aws iam delete-login-profile --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile" }, { - "eventName": "GetBucketPolicy", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns the policy of a specified bucket.", + "eventName": "DeleteRolePermissionsBoundary", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the permissions boundary for the specified IAM role.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1562 - Impair Defenses", + "reason": "Removing permissions boundaries can weaken the security posture by reducing the effectiveness of policies designed to limit role actions." }, { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1068 - Exploitation for Privilege Escalation", + "reason": "Removing permissions boundaries may be used as part of exploiting a misconfiguration to gain elevated privileges." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-policy --bucket TrailDiscoverBucket" + "value": "aws iam delete-role-permissions-boundary --role-name trail-discover" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary" }, { - "eventName": "PutBucketReplication", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Creates a replication configuration or replaces an existing one.", + "eventName": "DeleteRolePolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the specified inline policy that is embedded in the specified IAM role.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting inline policies from IAM roles can remove critical permissions, effectively locking out legitimate users or restricting their access. This action can hinder incident response and obscure the attacker's presence in the environment." 
+ }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By deleting IAM role policies, an attacker could impair security tools that rely on those policies for correct operation, effectively reducing the efficacy of security defenses." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Exfiltrating S3 Data with Bucket Replication Policies", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.", + "securityImplications": "Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.", "alerting": [ { "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], "simulation": [ { "type": "commandLine", - "value": "aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\"Role\":\"\",\"Rules\":[]}'" + "value": "aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy" }, { - "eventName": "ListBuckets", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns a list of all buckets owned by the authenticated sender of the request.", + "eventName": "DeleteUser", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the specified IAM user.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], 
"mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1578 - Modify Cloud Compute Infrastructure", + "T1070 - Indicator Removal" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting a user account immediately revokes all permissions and access rights associated with that IAM user, disrupting access to critical resources. This action can prevent legitimate users from performing essential tasks, effectively halting operations and response efforts." + }, + { + "technique": "T1485 - Data Destruction", + "reason": " The deletion of an IAM user can be part of a deliberate attempt to destroy data or disrupt normal operations. Users often have associated data, policies, and access controls that, when removed, can result in data loss or corruption. " + } ], "usedInWild": true, "incidents": [ 
@@ -5396,3959 +9302,5183 @@ "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" - }, - { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + "description": "Insider Threat Risks to Flat Environments", + "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf" }, { "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" - }, - { - "description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", - "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach" - }, - { - "description": "Enumerate AWS Account ID from a Public S3 Bucket", - "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/" - }, + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. 
Also, it can be used to delete previously used users to avoid detection.", + "alerting": [], + "simulation": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - }, + "type": "commandLine", + "value": "aws iam delete-user --user-name TrailDiscover" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUser" + }, + { + "eventName": "DeleteUserPermissionsBoundary", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the permissions boundary for the specified IAM user.", + "mitreAttackTactics": [ + "TA0004 - Privilege Escalation" + ], + "mitreAttackTechniques": [ + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1078 - Valid Accounts", + "reason": "Compromised cloud accounts can be manipulated by deleting permissions boundaries, giving adversaries increased permissions to execute further malicious activities." }, { - "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + "technique": "T1562 - Impair Defenses", + "reason": "Deleting the permissions boundary could be part of a broader strategy to disable or modify security tools or settings to avoid detection." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" - } - ], - "securityImplications": "Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.", - "alerting": [ - { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], + "securityImplications": "Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api list-buckets --query \"Buckets[].Name\"" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + "value": "aws iam delete-user-permissions-boundary --user-name TrailDiscover" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary" }, { - "eventName": "GetBucketReplication", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns the replication configuration of a bucket.", + "eventName": "DeleteUserPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Deletes the specified inline policy that is embedded in the specified IAM user.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1578 - Modify Cloud Compute Infrastructure", + "T1098 - Account Manipulation" + ], + 
"mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Removing a policy from an IAM user could be a step to disable access for an account, which aligns with tactics for impact." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Removing policies can help adversaries to evade detection and persist in the environment by modifying account permissions." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + } ], - "usedInWild": true, - "incidents": [ + "researchLinks": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - }, + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.", + "alerting": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-replication --bucket 
TrailDiscoverBucket" + "value": "aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy" }, { - "eventName": "GetObject", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Retrieves an object from Amazon S3.", + "eventName": "DetachRolePolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Removes the specified managed policy from the specified role.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0005 - Defense Evasion", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1048 - Exfiltration Over Alternative Protocol" + "T1578 - Modify Cloud Compute Infrastructure", + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ - { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" - }, - { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" - }, - { - "description": "Incident 2 - Additional details of the attack", - "link": "https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus" - }, - { - "description": "Aruba Central Security Incident", - "link": "https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/" - }, - { - "description": "Sendtech Pte. Ltd", - "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en" - }, - { - "description": "GotRoot! 
AWS root Account Takeover", - "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", - "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach" + "technique": "T1078 - Valid Accounts", + "reason": "By detaching policies from roles, attackers can invalidate certain permissions, reducing the risk of detection while using compromised accounts." }, { - "description": "Chegg, Inc", - "link": "https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf" + "technique": "T1531 - Account Access Removal", + "reason": "By detaching policies, attackers can remove access permissions, disrupting legitimate user operations and evading detection." }, { - "description": "Scattered Spider Attack Analysis", - "link": "https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/" + "technique": "T1070 - Indicator Removal", + "reason": "Removing policies can be part of a strategy to clean up indicators of malicious activity on the account, aiding in defense evasion." }, { - "description": "Enumerate AWS Account ID from a Public S3 Bucket", - "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/" - }, + "technique": "T1562 - Impair Defenses", + "reason": "Detaching policies may impair security configurations, reducing the ability of the environment to detect or prevent further malicious activities." 
+ } + ], + "usedInWild": true, + "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [ { - "description": "Data Exfiltration through S3 Server Access Logs", - "link": "https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/" - }, + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.", + "alerting": [ { - "description": "S3 Streaming Copy", - "link": "https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "securityImplications": "Attackers might use GetObject to download data from S3 buckets.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion" + "value": "aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetObject" + "permissions": 
"https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy" }, { - "eventName": "PutBucketLifecycle", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.", + "eventName": "DetachUserPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Removes the specified managed policy from the specified user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0005 - Defense Evasion", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1578 - Modify Cloud Compute Infrastructure", + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "USA VS Nickolas Sharp", - "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl" + "technique": "T1531 - Account Access Removal", + "reason": "Detaching a policy can be used as a way to remove or limit access to critical accounts, impacting operational capabilities." }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1562 - Impair Defenses", + "reason": "Security controls relying on certain policies may be disabled or impaired when those policies are detached." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By removing critical policies, the attacker can cause a denial of service for endpoints relying on those permissions to function properly." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], - "simulation": [ - { - "type": "commandLine", - "value": "aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\"Rules\":[{\"ID\":\"\",\"Status\": \"Enabled\", \"Prefix\": \"TrailDiscover/\"}]}'" - }, + "researchLinks": [ { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "permissions": "N/A" - }, - { - "eventName": "DeleteBucket", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Deletes the S3 bucket.", - "mitreAttackTactics": [ - "TA0040 - Impact" - ], - "mitreAttackTechniques": [ - "T1485 - Data Destruction" - ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.", + "alerting": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DeleteBucket to delete resources.", - 
"alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1" + "value": "aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy" }, { - "eventName": "GetBucketAcl", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.", + "eventName": "GetAccountAuthorizationDetails", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1087 - Account Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + "technique": "T1069 - Permission Groups Discovery", + "reason": "By retrieving information on IAM groups and their policies, attackers can understand the permissions associated with each group. This information is useful for identifying which groups have elevated privileges." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "If an adversary gains access to this information, they can identify valid accounts within the AWS environment, aiding in furthering access or compromising specific accounts." 
+ }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By gathering detailed information on IAM roles and policies, attackers can map out the cloud infrastructure, understand the hierarchy and relationships between resources, and identify potential weaknesses or entry points." } ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Public S3 bucket through bucket ACL", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/" + "description": "AWS - IAM Enum", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" } ], - "securityImplications": "Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.", + "securityImplications": "Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-acl --bucket TrailDiscoverBucket" + "value": "aws iam get-account-authorization-details" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails" }, { - "eventName": "DeleteBucketPolicy", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Deletes the policy of a specified bucket.", + "eventName": "GetLoginProfile", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Retrieves the user name for the specified IAM user.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure" + "T1087 - Account Discovery" ], 
- "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "AWS S3 Bucket Configuration Deletion", - "link": "https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Retrieving IAM user details can help attackers understand the structure and users within the cloud infrastructure." } ], - "securityImplications": "Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.", + "usedInWild": true, + "incidents": [ + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.", "alerting": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName" + "value": "aws iam get-login-profile --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy" - }, - { - "eventName": "HeadObject", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "The HEAD operation retrieves metadata from an object without returning the object itself.", + "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile" + }, + { + "eventName": "GetUser", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Retrieves information about 
the specified IAM user, including the user's creation date, path, unique ID, and ARN.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1619 - Cloud Storage Object Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access." + } ], "usedInWild": true, "incidents": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "description": "GotRoot! 
AWS root Account Takeover", + "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" + }, + { + "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" } ], "researchLinks": [], - "securityImplications": "Attackers might use HeadObject to gather metadata about sensitive files stored in S3.", + "securityImplications": "Attackers might use GetUser to obtain user information.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam get-user --user-name TrailDiscover" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetUser" }, { - "eventName": "ListVaults", - "eventSource": "glacier.amazonaws.com", - "awsService": "S3", - "description": "This operation lists all vaults owned by the calling user\u2019s account.", + "eventName": "ListAccessKeys", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Returns information about the access key IDs associated with the specified IAM user.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1619 - Cloud Storage Object Discovery" + "T1087 - Account Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1589 - Gather Victim Identity Information", + "reason": "Access key information can reveal details about the IAM user's identity, such as their role and permissions, which can be valuable for planning further attacks." 
}, { - "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By listing access keys, attackers can identify existing cloud infrastructure accounts and keys, revealing how the cloud environment is structured." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListVaults to identify data such as archived training data or related datasets.", + "securityImplications": "Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws glacier list-vaults --account-id -" + "value": "aws iam list-access-keys --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/glacier#glacier-ListVaults" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys" }, { - "eventName": "GetPublicAccessBlock", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.", + "eventName": "ListAttachedRolePolicies", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists all managed policies that are attached to the specified IAM role.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By listing attached role policies, 
attackers can understand the permissions associated with specific roles, which is essential for discovering permission groups within a cloud environment." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Listing attached role policies reveals the configuration and permissions of cloud services tied to specific roles. This information helps attackers map out the cloud environment and identify potential targets for further exploitation." + } ], "usedInWild": true, "incidents": [ { "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - }, - { - "description": "Muddled Libra\u2019s Evolution to the Cloud", - "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.", + "securityImplications": "Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-attached-role-policies --role-name TrailDiscover" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies" }, { - "eventName": "GetBucketTagging", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns the tag set associated with the bucket.", + "eventName": "ListGroups", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the IAM groups that have the specified path prefix.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + 
], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Listing IAM groups helps identify the permission groups within an AWS environment, which is crucial for understanding the access levels and privileges assigned to different users." + } ], "usedInWild": true, "incidents": [ { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.", + "researchLinks": [ + { + "description": "AWS - IAM Enum", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" + } + ], + "securityImplications": "Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws s3api get-bucket-tagging --bucket TrailDiscoverBucket" + "value": "aws iam list-groups" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroups" }, { - "eventName": "DeleteObject", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Removes an object from a bucket. 
The behavior depends on the bucket's versioning state.", + "eventName": "ListGroupsForUser", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the IAM groups that the specified IAM user belongs to.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1087 - Account Discovery" ], - "usedInWild": true, - "incidents": [ - { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" - }, - { - "description": "The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability", - "link": "https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability" - }, + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets", - "link": "https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/" + "technique": "T1069 - Permission Group Discovery", + "reason": "By listing the groups for a user, adversaries can identify the permissions associated with different IAM groups and plan further actions based on the discovered roles and policies." }, { - "description": "Hacker Puts Hosting Service Code Spaces Out of Business", - "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" - }, + "technique": "T1057 - Process Discovery", + "reason": "Information about user groups can be utilized by adversaries to infer the types of processes and operations a user can perform, aiding in planning subsequent steps of an attack." 
+ } + ], + "usedInWild": true, + "incidents": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [], - "securityImplications": "Attackers might use DeleteObject to erase crucial data from S3 buckets.", + "securityImplications": "Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion" + "value": "aws iam list-groups-for-user --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteObject" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser" }, { - "eventName": "JobCreated", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.", + "eventName": "ListInstanceProfiles", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the instance profiles that have the specified path prefix. 
If there are none, the operation returns an empty list.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1087 - Account Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ { - "description": "Exfiltrating S3 Data with Bucket Replication Policies", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The ListInstanceProfiles API call provides details about instance profiles and their associated IAM roles, helping an attacker map out the cloud infrastructure. Understanding the roles in use aids in identifying potential targets for further exploitation or privilege escalation." + }, + { + "technique": "T1589 - Gather Victim Identity Information", + "reason": "The API call can help gather information about the identities and roles within the AWS environment, which could be used for further attacks or social engineering." 
} ], - "securityImplications": "Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.", + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-instance-profiles" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles" }, { - "eventName": "ListObjects", - "eventSource": "s3.amazonaws.com", - "awsService": "S3", - "description": "Returns some or all (up to 1,000) of the objects in a bucket.", + "eventName": "ListOpenIDConnectProviders", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1619 - Cloud Storage Object Discovery" + "T1087 - Account Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Identifying OIDC providers gives attackers insights into the cloud infrastructure, revealing the different third-party services and platforms integrated with the AWS environment." 
}, { - "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", - "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" - }, + "technique": "T1082 - System Information Discovery", + "reason": "Listing OIDC providers provides details about the system's authentication setup, contributing to the overall system information an attacker can gather." + } + ], + "usedInWild": true, + "incidents": [ { - "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.", + "securityImplications": "Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-open-id-connect-providers" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders" }, { - "eventName": "InvokeModel", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.", + "eventName": "ListRolePolicies", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the names of the inline policies that are embedded in the specified IAM role.", "mitreAttackTactics": [ - "TA0007 - Discovery", - "TA0040 - Impact" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery", - "T1496 - Resource 
Hijacking" - ], - "usedInWild": true, - "incidents": [ - { - "description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", - "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/" - }, + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1484 - Domain Policy Discovery", + "reason": "Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment." }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" - }, + "technique": "T1057 - Process Discovery", + "reason": "Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities." 
+ } + ], + "usedInWild": true, + "incidents": [ { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], "researchLinks": [], - "securityImplications": "Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.", + "securityImplications": "Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-role-policies --role-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies" }, { - "eventName": "GetUseCaseForModelAccess", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to retrieve a use case for model access.", + "eventName": "ListRoles", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the IAM roles that have the specified path prefix. ", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Discovering IAM roles helps adversaries understand their permissions and group memberships, enabling them to identify roles with excessive privileges that can be misused for unauthorized activities." 
+ }, + { + "technique": "T1518 - Software Discovery", + "reason": "Listing IAM roles can reveal roles associated with various software applications, including security, administrative, and operational tools." + } ], "usedInWild": true, "incidents": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" - }, + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + } + ], + "researchLinks": [ { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "description": "AWS - IAM Enum", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetUseCaseForModelAccess to enumerate accessible models.", + "securityImplications": "Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-roles" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRoles" }, { - "eventName": "ListProvisionedModelThroughputs", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to list provisioned model throughputs that you created earlier.", + "eventName": "ListSAMLProviders", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the SAML provider resource objects defined in IAM in the account.", 
"mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Listing SAML providers can help attackers map out the cloud infrastructure and understand how identity federation is being handled within the account." + }, + { + "technique": "T1592 - Gather Victim Host Information", + "reason": "Identifying SAML providers can reveal details about the host environment and configurations, which may be used to further map the attack surface." + }, + { + "technique": "T1589 - Gather Victim Identity Information", + "reason": "Listing SAML providers can help attackers collect information about identities and roles within the target environment, aiding in crafting more targeted attacks" + } ], "usedInWild": true, "incidents": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.", + "securityImplications": "Attackers might use ListSAMLProviders to discover if there are SAML providers configured.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-saml-providers" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders" }, { - "eventName": "PutFoundationModelEntitlement", - "eventSource": "bedrock.amazonaws.com", - "awsService": 
"Bedrock", - "description": "Grants permission to put entitlement to access a foundation model.", + "eventName": "ListServiceSpecificCredentials", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Returns information about the service-specific credentials associated with the specified IAM user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Adversaries may enumerate cloud infrastructure to understand the environment better, and listing service-specific credentials provides information about the associated IAM users" + } ], "usedInWild": true, "incidents": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" - }, - { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.", + "securityImplications": "Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement" + "permissions": 
"https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials" }, { - "eventName": "InvokeModelWithResponseStream", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.", + "eventName": "ListSigningCertificates", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Returns information about the signing certificates associated with the specified IAM user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1087 - Account Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "Identifying signing certificates shows which users have configured alternate authentication mechanisms, revealing potential entry points that do not rely on passwords." }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Gaining information about signing certificates aids in mapping the IAM infrastructure, helping to understand the authentication methods and structure of the cloud environment." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Listing signing certificates assists in discovering the primary users and owners of the accounts, which aids in planning targeted attacks." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.", + "securityImplications": "Attackers might use ListSigningCertificates to review which users have active certificates", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-signing-certificates --user-name traildiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates" }, { - "eventName": "PutUseCaseForModelAccess", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to put a use case for model access.", + "eventName": "ListSSHPublicKeys", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Returns information about the SSH public keys associated with the specified IAM user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078. - Valid Accounts", + "reason": "If attackers can associate public keys with user accounts, they might leverage this information to attempt to use stolen or weak credentials elsewhere." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.", + "securityImplications": "Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-ssh-public-keys --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys" }, { - "eventName": "GetFoundationModelAvailability", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to get the availability of a foundation model.", + "eventName": "ListUsers", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. Knowledge of valid accounts can help in attempts to compromise or leverage these accounts." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment." + } ], "usedInWild": true, "incidents": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": 
"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetFoundationModelAvailability to enumerate accessible models", + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam list-users" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUsers" }, { - "eventName": "ListFoundationModels", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to list Bedrock foundation models that you can use.", + "eventName": "PutGroupPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM group.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 
- Impair Defenses", + "reason": "Inline policies can be altered to disable or impair security features such as monitoring and alerting." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Inline policies can be modified to change authentication processes, making it easier to bypass existing security controls." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.", + "alerting": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use ListFoundationModels to enumerate accessible models.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy" }, { - "eventName": "ListFoundationModelAgreementOffers", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to get a list of foundation model agreement offers.", + "eventName": "PutRolePermissionsBoundary", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds or updates the policy that is specified as the IAM role's 
permissions boundary.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1212 - Exploitation for Privilege Escalation", + "reason": "Modifying permissions boundaries can be used to elevate the privileges of the role, enabling actions that would otherwise be restricted." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "By altering the permissions boundary, attackers can change the authentication process for the role to grant themselves higher privileges." } ], - "researchLinks": [], - "securityImplications": "Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary" }, { - "eventName": "GetModelInvocationLoggingConfiguration", - "eventSource": "bedrock.amazonaws.com", - 
"awsService": "Bedrock", - "description": "Get the current configuration values for model invocation logging.", + "eventName": "PutRolePolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", - "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/" + "technique": "T1531 - Account Access Removal", + "reason": "Modifying IAM role policies can be used to restrict or remove access to certain users or roles, aiding in defense evasion." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration" + 
"permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy" }, { - "eventName": "CreateFoundationModelAgreement", - "eventSource": "bedrock.amazonaws.com", - "awsService": "Bedrock", - "description": "Grants permission to create a new foundation model agreement.", + "eventName": "PutUserPermissionsBoundary", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds or updates the policy that is specified as the IAM user's permissions boundary.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting AI resource-hijacking with Composite Alerts", - "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + "technique": "T1531 - Account Access Removal", + "reason": "Setting a permissions boundary might be part of a strategy to later remove access to certain resources or actions, effectively controlling or limiting account capabilities." }, { - "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", - "link": "https://permiso.io/blog/exploiting-hosted-models" + "technique": "T1556 - Modify Authentication Process", + "reason": "Attackers may modify permissions boundaries to ensure their access is maintained across cloud accounts, preventing account lockout or access removal." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Changing the permissions boundary might be used to impact security settings or access, impairing the effectiveness of security tools and preventing detection or response to malicious activity." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary" }, { - "eventName": "CreateInstanceExportTask", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Exports a running or stopped instance to an Amazon S3 bucket.", + "eventName": "PutUserPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM user.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1005 - Data from Local System" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "By embedding policies that allow for disabling or bypassing security controls, adversaries can impair defense mechanisms." 
+ }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Adversaries may use PutUserPolicy to remove access rights for legitimate users, causing disruption." + }, + { + "technique": "T1068 - Exploitation for Privilege Escalation", + "reason": "If an adversary can modify policies to grant administrative privileges, they effectively escalate their privileges." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Inline policies can be changed to weaken authentication requirements, making it easier for adversaries to access the account." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "AWS EC2 VM Export Failure", - "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use CreateInstanceExportTask to extract or exfiltrate information", + "securityImplications": "Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.", "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4" + }, { "type": "sigma", - "value": 
"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix" + "value": "aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy" }, { - "eventName": "GetConsoleScreenshot", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.", + "eventName": "SetDefaultPolicyVersion", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Sets the specified version of the specified policy as the policy's default (operative) version.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1070 - Indicator Removal", + "reason": "Modifying the policy's default version can be used to evade detection by setting the policy version that was in place before the 
attack." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Attackers can use this API call to update policies in a way that prevents legitimate users from accessing resources, ensuring continued control over the compromised environment." } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId" + "value": "aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion" }, { - "eventName": "DeleteVolume", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Deletes the specified EBS volume. 
The volume must be in the available state (not attached to an instance).", + "eventName": "SimulatePrincipalPolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": " Using this API, attackers can determine the permissions associated with specific IAM roles or users, aiding in privilege escalation planning." + }, + { + "technique": "T1615 - Group Policy Discovery", + "reason": "By simulating principal policies, attackers can identify the group policies and their impact on IAM roles and entities." + } ], "usedInWild": true, "incidents": [ { - "description": "Hacker Puts Hosting Service Code Spaces Out of Business", - "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [], - "securityImplications": "Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.", + "securityImplications": "Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. 
Using this technique might allow attackers to evade defenses while enumerating permissions.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 delete-volume --volume-id TrailDiscoverVolumeId" + "value": "aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy" }, { - "eventName": "DescribeSnapshotTierStatus", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the storage tier status of one or more Amazon EBS snapshots.", + "eventName": "UpdateAccessKey", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Changes the status of the specified access key from Active to Inactive, or vice versa.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070. - Indicator Removal", + "reason": "Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Temporarily deactivating keys to remove access can help adversaries evade detection while they perform malicious activities." 
+ } ], - "usedInWild": true, - "incidents": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "AWS - IAM Privesc", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.", + "securityImplications": "Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-snapshot-tier-status" + "value": "aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey" }, { - "eventName": "DescribeImages", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.", + "eventName": "UpdateAssumeRolePolicy", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Updates the policy that grants an IAM entity permission to assume a role.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + 
"mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1078 - Valid Accounts", + "reason": "Updating the assume role policy can allow attackers to use valid IAM roles to maintain access." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + }, + { + "description": "AWS IAM Persistence Methods", + "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/" + } + ], + "securityImplications": "Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-images --filters Name=name,Values=TrailDiscover" + "value": "aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy" }, { - "eventName": "ModifyInstanceAttribute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Modifies the specified attribute of the specified 
instance.", + "eventName": "UpdateLoginProfile", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.", "mitreAttackTactics": [ + "TA0003 - Persistence", "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Executing commands through EC2 user data", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + "technique": "T1078 - Valid Accounts", + "reason": "Changing an IAM user's password allows an attacker to maintain access using a legitimate account." }, { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + "technique": "T1556 - Modify Authentication Process", + "reason": "Changing the password directly impacts the authentication process, potentially locking out legitimate users and ensuring only the attacker has access." }, { - "description": "EC2 Privilege Escalation Through User Data", - "link": "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/" + "technique": "T1531 - Account Access Removal", + "reason": "Changing the password of an IAM user can also serve as a means to remove legitimate account access for the rightful user, ensuring only the attacker can access the account." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" }, { - "description": "User Data Script Persistence", - "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/" + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" }, { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" } ], - "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.", + "researchLinks": [ + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.", "alerting": [ { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId 
--attribute TrailDiscoverAttribute --value TrailDiscoverValue" + "value": "aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile" }, { - "eventName": "GetEbsDefaultKmsKeyId", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the default AWS KMS key for EBS encryption by default for your account in this Region.", + "eventName": "UpdateSAMLProvider", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Updates the metadata document for an existing SAML provider resource object.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1556 - Modify Authentication Process", + "reason": "The UpdateSAMLProvider API call allows changing the SAML metadata document, directly affecting how AWS handles authentication through SAML assertions. This can enable an attacker to alter authentication mechanisms or potentially introduce unauthorized access methods." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By changing the SAML metadata document, an attacker could gain access to valid accounts. 
The new or altered assertions in the SAML metadata can be used to authenticate as legitimate AWS users or roles." + }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "Altering the SAML metadata document provides an opportunity to use different authentication material. An attacker could insert alternate cryptographic keys or certificates into the SAML assertions, allowing them to authenticate to AWS resources as a trusted user or entity." } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Gaining AWS Persistence by Updating a SAML Identity Provider", + "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5" + } + ], + "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-ebs-default-kms-key-id" + "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId" + "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider" }, { - "eventName": "EnableSerialConsoleAccess", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Enables access to the EC2 serial console of all instances for your account.", + "eventName": "Encrypt", + "eventSource": "kms.amazonaws.com", + "awsService": "KMS", + "description": "Encrypts plaintext of up to 4,096 bytes using a KMS key. 
", "mitreAttackTactics": [ - "TA0008 - Lateral Movement" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1021 - Remote Services" + "T1486 - Data Encrypted for Impact" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "technique": "T1560 - Archive Collected Data", + "reason": "Encrypting data before exfiltration can help to evade detection and bypass certain security controls, however this would be quite noisy." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Encrypting information can make it harder for security tools to analyze the content of the data, aiding in evasion. This could be used for things like other keys to avoid suspicion." } ], - "researchLinks": [ - { - "description": "How to detect EC2 Serial Console enabled", - "link": "https://sysdig.com/blog/ec2-serial-console-enabled/" - }, + "usedInWild": true, + "incidents": [ { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], - "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.", + "researchLinks": [], + "securityImplications": "Attackers might use Encrypt to encrypt data for ransom.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 enable-serial-console-access" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess" + "permissions": 
"https://aws.permissions.cloud/iam/kms#kms-Encrypt" }, { - "eventName": "DescribeAvailabilityZones", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.", + "eventName": "GenerateDataKeyWithoutPlaintext", + "eventSource": "kms.amazonaws.com", + "awsService": "KMS", + "description": "Returns a unique symmetric data key for use outside of AWS KMS.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1486 - Data Encrypted for Impact" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "The symmetric data key can be used to encrypt or delete critical data, rendering it useless and causing operational disruptions." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "The data key can facilitate the encryption of collected data before exfiltration to avoid detection." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.", + "securityImplications": "Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones" + "permissions": "https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext" + }, + { + "eventName": "ScheduleKeyDeletion", + "eventSource": "kms.amazonaws.com", + "awsService": "KMS", + "description": "Schedules the deletion of a KMS key.", + "mitreAttackTactics": [ + "TA0040 - Impact" + ], + "mitreAttackTechniques": [ + "T1485 - Data Destruction" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1561 - Disk Wipe", + "reason": "By scheduling the deletion of a KMS key, the adversary could render encrypted data useless, effectively wiping the disk content indirectly." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting a KMS key can disrupt the availability of data, causing a denial of service on the applications relying on the encrypted data." 
+ }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The scheduling of a key deletion might involve manipulating existing KMS permissions or roles to gain the necessary rights to perform the action." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Deleting a KMS key can impair security defenses by making logs or other critical data inaccessible if they are encrypted with the deleted key." + }, + { + "technique": "T1486 - Data Encrypted for Impact", + "reason": "By deleting the encryption key, the adversary ensures that the encrypted data is rendered unusable, impacting the integrity and availability of the data." + } + ], + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": " Threat Hunting with CloudTrail and GuardDuty in Splunk", + "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/" + } + ], + "securityImplications": "Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7" + } + ], + "simulation": [ + { + "type": "commandLine", + "value": "N/A" + } + ], + "permissions": "https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion" }, { - "eventName": "GetPasswordData", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Retrieves the encrypted administrator password for a running Windows instance.", + "eventName": "AddPermission20150331v2", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Grants an AWS service, AWS account, or AWS organization permission to use a function.", "mitreAttackTactics": [ - "TA0006 - Credential Access" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1555 - Credentials from Password Stores" + "T1098 - Account Manipulation" ], - "usedInWild": 
true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1098 - Account Manipulation", + "reason": "The AddPermission API call can be used to alter permissions, effectively manipulating accounts to maintain access or escalate privileges." }, { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "technique": "T1090 - Proxy", + "reason": "Permissions granted via AddPermission could enable an attacker to set up functions that act as proxies, helping to evade defenses." }, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1087 - Account Discovery", + "reason": "Attackers could use the AddPermission call to discover additional accounts that have access to specific Lambda functions, aiding in lateral movement." }, { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1071 - Application Layer Protocol", + "reason": "Permissions can be used to manipulate Lambda functions to communicate over various application layer protocols, aiding in command and control." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-password-data --instance-id TrailDiscoverInstanceId" + "value": "aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-AddPermission" }, { - "eventName": "CreateTrafficMirrorTarget", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a target for your Traffic Mirror session.", + "eventName": "CreateEventSourceMapping20150331", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Creates a mapping between an event source and an AWS Lambda function.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1074 - Data Staged" + "T1098 - Account Manipulation" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Abusing VPC Traffic Mirroring in AWS", 
- "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" - } - ], - "securityImplications": "Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.", - "alerting": [], - "simulation": [ + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The Lambda function might execute code based on the event source data, potentially running JavaScript if included in the payload." + }, { - "type": "commandLine", - "value": "aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn" + "technique": "T1071 - Application Layer Protocol", + "reason": "Lambda functions can communicate over web protocols, enabling command and control through event source triggers." + }, + { + "technique": "T1546 - Event Triggered Execution", + "reason": "Event source mappings can be used to trigger Lambda functions, executing code in response to specific events or data." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Modifying the event source mappings can change the behavior of Lambda functions, possibly to escalate privileges or persist in the environment." 
} ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget" - }, - { - "eventName": "CreateVolume", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.", - "mitreAttackTactics": [ - "TA0008 - Lateral Movement" - ], - "mitreAttackTechniques": [ - "T1021 - Remote Services" - ], - "usedInWild": true, - "incidents": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.", + "securityImplications": "Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-volume --size 80 --availability-zone us-east-1a" + "value": "aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping" }, { - "eventName": "StartInstances", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Starts an Amazon EBS-backed instance that you've previously stopped.", + "eventName": "CreateFunction20150331", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Creates a Lambda function.", "mitreAttackTactics": [ "TA0003 - 
Persistence", + "TA0004 - Privilege Escalation", "TA0040 - Impact" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation", "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The Lambda function can be configured to execute JavaScript code, enabling attackers to run malicious scripts." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": " By using Lambda, attackers can delete logs or files to evade detection." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers might create Lambda functions designed to disable security monitoring tools or alerts." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Lambda functions can communicate over standard web protocols, enabling Command and Control communication that blends with regular traffic." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "If attackers use code-signing configurations and different deployment packaging (e.g., obfuscated container images or encrypted .zip archives), it can help evade detection by concealing the true nature of the function code." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Attackers might schedule Lambda functions to execute at specific intervals, providing a means of persistence or delayed execution." 
+ } + ], "usedInWild": true, "incidents": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "Mining Crypto", + "link": "https://twitter.com/jonnyplatt/status/1471453527390277638" + }, + { + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [ { - "description": "Executing commands through EC2 user data", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" }, { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.", + "securityImplications": "Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 start-instances --instance-ids TrailDiscoverInstanceID" + "value": "aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4" } ], - 
"permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StartInstances" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction" }, { - "eventName": "CreateSecurityGroup", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a security group.", + "eventName": "Invoke", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Invokes a Lambda function.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0008 - Lateral Movement" + "TA0040 - Impact", + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1021 - Remote Services" + "T1496 - Resource Hijacking" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Lambda functions can be used to execute scripts and commands, allowing attackers to run arbitrary code within the AWS environment." }, { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1071 - Application Layer Protocol", + "reason": "The Invoke API call can be used to establish communication channels over various application layer protocols for command and control purposes." }, { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "technique": "T1036 - Masquerading", + "reason": "Attackers can invoke Lambda functions under the guise of legitimate requests to evade detection." 
}, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1105 - Ingress Tool Transfer", + "reason": "An attacker can use Lambda functions to download or transfer malicious tools into the environment." }, { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" - } - ], - "researchLinks": [ + "technique": "T1074 - Data Staged", + "reason": "Lambda functions can be used to stage data for exfiltration, storing collected information temporarily." + }, { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "technique": "T1219 - Remote Access Software", + "reason": "Attackers can use Lambda functions as a form of remote access to maintain control over compromised systems." }, { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" - } - ], - "securityImplications": "Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.", - "alerting": [ + "technique": "T1190 - Exploit Public-Facing Application", + "reason": "If the Lambda function is triggered via a public-facing API endpoint, it could be exploited to gain unauthorized access. Attackers may abuse vulnerable API configurations or input validation flaws to invoke the function, thus compromising the environment." 
+ }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" - } - ], - "simulation": [ + "technique": "T1053 - Scheduled Task/Job", + "reason": "Lambda functions can be scheduled to execute tasks periodically, allowing persistent execution of malicious code." + }, { - "type": "commandLine", - "value": "aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \"TrailDiscoverDescription\"" + "technique": "T1648 - Serverless Execution", + "reason": "By invoking a Lambda function, an attacker can leverage the serverless environment to run malicious code, perform lateral movement, or conduct other post-exploitation activities while taking advantage of the scalability and ephemeral nature of serverless computing to evade detection and persist within the environment." } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup" - }, - { - "eventName": "DescribeInstances", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified instances or all instances.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], "usedInWild": true, "incidents": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" - } - ], - "researchLinks": [ - { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" - } - ], - "securityImplications": "Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.", - "alerting": [], - "simulation": [ - { - "type": "commandLine", - "value": "aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID" + 
"description": "Mining Crypto", + "link": "https://twitter.com/jonnyplatt/status/1471453527390277638" }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials" + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances" - }, - { - "eventName": "GetTransitGatewayRouteTableAssociations", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Gets information about the associations for the specified transit gateway route table.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], - "usedInWild": true, - "incidents": [ + "researchLinks": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.", + "securityImplications": "Attackers might use Invoke to execute previously modified functions in AWS Lambda.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations" + 
"permissions": "https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction" }, { - "eventName": "ModifySnapshotAttribute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Adds or removes permission settings for the specified snapshot.", + "eventName": "UpdateEventSourceMapping20150331", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight", - "link": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + "technique": "T1071 - Application Layer Protocol", + "reason": "Changing the event source mapping can be used to invoke a function via HTTP/S requests, which aligns with utilizing web protocols for execution." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Adversaries can use this API call to set up or alter scheduled tasks or jobs, such as Lambda functions, to achieve persistence by ensuring repeated or delayed execution." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Adversaries can pause the invocation of a Lambda function to impair or disable security tools or monitoring functions, thereby evading detection or preventing logging." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries can obfuscate their actions by frequently changing the event source mapping, making it harder to trace the function invocations." 
+ }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Changing the event source mapping can also be used to manipulate which account or function is invoked, potentially changing the permissions context." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Updating the event source mapping involves modifying the cloud infrastructure to change how functions are executed, which is a form of altering cloud resources for persistence or evasion." } ], - "researchLinks": [], - "securityImplications": "Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.", - "alerting": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml" + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" } ], + "securityImplications": "Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" + "value": "aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping" }, { - "eventName": "CreateDefaultVpc", - 
"eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.", + "eventName": "UpdateFunctionCode20150331v2", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.", "mitreAttackTactics": [ "TA0003 - Persistence", - "TA0040 - Impact" + "TA0040 - Impact", + "TA0009 - Collection" ], "mitreAttackTechniques": [ "T1098 - Account Manipulation", - "T1496 - Resource Hijacking" + "T1496 - Resource Hijacking", + "T1119 - Automated Collection" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Adversaries can use AWS Lambda to execute commands or scripts by updating the function code to include the desired commands or scripts." + }, + { + "technique": "T1648 - Serverless Execution", + "reason": "Attackers may maintain persistence in a target environment by continually updating Lambda function code in serverless environments." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Staging data in cloud storage services can be facilitated by updating the Lambda function code to interact with these storage resources." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Updating Lambda function code to access metadata services enables the function to collect and archive data." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Attackers can modify cloud compute infrastructure to execute malicious activities by updating the Lambda function." 
+ }, + { + "technique": "T1056 - Input Capture", + "reason": "By updating the Lambda function code to capture inputs, such as keystrokes or API inputs, adversaries can collect sensitive information." } ], - "researchLinks": [], - "securityImplications": "Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, + { + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + }, + { + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + }, + { + "description": "How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies", + "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c" + } + ], + "securityImplications": "Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-default-vpc" + "value": "aws lambda update-function-code --function-name my-function" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode" }, { - "eventName": "DeleteFlowLogs", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Deletes one or more flow logs.", + 
"eventName": "UpdateFunctionConfiguration20150331v2", + "eventSource": "lambda.amazonaws.com", + "awsService": "Lambda", + "description": "Modify the version-specific settings of a Lambda function.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1089 - Disabling Security Tools" + "T1098 - Account Manipulation" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Modifying Lambda function configurations allows execution of scripts or commands in the runtime environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers might modify configurations like logging settings or environment variables to prevent detection efforts." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Removing VPC flow logs", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/" + "description": "AWS IAM Privilege Escalation Techniques", + "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" }, { - "description": "AWS Incident Response", - "link": "https://github.com/easttimor/aws-incident-response" + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" }, { - "description": "Proactive Cloud Security w/ AWS Organizations", - "link": "https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16" + "description": "LambdaSpy - Implanting the Lambda execution environment (Part two)", + "link": "https://www.clearvector.com/blog/lambda-spy/" } ], - "securityImplications": "Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.", + "securityImplications": "Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId" + "value": "aws lambda update-function-configuration --function-name my-function --memory-size 256" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs" + "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration" }, { - "eventName": "GetLaunchTemplateData", - "eventSource": 
"ec2.amazonaws.com", - "awsService": "EC2", - "description": "Retrieves the configuration data of the specified instance. You can use this data to create a launch template.", + "eventName": "CreateInstances", + "eventSource": "lightsail.amazonaws.com", + "awsService": "Lightsail", + "description": "Creates one or more Amazon Lightsail instances.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion", + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1578 - Modify Cloud Compute Infrastructure", + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "CreateInstances can be used by adversaries to acquire infrastructure for future operations by provisioning new instances." + }, + { + "technique": "T1090 - Proxy", + "reason": "Instances could act as proxies to route malicious traffic and hide the true source of the attack." + }, + { + "technique": "T1102 - Web Services", + "reason": "Instances may be used to communicate with web services to facilitate command and control or data exfiltration." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Instances may be named or configured to masquerade as legitimate services or systems." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Instances can be used to stage data before exfiltration, serving as temporary storage points." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings, network configurations.", + "securityImplications": "Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. The use of lightsail might not be monitored.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId" + "value": "aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData" + "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances" }, { - "eventName": "CreateNetworkAclEntry", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates an entry (a rule) in a network ACL with the specified rule number.", + "eventName": "GetInstances", + "eventSource": "lightsail.amazonaws.com", + "awsService": "LightSail", + "description": "Returns information about all Amazon Lightsail virtual private servers, or instances.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + 
"unverifiedMitreAttackTechniques": [ { - "description": "AWS EC2 Network Access Control List Creation", - "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html" + "technique": "T1082 - System Information Discovery", + "reason": "Using GetInstances, attackers can retrieve detailed information about the instances, such as instance IDs, names, and states, providing insight into the system's configuration." }, { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "technique": "T1057 - Process Discovery", + "reason": "Although indirect, details about instances can hint at the types of processes and services running within those instances." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Instance metadata often includes user or owner information, which can be used to identify who is responsible for the instances." 
} ], - "securityImplications": "Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.", - "alerting": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11" + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" } ], + "securityImplications": "Attackers might use GetInstances to gather information about running instances for potential exploitation.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow" + "value": "aws lightsail get-instances" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry" + "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances" }, { - "eventName": "DescribeKeyPairs", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified key pairs or all of your key pairs.", + "eventName": "GetRegions", + "eventSource": "lightsail.amazonaws.com", + "awsService": "LightSail", + "description": "Returns a list of all valid regions for Amazon Lightsail.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "technique": "T1082 - System Information Discovery", + "reason": 
"The GetRegions API call can provide information about the geographical distribution of LightSail resources, which is useful for understanding the environment." } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair" + "value": "aws lightsail get-regions" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs" + "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions" }, { - "eventName": "DeleteNetworkAcl", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Deletes the specified network ACL.", + "eventName": "DescribeOrganization", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Retrieves information about the organization that the user's account belongs to.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "DescribeOrganization can be used to discover details about accounts within the organization, including account IDs and email addresses." 
+ }, { - "description": "Ensure CloudWatch has an Alarm for Network ACL Changes", - "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change" + "technique": "T1078 - Valid Accounts", + "reason": "Information gathered can assist in identifying valid accounts within the organization, aiding further actions that require valid credentials." } ], - "securityImplications": "Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId" + "value": "aws organizations describe-organization" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization" }, { - "eventName": "CreateTrafficMirrorSession", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a Traffic Mirror session.", + "eventName": "CreateAccount", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Creates an AWS account that is automatically a member of the organization whose credentials made the request.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0005 - Defense 
Evasion" ], "mitreAttackTechniques": [ - "T1074 - Data Staged" + "T1535 - Unused/Unsupported Cloud Regions" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + "technique": "T1078 - Valid Accounts", + "reason": "By creating a new AWS account within the organization, attackers can obtain valid cloud credentials for future access and operations." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating a new account can be used to manipulate and manage user accounts, potentially hiding malicious activities under a legitimate-looking account." + }, + { + "technique": "T1136 - Create Account", + "reason": "Creating a new account can establish persistence, allowing an attacker to maintain access even if the initially compromised account is detected and removed." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers can use the new account to disable or modify security tools and configurations within the cloud environment to avoid detection." 
} ], - "securityImplications": "Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.", + "usedInWild": true, + "incidents": [ + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id tmf-04812ff784EXAMPLE" + "value": "aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\"" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount" }, { - "eventName": "GetEbsEncryptionByDefault", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes whether EBS encryption by default is enabled for your account in the current Region.", + "eventName": "InviteAccountToOrganization", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Sends an invitation to another account to join your organization as a member account.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1535 - Unused/Unsupported Cloud Regions" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + 
"technique": "T1098 - Account Manipulation", + "reason": "Adding accounts to the organization can be used to manipulate account permissions and roles for persistence or escalation of privileges." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By adding new accounts, an attacker might impair the existing security defenses, such as monitoring and logging configurations, by creating noise or adding trusted accounts." + }, + { + "technique": "T1199 - Trusted Relationship", + "reason": "Inviting an account creates a trusted relationship that can be exploited for initial access or lateral movement within the organization." + } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are encrypted by default, seeking to exploit unencrypted volumes.", + "securityImplications": "Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-ebs-encryption-by-default" + "value": "aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization" }, { - "eventName": "CreateKeyPair", - "eventSource": "ec2.amazonaws.com", - "awsService": 
"EC2", - "description": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.", + "eventName": "LeaveOrganization", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Removes a member account from its parent organization.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1070 - Indicator Removal" ], - "usedInWild": true, - "incidents": [ - { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" - }, + "technique": "T1562 - Impair Defenses", + "reason": "Leaving the organization can be used to evade security controls and monitoring that are applied at the organization level, reducing the chances of detection." 
+ } + ], + "usedInWild": false, + "incidents": [ { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "An AWS account attempted to leave the AWS Organization", + "link": "https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/" } ], - "securityImplications": "Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.", + "securityImplications": "Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-key-pair --key-name TrailDiscoverKeyPair" + "value": "aws organizations leave-organization" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization" }, { - "eventName": "SharedSnapshotCopyInitiated", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Modifies the specified attribute of the specified instance.", + "eventName": "ListAccounts", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Lists all the accounts in the organization.", 
"mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1526 - Cloud Service Discovery" ], - "usedInWild": true, - "incidents": [ - { - "description": "M-Trends Report - 2020", - "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" - }, + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Democratic National Committee hack", - "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000" + "technique": "T1087 - Account Discovery", + "reason": "Using the ListAccounts API call, an attacker can enumerate all accounts within the AWS organization, gaining insight into the structure and scope of the organization's AWS environment." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Detecting exfiltration of EBS snapshots in AWS", - "link": "https://twitter.com/christophetd/status/1574681313218506753" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], - "securityImplications": "SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.", + "researchLinks": [], + "securityImplications": "Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" + "value": "aws organizations list-accounts" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts" }, { - "eventName": "DescribeCarrierGateways", - "eventSource": 
"ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes one or more of your carrier gateways.", + "eventName": "ListOrganizationalUnitsForParent", + "eventSource": "organizations.amazonaws.com", + "awsService": "Organizations", + "description": "Lists the organizational units (OUs) in a parent organizational unit or root.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "By listing the organizational units, an adversary can identify relationships and trust boundaries between different parts of the organization, gaining insight into the hierarchical structure that may be exploited later." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Knowledge of the organizational units can inform an adversary about different parts of the cloud infrastructure, helping to discover systems or accounts that can be targeted for further actions." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "The API can reveal different organizational units that might correspond to permission groupings or roles within the AWS environment, which is crucial for understanding how access is managed across the organization." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "By understanding the organizational units, an adversary can piece together information about the internal network structure, which can be critical for furthering internal reconnaissance efforts." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.", + "securityImplications": "Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId" + "value": "aws organizations list-organizational-units-for-parent --parent-id r-traildiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways" + "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent" }, { - "eventName": "TerminateInstances", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Shuts down the specified instances. 
This operation is idempotent; if you terminate an instance more than once, each call succeeds.", + "eventName": "AuthorizeDBSecurityGroupIngress", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Enables ingress to a DBSecurityGroup using one of two forms of authorization.", "mitreAttackTactics": [ - "TA0040 - Impact", "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction", - "T1070 - Indicator Removal" + "T1578 - Modify Cloud Compute Infrastructure" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1021 - Remote Services", + "reason": "By authorizing specific IP ranges or security groups, this API call can enable remote access to the database from specified instances or IP addresses, potentially allowing attackers to establish unauthorized access directly." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1071 - Application Layer Protocol", + "reason": "The authorization of ingress rules through this API call may enable attackers to use common web protocols (HTTP/S) to interact with the database, facilitating access over application-layer protocols." }, { - "description": "Former Cisco engineer sentenced to prison for deleting 16k Webex accounts", - "link": "https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/" + "technique": "T1090 - Proxy", + "reason": "Attackers might exploit the authorized IP range through this API call by routing their traffic via an external proxy, masking their true origin and evading detection." 
}, { - "description": "Hacker Puts Hosting Service Code Spaces Out of Business", - "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" + "technique": "T1133 - External Remote Services", + "reason": "The API call directly allows the configuration of external access to cloud-based database services, which could be exploited by attackers to bypass internal network protections by directly accessing the database." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might use the API call to authorize ingress for IP addresses or security groups that appear legitimate or benign, thus evading detection by security monitoring tools that rely on expected network traffic patterns." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By carefully selecting which IPs or security groups to authorize, attackers can effectively impair or avoid network-based defenses, such as firewalls or intrusion detection systems (IDS), that rely on stricter ingress rules to protect the database." 
} ], - "researchLinks": [], - "securityImplications": "Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + }, + { + "description": "Hunting AWS RDS security events with Sysdig", + "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" + } + ], + "securityImplications": "Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID" + "value": "aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress" }, { - "eventName": "DeleteNetworkAclEntry", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Deletes the specified ingress or egress entry (rule) from the specified network ACL.", + "eventName": "CreateDBSecurityGroup", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Creates a new DB security group. 
DB security groups control access to a DB instance.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1537 - Transfer Data to Cloud Account" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The security group settings can be configured to allow specific protocols or applications to communicate with the DB instance, facilitating control or exfiltration methods." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying or creating a security group that permits broader access to the DB instance could serve as a form of defense evasion by bypassing firewall rules set to protect the database." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating or modifying a security group could be a method to manipulate access controls and permissions, thereby escalating privileges or creating a backdoor for persistent access." + }, + { + "technique": "T1036 - Masquerading", + "reason": "An attacker could create or name a DB security group to resemble legitimate or existing groups to avoid detection. This can deceive administrators or monitoring systems, allowing malicious actions to go unnoticed." 
+ } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Ensure CloudWatch has an Alarm for Network ACL Changes", - "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change" - } - ], - "securityImplications": "Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.", - "alerting": [ + "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", + "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11" + "description": "Hunting AWS RDS security events with Sysdig", + "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" } ], + "securityImplications": "Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100" + "value": "aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup" }, { - "eventName": "CreateRoute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a route in a route table within a VPC.", + "eventName": "CreateDBSnapshot", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Creates a snapshot of a DB instance.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0010 - 
Exfiltration" ], "mitreAttackTechniques": [ - "T1074 - Data Staged" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Ensure CloudWatch has an Alarm for Route Table Changes", - "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change" + "technique": "T1003 - OS Credential Dumping", + "reason": "Snapshots could contain credentials or other sensitive information that can be extracted and exploited by an attacker." }, { - "description": "AWS Incident Response", - "link": "https://easttimor.github.io/aws-incident-response/" + "technique": "T1078 - Valid Accounts", + "reason": "Snapshots containing authentication data or API keys can be used by attackers to maintain unauthorized access to cloud environments." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots stored in cloud storage can be accessed by attackers to extract sensitive information." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "The snapshot may contain data from the local system of the database instance that attackers could extract." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The snapshot could be automatically transferred out of the environment to an external location, facilitating data exfiltration without manual intervention." 
} ], - "securityImplications": "Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.", - "alerting": [ + "usedInWild": true, + "incidents": [ { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [ + { + "description": "Stealing an RDS database by creating a snapshot and sharing it", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/" } ], + "securityImplications": "Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId" + "value": "aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot" }, { - "eventName": "GetFlowLogsIntegrationTemplate", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.", + "eventName": "DeleteDBCluster", + "eventSource": "rds.amazonaws.com", + 
"awsService": "RDS", + "description": "The DeleteDBCluster action deletes a previously provisioned DB cluster.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1485 - Data Destruction" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "By deleting the DB cluster, an attacker could disable or remove a crucial part of an organization\u00e2\u20ac\u2122s monitoring or logging setup if these were hosted on the RDS instance." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting a DB cluster could also serve to remove access to critical data and services, thereby disrupting operations and hindering incident response." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting the DB cluster may remove evidence of previous activities, such as logs or data that could be used to investigate the attack, serving as a method to evade detection." + }, + { + "technique": "T1489 - Service Stop", + "reason": "The deletion of a DB cluster directly results in stopping the associated service, causing disruption to any applications or services relying on that database." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By deleting the DB cluster, the attacker effectively denies access to the endpoint associated with the database, preventing legitimate users from interacting with the data and services hosted on the DB cluster." + }, + { + "technique": "T1490 - Inhibit System Recovery", + "reason": "Deleting a DB cluster can prevent data recovery if backups are also targeted or if the deletion is part of a strategy to ensure that data cannot be restored." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.", + "researchLinks": [ + { + "description": "Hunting AWS RDS security events with Sysdig", + "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" + }, + { + "description": "AWS Deletion of RDS Instance or Cluster", + "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html" + } + ], + "securityImplications": "Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'" + "value": "aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster" } ], - "permissions": 
"https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster" }, { - "eventName": "DescribeTransitGatewayMulticastDomains", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes one or more transit gateway multicast domains.", + "eventName": "DeleteDBInstance", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Deletes a previously provisioned DB instance.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1485 - Data Destruction" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Removing a DB instance can help an adversary eliminate logs or traces of malicious activity by erasing the entire database where logs might be stored." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "If an attacker deletes a DB instance, it could be a part of denying access to legitimate users by removing the resource they need." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Deleting a DB instance can effectively stop a critical service, rendering the associated application or service unavailable." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By deleting a DB instance, an attacker can cause a denial of service by removing the endpoint that the application or users rely on for database services." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "While not strictly altering data, deleting a DB instance can result in the loss of data integrity, as the sudden removal can lead to incomplete data or service disruptions." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.", + "securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId" + "value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance" }, { - "eventName": "StopInstances", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Stops an Amazon EBS-backed instance.", + "eventName": "DeleteGlobalCluster", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Deletes a global database cluster. 
The primary and secondary clusters must already be detached or destroyed first.", "mitreAttackTactics": [ - "TA0040 - Impact", - "TA0005 - Defense Evasion" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1499 - Endpoint Denial of Service", - "T1578 - Modify Cloud Compute Infrastructure" + "T1485 - Data Destruction" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" - } - ], - "researchLinks": [ + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting a global database cluster can cause an application or system to become unavailable, effectively denying service to legitimate users." + }, { - "description": "Executing commands through EC2 user data", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/" + "technique": "T1561 - Disk Wipe", + "reason": "The deletion of a global database cluster can be seen as a form of storage deletion, where critical data is irreversibly destroyed." }, { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" - } - ], - "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.", - "alerting": [], - "simulation": [ + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the global database cluster, an attacker can remove evidence of the existence of that cluster, potentially hindering forensic investigations." 
+ }, { - "type": "commandLine", - "value": "aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID" + "technique": "T1489 - Service Stop", + "reason": "Deleting a global database cluster will stop associated services, disrupting operations and causing an impact on availability." }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data" + "technique": "T1562 - Impair Defenses", + "reason": "Deleting the database cluster can disable monitoring or logging capabilities, thus impairing defenses by making it harder to detect malicious activity." + }, + { + "technique": "T1490 - Inhibit System Recovery", + "reason": "By deleting a global database cluster, an attacker may prevent system recovery by ensuring that critical data or configurations cannot be restored." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "If the global database cluster contains authentication information or is tied to account access mechanisms, deleting it can effectively remove or disrupt account access." } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StopInstances" - }, - { - "eventName": "DescribeInstanceAttribute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified attribute of the specified instance. 
You can specify only one attribute at a time.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], - "usedInWild": true, - "incidents": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "AWS Deletion of RDS Instance or Cluster", + "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.", + "securityImplications": "Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data" + "value": "aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster" }, { - "eventName": "DescribeDhcpOptions", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes one or more of your DHCP options sets.", + "eventName": "ModifyActivityStream", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Changes the audit policy state of a database activity stream to either locked (default) or unlocked.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0005 - 
Defense Evasion" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1578 - Modify Cloud Compute Infrastructure" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying the database activity stream to an unlocked state could impair logging and monitoring, effectively evading defenses." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Attackers might reconfigure the audit policy state to the original state to avoid an investigation." + } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response", + "link": "https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.", + "securityImplications": "Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId" + "value": "aws rds modify-activity-stream" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions" - }, - { - "eventName": "AuthorizeSecurityGroupIngress", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Adds the specified inbound (ingress) rules to a security group.", + "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream" + }, + 
{ + "eventName": "ModifyDBSnapshotAttribute", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0008 - Lateral Movement" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1021 - Remote Services" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1078 - Valid Accounts", + "reason": "By adding specific AWS account IDs to the ValuesToAdd parameter, an attacker can ensure persistent access to a DB snapshot by authorized accounts." }, { - "description": "Finding evil in AWS", - "link": "https://expel.com/blog/finding-evil-in-aws/" + "technique": "T1562 - Impair Defenses", + "reason": "Modifying the snapshot to make it public or share it with specific accounts might bypass certain security controls, aiding in defense evasion." }, { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Making a DB snapshot public or sharing it with specific accounts allows unauthorized access, facilitating the exfiltration of sensitive data to an attacker-controlled AWS account." 
}, { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "technique": "T1070 - Indicator Removal", + "reason": "Removing attributes or specific account IDs from the ValuesToAdd parameter can be used to cover tracks by eliminating evidence of unauthorized access." }, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1087 - Account Manipulation", + "reason": "Modifying the attributes to include or exclude certain account IDs is a form of account manipulation, impacting who can access the snapshot." }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "technique": "T1531 - Account Access Removal", + "reason": "By removing access to certain AWS accounts from the ValuesToAdd parameter, legitimate users may be denied access, contributing to account access removal tactics." }, { - "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", - "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" - }, + "technique": "T1071 - Application Layer Protocol", + "reason": "The API call itself operates over an application layer protocol (typically HTTPS) and can be part of a communication channel used by the attacker to modify and transfer data within the cloud." 
+ } + ], + "usedInWild": true, + "incidents": [ { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "description": "Imperva Security Update", + "link": "https://www.imperva.com/blog/ceoblog/" }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" } ], "researchLinks": [ { - "description": "Opening a security group to the Internet", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/" - } - ], - "securityImplications": "Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.", - "alerting": [ + "description": "Stealing an RDS database by creating a snapshot and sharing it", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/" + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" + "description": "Hunting AWS RDS security events with Sysdig", + "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" } ], + "securityImplications": "Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.", + "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24" + "value": "aws rds 
modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute" }, { - "eventName": "DescribeVpcEndpointConnectionNotifications", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the connection notifications for VPC endpoints and VPC endpoint services.", + "eventName": "StartExportTask", + "eventSource": "rds.amazonaws.com", + "awsService": "RDS", + "description": "Starts an export of DB snapshot or DB cluster data to Amazon S3.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "By exporting data to an S3 bucket, adversaries can use cloud services as a method to exfiltrate data without direct interaction with the database." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "After exporting snapshot data to S3, an adversary can retrieve and analyze the data from the S3 bucket, provided they maintain access to the cloud storage." 
+ }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "By exporting the RDS snapshot, an adversary gains access to a repository of information stored within the database, which they can then access through the S3 bucket." + }, + { + "technique": "T1078 - Cloud Accounts", + "reason": "Adversaries may leverage compromised cloud accounts to persist within the environment, using cloud-native functionality like the StartExportTask to maintain access to sensitive data over time." } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "AWS - RDS Post Exploitation", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation" + } + ], + "securityImplications": "Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId" + "value": "aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications" + "permissions": "https://aws.permissions.cloud/iam/rds#rds-StartExportTask" }, { - "eventName": "DescribeFlowLogs", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes one or more flow logs.", + "eventName": "Search", + "eventSource": 
"resource-explorer-2.amazonaws.com", + "awsService": "ResourceExplorer", + "description": "Searches for resources and displays details about all resources that match the specified criteria.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Attackers can create queries to discover permission groups, roles, and policies within the AWS environment, which might aid in understanding access levels across different resources." + }, + { + "technique": "T1538 - Cloud Service Discovery", + "reason": "By specifying queries related to cloud services, attackers can discover details about various services in use, aiding in the mapping of the environment." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The search results can reveal information about infrastructure components like EC2 instances, S3 buckets, and databases, providing attackers with critical data about the cloud architecture." + }, + { + "technique": "T1201 - Password Policy Discovery", + "reason": "Queries can be tailored to discover password policies related to IAM users, assisting attackers in crafting password-based attacks." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "If the search results reveal IAM roles or users with associated access keys, attackers might identify unsecured credentials that could be exploited for unauthorized access." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Searches might return details about valid accounts that could be targeted for unauthorized access, particularly if accounts are not adequately secured." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.", + "securityImplications": "Attackers might use Search to list resorces.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId" + "value": "aws resource-explorer-2 search --query-string 'service:iam'" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs" + "permissions": "https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search" }, { - "eventName": "SendSSHPublicKey", - "eventSource": "ec2-instance-connect.amazonaws.com", - "awsService": "EC2InstanceConnect", - "description": "Pushes an SSH public key to the specified EC2 instance for use by the specified user.", + "eventName": "ChangeResourceRecordSets", + "eventSource": "route53.amazonaws.com", + "awsService": "Route53", + "description": "Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.", "mitreAttackTactics": [ - "TA0008 - Lateral Movement" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1021 - Remote Services" + "T1496 - Resource Hijacking" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto 
mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1071 - Application Layer Protocol", + "reason": "The ChangeResourceRecordSets API can be used to modify DNS records, allowing attackers to establish command and control channels using DNS or other application-layer protocols like HTTP/HTTPS." }, { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "technique": "T1070 - Indicator Removal", + "reason": "By altering DNS records, attackers can hide or modify evidence of their activities, such as tampering with or removing logs associated with DNS queries to avoid detection by security systems." }, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1090 - Proxy", + "reason": "Attackers may use this API to redirect network traffic through external or internal proxies by changing DNS records, which helps conceal the true destination of the traffic and evade monitoring tools." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "Altering DNS records can mislead or redirect users and systems, potentially sending them to malicious IP addresses or disrupting the normal operation of services by providing false information." + }, + { + "technique": "T1568 - Dynamic Resolution", + "reason": "Attackers can frequently update DNS entries using this API to maintain control over compromised systems or to evade detection by constantly altering the destination of command and control traffic." 
+ }, + { + "technique": "T1531 - Account Access Removal", + "reason": "By modifying or deleting DNS records, attackers can effectively deny legitimate users access to services, redirecting traffic to incorrect or malicious servers, thereby locking out authorized access." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Changing or deleting essential DNS records can lead to a denial of service, where users are unable to access critical resources because DNS queries resolve to incorrect addresses." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Constant manipulation of DNS records may be used to obscure the attacker's activities, making it more challenging for defenders to trace or understand the methods used for command and control or data exfiltration." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "By redirecting traffic from legitimate information repositories to a malicious destination through altered DNS records, attackers can collect sensitive data under the guise of normal operations" + }, + { + "technique": "T1557 - Man-in-the-Middle", + "reason": "Modifying DNS records to reroute traffic to malicious sites can facilitate man-in-the-middle attacks, allowing attackers to intercept or manipulate communications between users and services." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [ { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "AWS API Call Hijacking via ACM-PCA", + "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" } ], - "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", + "securityImplications": "Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.", "alerting": [], "simulation": [ { "type": "commandLine", "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey" + "permissions": "https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets" }, { - "eventName": "DescribeSnapshotAttribute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified attribute of the specified snapshot.", + "eventName": "CreateHostedZone", + "eventSource": "route53.amazonaws.com", + "awsService": "Route53", + "description": "Creates a new public or private hosted zone. 
You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Creating a hosted zone allows attackers to use DNS or web protocols for communication between compromised systems and attacker-controlled infrastructure, facilitating covert command and control operations." + }, + { + "technique": "T1090 - Proxy", + "reason": "The hosted zone can be configured to route traffic through multiple proxies, aiding in defense evasion by obscuring the true source or destination of the traffic." + }, + { + "technique": "T1568 - Dynamic Resolution", + "reason": "Attackers may use dynamically generated domains within the hosted zone to maintain command and control, making it difficult for defenders to track or block these communications." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might create a hosted zone with a domain or subdomain that closely mimics a legitimate one, aiding in phishing or other forms of deception to mislead users or systems." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.", + "researchLinks": [ + { + "description": "AWS API Call Hijacking via ACM-PCA", + "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/" + } + ], + "securityImplications": "Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute" + "value": "aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute" + "permissions": "https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone" }, { - "eventName": "DescribeVolumesModifications", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the most recent volume modification request for the specified EBS volumes.", + "eventName": "GetHostedZoneCount", + "eventSource": "route53.amazonaws.com", + "awsService": "Route53", + "description": "Retrieves the number of hosted zones that are associated with the current AWS account.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" 
], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1087 - Account Discovery", + "reason": "The GetHostedZoneCount API call can be used to enumerate the number of DNS zones hosted in a cloud environment, which reveals information about the cloud account's resources." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The GetHostedZoneCount API call reveals the presence and scale of Route 53 DNS services within the cloud environment. This information helps adversaries understand the cloud infrastructure and identify potential targets for further actions." } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeVolumesModifications to track changes in EBS volumes.", + "usedInWild": false, + "incidents": [], + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId" + "value": "aws route53 get-hosted-zone-count" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications" + "permissions": "https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount" }, { - "eventName": "DescribeRegions", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the Regions that 
are enabled for your account, or all Regions.", + "eventName": "ListDomains", + "eventSource": "route53domains.amazonaws.com", + "awsService": "route53domains", + "description": "This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "technique": "T1526 - Cloud Service Discovery", + "reason": "The ListDomains API call allows an adversary to discover domain names associated with the AWS account, providing insights into the cloud infrastructure." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "The ListDomains API call can be used to gather DNS information, which may reveal the structure of the victim\u00e2\u20ac\u2122s network and other valuable network details." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Knowing the domains registered within the AWS account can help identify associated cloud resources and potential attack vectors within the cloud environment." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "The ListDomains API call could assist an adversary in identifying network services associated with the domain names, contributing to their reconnaissance efforts." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" } ], - "securityImplications": "Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.", + "securityImplications": "Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-regions" + "value": "aws route53domains list-domains --region us-east-1" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions" + "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains" }, { - "eventName": "DeleteSnapshot", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Deletes the specified snapshot.", + "eventName": "RegisterDomain", + "eventSource": "route53domains.amazonaws.com", + "awsService": "route53domains", + "description": "This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.", "mitreAttackTactics": [ "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "The RegisterDomain API call is used to acquire a new domain, which can be leveraged to set up malicious infrastructure, such as phishing sites or command and control servers." 
+ }, + { + "technique": "T1584 - Compromise Infrastructure", + "reason": "Registering a domain and creating a corresponding hosted zone allows attackers to establish and control an infrastructure that supports malicious activities." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By creating a hosted zone and assigning name servers, the domain can be used to facilitate communication via DNS, a common method for establishing command and control channels." + } ], "usedInWild": true, "incidents": [ { - "description": "Hacker Puts Hosting Service Code Spaces Out of Business", - "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" } ], "researchLinks": [], - "securityImplications": "Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.", + "securityImplications": "Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId" + "value": "aws route53domains register-domain --region us-east-1 --cli-input-json '{\"DomainName\": \"\", \"DurationInYears\": 1, \"AdminContact\": { \"FirstName\": \"\", \"LastName\": \"\"}, \"RegistrantContact\": {\"FirstName\": \"\", \"LastName\": \"\" }, \"TechContact\": {\"FirstName\": \"\", \"LastName\": \"\"}}'" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot" + "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain" }, { - "eventName": "SharedSnapshotVolumeCreated", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Modifies the specified attribute of the 
specified instance.", + "eventName": "DeleteBucket", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Deletes the S3 bucket.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1485 - Data Destruction" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "M-Trends Report - 2020", - "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" + "technique": "T1485 - Data Destruction", + "reason": "Permanently deleting objects or versions from S3 can result in the loss of critical data, affecting the availability and integrity of information. This action can disrupt business operations by removing essential files, leading to significant data loss and operational downtime." }, { - "description": "Democratic National Committee hack", - "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000" + "technique": "T1070 - Indicator Removal", + "reason": "Deleting an S3 bucket can serve as a method of removing evidence or logs that may be stored within the bucket, helping to evade detection." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting an S3 bucket could result in a denial of service if critical data or services that rely on that bucket become unavailable." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Deleting key objects or configuration files from S3 can cause critical services to stop functioning. This disruption can lead to downtime and loss of access to essential systems, impacting business operations." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Detecting exfiltration of EBS snapshots in AWS", - "link": "https://twitter.com/christophetd/status/1574681313218506753" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], - "securityImplications": "SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.", + "researchLinks": [], + "securityImplications": "Attackers might use DeleteBucket to delete resources.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot" + "value": "aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1" } ], - "permissions": "N/A" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucket" }, { - "eventName": "CreateSnapshot", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a snapshot of an EBS volume and stores it in Amazon S3.", + "eventName": "DeleteBucketPolicy", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Deletes the policy of a specified bucket.", "mitreAttackTactics": [ - "TA0008 - Lateral Movement", - "TA0010 - Exfiltration" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account", - "T1021 - Remote Services" + "T1578 - Modify Cloud Compute Infrastructure" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight", - "link": 
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + "technique": "T1531 - Account Access Removal", + "reason": "Deleting a bucket policy can remove specific account or role permissions, effectively locking out other identities from accessing the bucket, which supports account access removal." }, { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" - } - ], - "researchLinks": [ + "technique": "T1562 - Impair Defenses", + "reason": "By deleting a bucket policy, an attacker could disable or weaken security controls that were enforced by the policy, making it easier to execute subsequent malicious actions." + }, { - "description": "Stealing an EBS snapshot by creating a snapshot and sharing it", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/" + "technique": "T1098 - Account Manipulation", + "reason": "If an attacker deletes the bucket policy, they can manipulate access controls to further their persistence or impede legitimate access, which could be considered a form of account manipulation." }, { - "description": "Exfiltrate EBS Snapshot by Sharing It", - "link": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/" + "technique": "T1070 - Indicator Removal", + "reason": "Deleting the bucket policy can remove key indicators of unauthorized access or changes. Since the policy itself might contain logging configurations or access control rules, its removal could make it harder to detect and track the attacker's actions, thereby aiding in evasion of detection." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting the bucket policy can lead to denial of service for legitimate users who rely on the policy to access the bucket, especially if the policy enforced critical access controls." 
+ }, + { + "technique": "T1489 - Service Stop", + "reason": "By deleting the bucket policy, an attacker might indirectly cause services depending on that policy to stop functioning correctly, thereby achieving a form of service stop." } ], - "securityImplications": "Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.", - "alerting": [], - "simulation": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "type": "commandLine", - "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012" + "description": "AWS S3 Bucket Configuration Deletion", + "link": "https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute" - }, - { - "eventName": "ReplaceIamInstanceProfileAssociation", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Replaces an IAM instance profile for the specified running instance.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.", + "alerting": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" } ], - "researchLinks": [], - "securityImplications": "Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has 
higher privileges.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa" + "value": "aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy" }, { - "eventName": "RunInstances", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Launches the specified number of instances using an AMI for which you have permissions.", + "eventName": "DeleteObject", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Removes an object from a bucket. The behavior depends on the bucket's versioning state.", "mitreAttackTactics": [ - "TA0003 - Persistence", - "TA0040 - Impact", - "TA0008 - Lateral Movement" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation", - "T1496 - Resource Hijacking", - "T1021 - Remote Services" + "T1485 - Data Destruction" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1070 - Indicator Removal", + "reason": "Deleting an object can be used to remove evidence of prior activity, aiding in evasion of detection and analysis." }, { - "description": "DXC spills AWS private keys on public GitHub", - "link": "https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/" + "technique": "T1562 - Impair Defenses", + "reason": "By deleting logs, configurations, or security-related data stored in S3, attackers can impair defensive mechanisms, reducing the effectiveness of monitoring and alerting systems." 
}, { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "technique": "T1490 - Inhibit System Recovery", + "reason": "By deleting critical backups or data versions in S3, an attacker can inhibit recovery processes, making it difficult to restore systems to their pre-attack state." }, { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting important objects required for system functionality or application performance could result in a denial of service, preventing users from accessing necessary resources or causing system disruptions." }, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1489 - Service Stop", + "reason": "Deleting configuration files or objects critical to the operation of a service hosted in AWS can lead to a service stop, effectively disrupting operations and causing downtime." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" }, { - "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", - "link": "https://sysdig.com/blog/scarleteel-2-0/" + "description": "The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability", + "link": "https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability" }, { - "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", - "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + "description": "20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets", + "link": "https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/" }, { - "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", - "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + "description": "Hacker Puts Hosting Service Code Spaces Out of Business", + "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/" }, { - "description": "Clear and Uncommon Story About Overcoming Issues With AWS", - "link": "https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DeleteObject to erase crucial data from S3 buckets.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "N/A" }, { - "description": "onelogin 2017 Security Incident", - 
"link": "https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident" + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption" }, { - "description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", - "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/" + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion" }, { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion" + } + ], + "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteObject" + }, + { + "eventName": "GetBucketAcl", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By examining the ACL, an attacker can identify accounts or roles that have access to the bucket, which can then be used to gain unauthorized access through valid credentials." 
}, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1589 - Gather Victim Identity Information", + "reason": "By examining the ACL, an attacker could gather information about the identities (users, roles, or accounts) that have access to the bucket, which can be useful in planning further attacks." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [ { - "description": "Launching EC2 instances", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/" - }, + "description": "Public S3 bucket through bucket ACL", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/" + } + ], + "securityImplications": "Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.", + "alerting": [], + "simulation": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, + "type": "commandLine", + "value": "aws s3api get-bucket-acl --bucket TrailDiscoverBucket" + } + ], + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl" + }, + { + "eventName": "GetBucketLogging", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns the logging status of a bucket and the permissions users have to view and modify that status.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + 
"unverifiedMitreAttackTechniques": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "technique": "T1087 - Account Discovery", + "reason": "The API call provides insights into which IAM accounts have permissions to view or modify bucket logging, aiding an attacker in identifying accounts with specific privileges." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" }, { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], - "securityImplications": "Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.", + "researchLinks": [], + "securityImplications": "Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances" + "value": "aws s3api get-bucket-logging --bucket TrailDiscoverBucket" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-RunInstances" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging" }, { - "eventName": "CreateTrafficMirrorFilter", - "eventSource": 
"ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a Traffic Mirror filter.", + "eventName": "GetBucketPolicy", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns the policy of a specified bucket.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1074 - Data Staged" + "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + "technique": "T1078 - Valid Accounts", + "reason": "If an adversary can access a bucket policy, it may provide insights into valid accounts or roles that can be exploited for further access." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By analyzing the bucket policy, an attacker can discover accounts or IAM roles that have access to the S3 bucket, which may help in escalating privileges within the environment." 
} ], - "securityImplications": "Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-traffic-mirror-filter --description 'TCP Filter'" + "value": "aws s3api get-bucket-policy --bucket TrailDiscoverBucket" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy" }, { - "eventName": "DescribeSecurityGroups", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified security groups or all of your security groups.", + "eventName": "GetPublicAccessBlock", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Adversaries might use the GetPublicAccessBlock API call to check for misconfigurations or overly permissive settings in S3 buckets, potentially leading to unauthorized access and exploitation of valid cloud 
accounts." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "Retrieving the PublicAccessBlock configuration can assist attackers in identifying S3 buckets that are misconfigured to allow public access, which may lead to unauthorized access and potential exfiltration of data from cloud storage." + } ], "usedInWild": true, "incidents": [ { - "description": "Case Study: Responding to an Attack in AWS", - "link": "https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.", + "securityImplications": "Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups" + "permissions": "N/A" }, { - "eventName": "CreateTrafficMirrorFilterRule", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates a Traffic Mirror filter rule.", + "eventName": "GetBucketReplication", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns the replication configuration of a bucket.", "mitreAttackTactics": [ - "TA0009 - Collection" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1074 - Data 
Staged" + "T1526 - Cloud Service Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Abusing VPC Traffic Mirroring in AWS", - "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" + "technique": "T1078 - Valid Accounts", + "reason": "Accessing replication configuration details could help an adversary identify which accounts or roles have permissions related to replication, enabling targeted attacks on these accounts for unauthorized access." + }, + { + "technique": "T1036 - Masquerading", + "reason": "With knowledge of the replication setup, an adversary can craft actions that closely mimic legitimate activities, such as modifying replication settings, which helps them evade detection by blending in with normal operations." } ], - "securityImplications": "Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.", + "usedInWild": true, + "incidents": [ + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67" + "value": "aws s3api get-bucket-replication --bucket 
TrailDiscoverBucket" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule" + "permissions": "N/A" }, { - "eventName": "DescribeVpcs", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes one or more of your VPCs.", + "eventName": "GetBucketTagging", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns the tag set associated with the bucket.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "The GetBucketTagging API call can reveal tag information that may indicate domain or organizational trust relationships within AWS, helping adversaries understand the trust boundaries of the bucket." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Tags may include sensitive information or classifications about the data stored in the S3 bucket, aiding attackers in prioritizing which data to exfiltrate or further target." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "ags retrieved from the bucket may contain information about the AWS accounts, IAM roles, or user groups with permissions, which can be used to identify potential targets for credential theft or account takeover." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "The API call might provide insights into user or service accounts associated with the bucket through tags, allowing adversaries to identify accounts that have access to critical resources." 
+ }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Tags could provide information about the owner of the bucket or associated resources, which could help attackers in social engineering or in targeting specific individuals or roles within the organization." + }, + { + "technique": "T1484 - Group Policy Discovery", + "reason": "Tags could indicate group-like configurations or policies associated with buckets, such as those related to access control or data management, offering insights into how resources are managed or accessed." + } ], "usedInWild": true, "incidents": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.", + "securityImplications": "Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId" + "value": "aws s3api get-bucket-tagging --bucket TrailDiscoverBucket" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging" }, { - "eventName": "AttachVolume", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.", + "eventName": "GetBucketVersioning", + 
"eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns the versioning state of a bucket.", "mitreAttackTactics": [ - "TA0008 - Lateral Movement" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1021 - Remote Services" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Understanding the versioning and MFA Delete status allows attackers to potentially collect older or deleted versions of data, which might not be available in a non-versioned setup." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers with valid accounts (e.g., those who have compromised credentials) may use this API call to gather information that could further their goals, such as determining the best method to evade detection or exfiltrate data." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "The versioning status of a bucket might indicate the presence of multiple versions of stored data, which attackers could access and collect as part of their broader objective of gathering information from cloud storage." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.", + "securityImplications": "Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName" + "value": "aws s3api get-bucket-versioning --bucket TrailDiscoverBucket" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning" }, { - "eventName": "ImportKeyPair", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.", + "eventName": "GetObject", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Retrieves an object from Amazon S3.", "mitreAttackTactics": [ - "TA0003 - Persistence" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1048 - Exfiltration Over Alternative Protocol" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "The GetObject API call is used to retrieve data from specific objects 
within S3 buckets, making it essential for adversaries collecting data from cloud storage." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The GetObject operation can be invoked over HTTPS, which is a common method for communicating with AWS services and could be used to exfiltrate data covertly." + }, + { + "technique": "T1074 - Data Staged", + "reason": "The GetObject operation might be part of a process where data is retrieved and temporarily stored (staged) before further processing or exfiltration." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Retrieving an object that contains tools or scripts via GetObject can be part of a lateral movement strategy, where tools are transferred between compromised systems." + } ], "usedInWild": true, "incidents": [ { - "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", - "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Incident 2 - Additional details of the attack", + "link": "https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus" + }, + { + "description": "Aruba Central Security Incident", + "link": "https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/" }, { - "description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", - "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/" + "description": "Sendtech Pte. 
Ltd", + "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en" }, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "GotRoot! AWS root Account Takeover", + "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" + }, + { + "description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", + "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach" + }, + { + "description": "Chegg, Inc", + "link": "https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf" + }, + { + "description": "Scattered Spider Attack Analysis", + "link": "https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/" + }, + { + "description": "Enumerate AWS Account ID from a Public S3 Bucket", + "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/" + }, + { + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" } ], "researchLinks": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + "description": "Data Exfiltration through S3 Server Access Logs", + "link": "https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/" + }, + { + "description": "S3 Streaming Copy", + "link": "https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/" } ], - "securityImplications": "Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized 
access.", + "securityImplications": "Attackers might use GetObject to download data from S3 buckets.", "alerting": [], "simulation": [ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetObject" }, { - "eventName": "DescribeBundleTasks", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified bundle tasks or all of your bundle tasks.", + "eventName": "HeadObject", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "The HEAD operation retrieves metadata from an object without returning the object itself.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1619 - Cloud Storage Object Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.", - "alerting": [], - "simulation": [ + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "The HeadObject API call helps verify the existence of data in S3 buckets, allowing attackers to 
understand what data is available for transfer or collection." + }, { - "type": "commandLine", - "value": "aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId" + "technique": "T1087 - Account Discovery", + "reason": "Attackers may use HeadObject to discover information about objects in S3 buckets, which can help identify sensitive accounts or resources within a cloud environment." + }, + { + "technique": "T1083 - File and Directory Discovery", + "reason": "This API call provides metadata about objects, helping attackers discover the organization and structure of files stored in S3, facilitating further actions." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "The operation assists in identifying which specific cloud storage objects might contain valuable data for exfiltration." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By accessing metadata, attackers can infer details about the cloud infrastructure, such as object creation dates, storage classes, and more, providing insights into the environment's configuration." + }, + { + "technique": "T1557 - Service Discovery", + "reason": "The ability to query metadata from S3 objects can help attackers gather information about the usage and configuration of cloud services, potentially revealing misconfigurations or security weaknesses." 
} ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks" - }, - { - "eventName": "DescribeAccountAttributes", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes attributes of your AWS account.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], "usedInWild": true, "incidents": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.", + "securityImplications": "Attackers might use HeadObject to gather metadata about sensitive files stored in S3.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-account-attributes --attribute-names TrailDiscoverAttribute" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes" + "permissions": "N/A" }, { - "eventName": "DescribeVolumes", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the specified EBS volumes or all of your EBS volumes.", + "eventName": "JobCreated", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - 
"incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.", - "alerting": [], - "simulation": [ + "technique": "T1560 - Archive Collected Data", + "reason": "An attacker could use the S3 Batch Operations to aggregate and compress large amounts of data for exfiltration, creating a job that is recorded as a JobCreated event." + }, { - "type": "commandLine", - "value": "aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId" + "technique": "T1074 - Data Staged", + "reason": "The JobCreated event indicates that data could be staged in an S3 bucket, possibly in preparation for further actions such as exfiltration." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The job creation could be part of an automated process designed to move data out of the environment, with minimal manual intervention required once set up." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "A JobCreated event could be used to transfer tools or scripts into the environment, using S3 as a storage mechanism before execution." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The Batch Operations job may involve communication over standard protocols (like HTTPS) for command and control, making it harder to detect malicious activity." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers may manipulate or create new accounts with the necessary permissions to execute Batch Operations jobs, facilitating unauthorized data access or exfiltration." 
} ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes" - }, - { - "eventName": "DescribeInstanceTypes", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the details of the instance types that are offered in a location.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], - "usedInWild": true, - "incidents": [ + "usedInWild": false, + "incidents": [], + "researchLinks": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "description": "Exfiltrating S3 Data with Bucket Replication Policies", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.", + "securityImplications": "Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes" + "permissions": "N/A" }, { - "eventName": "DescribeClientVpnRoutes", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Describes the routes for the specified Client VPN endpoint.", + "eventName": "ListBuckets", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns a list of all buckets owned by the authenticated sender of the request.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1526 - Cloud Service 
Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "he ListBuckets API call helps identify the scope of an AWS account by revealing all S3 buckets owned by the account, giving insight into the account's cloud resources." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Once buckets are listed, attackers can target specific buckets for data extraction, which is critical for both understanding and potentially exfiltrating data stored in the cloud." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The ability to list buckets verifies that the credentials used have sufficient permissions, which can inform the attacker about the level of access they have and what actions they can perform." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "By listing buckets, attackers can gather information about the organization of data and system configurations within the cloud environment, indirectly giving insight into how the cloud infrastructure is managed." 
+ } ], "usedInWild": true, "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", + "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/" + }, + { + "description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", + "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/" + }, + { + "description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", + "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach" + }, + { + "description": "Enumerate AWS Account ID from a Public S3 Bucket", + "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/" + }, { "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + }, + { + "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes that could be exploited for network access.", - "alerting": [], - "simulation": [ + "researchLinks": [ { - "type": "commandLine", - "value": "aws ec2 describe-client-vpn-routes 
--client-vpn-endpoint-id cvpn-endpoint-123456789123abcde" + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes" - }, - { - "eventName": "GetLaunchTemplateData", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Retrieves the configuration data of the specified instance. You can use this data to create a launch template.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" - ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.", + "alerting": [ { - "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", - "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId" + "value": "aws s3api list-buckets --query \"Buckets[].Name\"" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData" + "permissions": "N/A" }, { - "eventName": "CreateImage", - "eventSource": 
"ec2.amazonaws.com", - "awsService": "EC2", - "description": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.", + "eventName": "ListObjects", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Returns some or all (up to 1,000) of the objects in a bucket.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1619 - Cloud Storage Object Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1083 - File and Directory Discovery", + "reason": "Even though directory buckets are not supported, ListObjects allows an attacker to discover the contents and structure of an S3 bucket by listing objects." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "The ListObjects call enables the retrieval of data stored within S3 buckets, which are often utilized as information repositories." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", + "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/" + }, + { + "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" } ], "researchLinks": [], - "securityImplications": "Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys", + "securityImplications": "Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \"TrailDiscoverImageName\" --description \"TrailDiscoverImageDescription\"" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateImage" + "permissions": "N/A" }, { - "eventName": "AuthorizeSecurityGroupEgress", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Adds the specified outbound (egress) rules to a security group.", + "eventName": "ListVaults", + "eventSource": "glacier.amazonaws.com", + "awsService": "S3", + "description": "This operation lists all vaults owned by the calling user\u2019s account.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - 
"T1048 - Exfiltration Over Alternative Protocol" + "T1619 - Cloud Storage Object Discovery" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Trouble in Paradise", - "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" - } - ], - "researchLinks": [], - "securityImplications": "Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.", - "alerting": [ + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "The ListVaults API call is used to enumerate all vaults within S3 Glacier, which could help an attacker identify potential storage locations for exfiltration." + }, { - "type": "cloudwatchCISControls", - "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10" - } - ], - "simulation": [ + "technique": "T1087 - Account Discovery", + "reason": "Listing vaults provides insight into the structure and ownership of cloud storage resources, which can be useful for discovering cloud accounts and identifying valuable targets." + }, { - "type": "commandLine", - "value": "aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'" + "technique": "T1213 - Data from Information Repositories", + "reason": "The API call can be used to list and access data stored in vaults, which may be part of broader data collection or exfiltration efforts." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Understanding the vaults associated with an account can inform attackers about which accounts manage sensitive data, potentially guiding further credential access attempts." 
} ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress" - }, - { - "eventName": "SendSerialConsoleSSHPublicKey", - "eventSource": "ec2-instance-connect.amazonaws.com", - "awsService": "EC2InstanceConnect", - "description": "Pushes an SSH public key to the specified EC2 instance.", - "mitreAttackTactics": [ - "TA0008 - Lateral Movement" - ], - "mitreAttackTechniques": [ - "T1021 - Remote Services" - ], "usedInWild": true, "incidents": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" - }, - { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" }, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" } ], "researchLinks": [], - "securityImplications": "Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", + "securityImplications": "Attackers might use ListVaults to identify data such as archived training data or related datasets.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "N/A" + "value": "aws glacier list-vaults --account-id -" } ], - "permissions": 
"https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey" + "permissions": "https://aws.permissions.cloud/iam/glacier#glacier-ListVaults" }, { - "eventName": "ModifyImageAttribute", - "eventSource": "ec2.amazonaws.com", - "awsService": "EC2", - "description": "Modifies the specified attribute of the specified AMI.", + "eventName": "PutBucketAcl", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Sets the permissions on an existing bucket using access control lists (ACL).", "mitreAttackTactics": [ "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1048 - Exfiltration Over Alternative Protocol" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Adjusting the ACL to include additional accounts or groups can provide persistent access to unauthorized entities, allowing the adversary to maintain control over the resource." + }, + { + "technique": "T1548 - Abuse Elevation Control Mechanism", + "reason": "By setting the ACL with more permissive controls, an attacker could elevate their access privileges, gaining the ability to perform actions beyond their intended scope." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying ACLs can be used to prevent security tools or monitoring from detecting malicious actions by restricting access to logging or alerting services." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Changing ACLs can serve to obscure evidence of unauthorized access or changes by modifying who has visibility into the bucket, thereby evading detection." + }, + { + "technique": "T1036 - Masquerading", + "reason": "An attacker can alter the ACL to make unauthorized access appear as legitimate traffic, thus avoiding suspicion and detection." 
+ }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Adjusting the ACL could be used to remove legitimate access to a bucket, effectively denying access to authorized users while maintaining control over the resource." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The ability to modify ACLs directly correlates with manipulating which accounts have what level of access to a resource, aligning with broader account manipulation strategies." + }, + { + "technique": "T1199 - Trusted Relationship", + "reason": "If an attacker modifies ACLs to include entities that are typically trusted, this can facilitate initial access through a trusted relationship, leveraging the trust model to gain unauthorized access." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS AMI Atttribute Modification for Exfiltration", - "link": "https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/" + "description": "AWS S3 Bucket ACL made public", + "link": "https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/" + } + ], + "securityImplications": "Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" } ], - "securityImplications": "Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami" + 
"value": "aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl" } ], - "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl" }, { - "eventName": "ModifyDBSnapshotAttribute", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.", + "eventName": "PutBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1485 - Data Destruction" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Imperva Security Update", - "link": "https://www.imperva.com/blog/ceoblog/" + "technique": "T1562 - Impair Defenses", + "reason": "An attacker could manipulate lifecycle configurations to delete, transition, or obscure data, effectively impairing defensive mechanisms by reducing the visibility or availability of critical data." }, { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Manipulating lifecycle configurations could facilitate the movement of data to different storage locations or accounts, enabling data exfiltration or staging of information." 
+ }, + { + "technique": "T1486 - Data Encrypted for Impact", + "reason": "Lifecycle configurations could be altered to move data into encrypted storage, rendering it inaccessible as a form of impact, effectively denying access to the legitimate users." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "An attacker might adjust lifecycle configurations to archive or obscure files, making them harder to detect or stage them for later exfiltration, thus evading detection." } ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Stealing an RDS database by creating a snapshot and sharing it", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/" + "description": "USA VS Nickolas Sharp", + "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl" }, { - "description": "Hunting AWS RDS security events with Sysdig", - "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" } ], - "securityImplications": "Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd" + 
"value": "aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\"Rules\":[{\"ID\":\"\",\"Status\": \"Enabled\", \"Prefix\": \"TrailDiscover/\"}]}'" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute" + "permissions": "N/A" }, { - "eventName": "AuthorizeDBSecurityGroupIngress", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Enables ingress to a DBSecurityGroup using one of two forms of authorization.", + "eventName": "PutBucketPolicy", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Applies an Amazon S3 bucket policy to an Amazon S3 bucket.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure" + "T1048 - Exfiltration Over Alternative Protocol" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "A malicious policy could allow an attacker to exfiltrate data from an S3 bucket to an external location." 
}, { - "description": "Hunting AWS RDS security events with Sysdig", - "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" - } - ], - "securityImplications": "Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.", - "alerting": [], - "simulation": [ + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "An attacker might leverage the modified bucket policy to maintain access via alternate authentication methods, such as session tokens or identity federation mechanisms." + }, { - "type": "commandLine", - "value": "aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP" + "technique": "T1531 - Account Access Removal", + "reason": "Attackers can modify a bucket policy to revoke access from certain users or roles, making it difficult for legitimate users to regain control over the resource." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Modifying the bucket policy can directly alter the permissions and access rights of various accounts, effectively manipulating who has control over the S3 resources." } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress" - }, - { - "eventName": "DeleteGlobalCluster", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Deletes a global database cluster. 
The primary and secondary clusters must already be detached or destroyed first.", - "mitreAttackTactics": [ - "TA0040 - Impact" - ], - "mitreAttackTechniques": [ - "T1485 - Data Destruction" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS Deletion of RDS Instance or Cluster", - "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html" + "description": "Detecting and removing risky actions out of your IAM security policies", + "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" + } + ], + "securityImplications": "Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.", + "alerting": [ + { + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" } ], - "securityImplications": "Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier" + "value": "aws s3api put-bucket-policy --bucket TrailDiscover --policy {}" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy" }, { - "eventName": "DeleteDBCluster", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "The DeleteDBCluster action deletes a previously provisioned DB cluster.", + "eventName": "PutBucketReplication", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Creates a replication configuration or 
replaces an existing one.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1098 - Account Manipulation", + "reason": "The ability to modify or create replication configurations can be used to ensure that critical data is continuously replicated to an attacker-controlled bucket, maintaining persistence even if access controls are modified or removed." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "An attacker could misuse the replication configuration to redirect logs or other monitoring data away from security tools, effectively evading detection and disabling defenses." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "By setting up replication to an external or unauthorized S3 bucket, an attacker can automatically exfiltrate data, transferring large volumes without direct manual intervention." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Hunting AWS RDS security events with Sysdig", - "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" - }, + "description": "Exfiltrating S3 Data with Bucket Replication Policies", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + } + ], + "securityImplications": "Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.", + "alerting": [ { - "description": "AWS Deletion of RDS Instance or Cluster", - "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html" + "type": "cloudwatchCISControls", + "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8" } ], - "securityImplications": "Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster" + "value": "aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\"Role\":\"\",\"Rules\":[]}'" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster" + "permissions": "N/A" }, { - "eventName": "StartExportTask", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Starts an export of DB snapshot or DB cluster data to Amazon S3.", + "eventName": "PutBucketVersioning", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Sets the versioning state of an existing bucket.", "mitreAttackTactics": [ + "TA0040 - Impact", "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ + "T1490 - Inhibit System Recovery", "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": false, - "incidents": [], + 
"mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "If an attacker suspends versioning, they could delete IAM policies or credentials stored in S3, making recovery of previous versions impossible, thereby preventing account recovery." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker might disable versioning or enable it without MFA Delete, which allows them to delete or overwrite objects in a way that removes evidence of their activity, complicating forensic investigation." + }, + { + "technique": "T1488 - Data Destruction", + "reason": "If an attacker sets an object expiration lifecycle in a version-enabled bucket and suspends versioning, they could effectively destroy all noncurrent object versions over time, leading to the loss of data." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + } + ], "researchLinks": [ { - "description": "AWS - RDS Post Exploitation", - "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation" + "description": "Exfiltrating S3 Data with Bucket Replication Policies", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + } + ], + "securityImplications": "Attackers might set the versioning to 'Suspended' before deleting data. 
Attackers might enable versioning to add bucket replication to exfiltrate data.", + "alerting": [ + { + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml" } ], - "securityImplications": "Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.", - "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff" + "value": "aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-StartExportTask" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning" }, { - "eventName": "DeleteDBInstance", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Deletes a previously provisioned DB instance.", + "eventName": "PutObject", + "eventSource": "s3.amazonaws.com", + "awsService": "S3", + "description": "Adds an object to a bucket.", "mitreAttackTactics": [ "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1485 - Data Destruction" + "T1565 - Data Manipulation" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1074 - Data Staged", + "reason": "The PutObject API call can be used to store objects in S3 as a staging area for data that might be collected or processed before exfiltration or further use." 
+ }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Attackers can use PutObject to overwrite existing objects with benign data or to modify metadata, helping to conceal malicious activity by removing indicators of compromise within cloud storage." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "The PutObject API can be used to transfer tools or malicious binaries into an S3 bucket, facilitating their retrieval and execution elsewhere in the environment." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers could upload objects with names or metadata that mimic legitimate files using the PutObject API, making malicious content harder to detect." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "The PutObject API could be used to overwrite critical objects, leading to data loss or destruction, particularly if previous versions are not preserved." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers can use PutObject to upload files containing hidden or obfuscated data (e.g., within images), supporting defense evasion." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Objects added to an S3 bucket via PutObject can be used to transfer tools or payloads across different cloud environments, supporting lateral movement within compromised infrastructure." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "description": "Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020", + "link": "https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020" + }, + { + "description": "LA Times homicide website throttles cryptojacking attack", + "link": "https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack" } ], "researchLinks": [], - "securityImplications": "Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.", + "securityImplications": "Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance" + "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutObject" }, { - "eventName": "CreateDBSecurityGroup", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Creates a new DB security group. 
DB security groups control access to a DB instance.", + "eventName": "DescribeSecret", + "eventSource": "secretsmanager.amazonaws.com", + "awsService": "SecretsManager", + "description": "Retrieves the details of a secret.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0006 - Credential Access" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1555 - Credentials from Password Stores" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", - "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf" + "technique": "T1087 - Account Discovery", + "reason": "The API call could reveal metadata about the secret, including associated AWS accounts or services, contributing to account discovery." }, { - "description": "Hunting AWS RDS security events with Sysdig", - "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/" + "technique": "T1552 - Unsecured Credentials", + "reason": "Although the secret value is not retrieved, the API may still provide information about the existence and purpose of certain credentials, which could be used to find unsecured credentials elsewhere" + }, + { + "technique": "T1580 - Cloud Storage Object Discovery", + "reason": "Information revealed by the API could point to cloud storage objects associated with the secret, helping to identify and potentially target cloud resources." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Metadata obtained might give clues about the existence of valid accounts, which could be useful in further attempts to gain unauthorized access." 
+ }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Even without the secret value, information from the API could reveal details about data repositories or services that are secured by the secret, which could be exploited in further attacks." } ], - "securityImplications": "Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.", + "usedInWild": true, + "incidents": [ + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription" + "value": "aws secretsmanager describe-secret --secret-id TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup" + "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret" }, { - "eventName": "CreateDBSnapshot", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - "description": "Creates a snapshot of a DB instance.", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "awsService": "SecretsManager", + "description": "Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.", "mitreAttackTactics": [ - "TA0010 - Exfiltration" + "TA0006 - Credential Access" ], "mitreAttackTechniques": [ - "T1537 - Transfer Data to Cloud Account" + "T1555 - Credentials from Password Stores" ], - "usedInWild": true, - "incidents": [ + 
"mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", - "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + "technique": "T1078 - Valid Accounts", + "reason": "Attackers can use retrieved secrets to log into cloud accounts or services, expanding their control over the cloud environment." }, { - "description": "New tactics and techniques for proactive threat detection", - "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Accessing secrets via GetSecretValue provides insights into cloud resource configurations and other details useful for discovering and mapping the cloud infrastructure." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving secrets may give attackers information about the system, such as environment configurations, which helps them understand the environment they are targeting." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Stealing an RDS database by creating a snapshot and sharing it", - "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/" + "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", + "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + }, + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], - "securityImplications": "Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.", + "researchLinks": [], + "securityImplications": "Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot" + "value": "aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot" + "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue" }, { - "eventName": "ModifyActivityStream", - "eventSource": "rds.amazonaws.com", - "awsService": "RDS", - 
"description": "Changes the audit policy state of a database activity stream to either locked (default) or unlocked.", + "eventName": "ListSecrets", + "eventSource": "secretsmanager.amazonaws.com", + "awsService": "SecretsManager", + "description": "Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0006 - Credential Access" ], "mitreAttackTechniques": [ - "T1578 - Modify Cloud Compute Infrastructure" + "T1555 - Credentials from Password Stores" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The ListSecrets API call allows an attacker to enumerate stored secrets within the AWS environment, facilitating discovery of sensitive information or configurations." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "An attacker listing secrets might identify credentials stored within Secrets Manager, which could lead to unauthorized access if those credentials are not properly secured or rotated." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By listing secrets, an attacker could discover credentials for valid accounts stored in Secrets Manager, which could then be used to gain unauthorized access to services or resources." + }, + { + "technique": "T1036 - Masquerading", + "reason": "An attacker could use discovered secrets to masquerade as legitimate tasks or services, blending in with normal operations to avoid detection." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response", - "link": "https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" + }, + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], "researchLinks": [], - "securityImplications": "Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.", + "securityImplications": "Attackers might use ListSecrets to list all the secrets and potentially access to them later.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws rds modify-activity-stream" + "value": "aws secretsmanager list-secrets" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets" } ], - "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream" + "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets" }, { - "eventName": "CreateDevEndpoint", - 
"eventSource": "glue.amazonaws.com", - "awsService": "Glue", - "description": "Creates a new development endpoint.", + "eventName": "DeleteMembers", + "eventSource": "securityhub.amazonaws.com", + "awsService": "SecurityHub", + "description": "Deletes the specified member accounts from Security Hub.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ - { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" - } + "T1562 - Impair Defenses" ], - "securityImplications": "Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.", - "alerting": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" - } - ], - "simulation": [ + "technique": "T1070 - Indicator Removal", + "reason": "Deleting invited member accounts might be used to cover tracks by eliminating evidence of prior monitoring or alerts associated with those accounts." + }, { - "type": "commandLine", - "value": "aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover" + "technique": "T1531 - Account Access Removal", + "reason": "Deleting member accounts can serve as a way to remove or prevent access to security services and monitoring, effectively denying those accounts access to critical security insights." 
} ], - "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint" - }, - { - "eventName": "UpdateJob", - "eventSource": "glue.amazonaws.com", - "awsService": "Glue", - "description": "Updates an existing job definition.", - "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" - ], - "mitreAttackTechniques": [ - "T1098 - Account Manipulation" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "AWS CloudTrail cheat sheet", + "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet" + }, + { + "description": "AWS Incident Response", + "link": "https://easttimor.github.io/aws-incident-response/" } ], - "securityImplications": "Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.", + "securityImplications": "Attackers might use DeleteMembers to remove specific members from the SecurityHub, disrupting security management and monitoring.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws glue update-job --job-name TrailDiscoverJob --job-update '{\"Role\": \"TrailDiscoverRole\", \"Command\": {\"Name\": \"glueetl\", \"ScriptLocation\": \"s3://mybucket/myscript.py\"}}'" + "value": "aws securityhub delete-members --account-ids TrailDiscoverAccountIds" } ], - "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateJob" + "permissions": "https://aws.permissions.cloud/iam/securityhub#securityhub-DeleteMembers" }, { - "eventName": "CreateJob", - "eventSource": "glue.amazonaws.com", - "awsService": "Glue", - "description": "Creates a new job definition.", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns a set of temporary security credentials that you can use to access AWS resources.", 
"mitreAttackTactics": [ + "TA0001 - Initial Access", + "TA0003 - Persistence", "TA0004 - Privilege Escalation" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1199 - Trusted Relationship", + "T1078 - Valid Accounts" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Trouble in Paradise", + "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "Role Chain Juggling", + "link": "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/" + }, + { + "description": "Detecting and removing risky actions out of your IAM security policies", + "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" } ], - "securityImplications": "Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.", + "securityImplications": "Attackers might use AssumeRole to gain unauthorized access to an AWS role. 
This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\"--job-language\": \"python\"}'" + "value": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateJob" + "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRole" }, { - "eventName": "UpdateDevEndpoint", - "eventSource": "glue.amazonaws.com", - "awsService": "Glue", - "description": "Updates a specified development endpoint.", + "eventName": "AssumeRoleWithSAML", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.", "mitreAttackTactics": [ - "TA0004 - Privilege Escalation" + "TA0001 - Initial Access" ], "mitreAttackTechniques": [ - "T1098 - Account Manipulation" + "T1199 - Trusted Relationship" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The AssumeRoleWithSAML API call allows attackers to use valid SAML assertions to gain temporary access to AWS resources, enabling them to gain initial access, maintain persistence, or escalate privileges." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Since SAML authentication typically uses web-based protocols, attackers can use the AssumeRoleWithSAML API call to blend in with legitimate web traffic, making their actions harder to detect." 
+ }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "By using SAML tokens via the AssumeRoleWithSAML API, attackers can authenticate to AWS services without traditional credentials, assisting in defense evasion." + } ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "AWS IAM Privilege Escalation Techniques", - "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/" + "description": "AWS - STS Privesc", + "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc" } ], - "securityImplications": "Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.", + "securityImplications": "Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.", "alerting": [ { "type": "sigma", - "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" } ], "simulation": [ { "type": "commandLine", - "value": "aws glue update-dev-endpoint --endpoint-name TrailDiscover" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint" + "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML" }, { - "eventName": "SendCommand", - "eventSource": "ssm.amazonaws.com", - "awsService": "SSM", - "description": "Runs commands on one or more managed nodes.", + "eventName": "AssumeRoleWithWebIdentity", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.", "mitreAttackTactics": [ - "TA0008 
- Lateral Movement", - "TA0002 - Execution" + "TA0001 - Initial Access", + "TA0008 - Lateral Movement" ], "mitreAttackTechniques": [ - "T1021 - Remote Services", - "T1651 - Cloud Administration Command" + "T1199 - Trusted Relationship", + "T1550 - Use Alternate Authentication Material" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "technique": "T1078 - Valid Accounts", + "reason": "The AssumeRoleWithWebIdentity API allows an attacker to gain valid temporary AWS credentials through a web identity provider, enabling them to access AWS services with authenticated permissions." }, { - "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", - "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" + "technique": "T1505 - Server Software Component", + "reason": "If an attacker has compromised a web application, they can use the AssumeRoleWithWebIdentity API to escalate privileges or maintain persistence by obtaining temporary credentials." 
} ], + "usedInWild": false, + "incidents": [], "researchLinks": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" - }, - { - "description": "Run Shell Commands on EC2 with Send Command or Session Manager", - "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/" - }, - { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk", + "link": "https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/" } ], - "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.", + "securityImplications": "Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ssm send-command --instance-ids \"TrailDiscoverInstanceID\" --document-name \"AWS-RunShellScript\" --parameters commands=ls --output text" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command" + "value": "N/A" } ], - "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-SendCommand" + "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity" }, { - "eventName": "GetParameters", - "eventSource": "ssm.amazonaws.com", - "awsService": "SSM", - "description": "Get information about one or more parameters by specifying multiple parameter names.", + "eventName": "GetCallerIdentity", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns details about the IAM user or role whose credentials are used 
to call the operation.", "mitreAttackTactics": [ - "TA0007 - Discovery", - "TA0006 - Credential Access" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery", - "T1552 - Unsecured Credentials" + "T1087 - Account Discovery" ], - "usedInWild": false, - "incidents": [], - "researchLinks": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Detecting and removing risky actions out of your IAM security policies", - "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/" - } - ], - "securityImplications": "Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.", - "alerting": [], - "simulation": [ + "technique": "T1082 - System Information Discovery", + "reason": "The GetCallerIdentity API call provides detailed information about the IAM user or role making the request, enabling an attacker to understand the current access context and tailor subsequent actions based on available permissions." + }, { - "type": "commandLine", - "value": "aws ssm get-parameters --names TrailDiscoverParameters" + "technique": "T1078 - Valid Accounts", + "reason": "By successfully calling GetCallerIdentity, an attacker can confirm that a set of credentials is valid and active, which is essential for leveraging these credentials to access additional resources within the AWS environment." }, { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters" + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "Attackers can use stolen or compromised credentials to invoke GetCallerIdentity, verifying the legitimacy and scope of these credentials without needing specific permissions, aiding in maintaining unauthorized access." 
+ }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The information retrieved can help map out aspects of the cloud environment, such as account numbers and associated roles, providing insight necessary for further reconnaissance and targeted attacks." } ], - "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-GetParameters" - }, - { - "eventName": "StartSession", - "eventSource": "ssm.amazonaws.com", - "awsService": "SSM", - "description": "Initiates a connection to a target (for example, a managed node) for a Session Manager session.", - "mitreAttackTactics": [ - "TA0008 - Lateral Movement", - "TA0002 - Execution" - ], - "mitreAttackTechniques": [ - "T1021 - Remote Services", - "T1651 - Cloud Administration Command" - ], "usedInWild": true, "incidents": [ { - "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", - "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "GotRoot! 
AWS root Account Takeover", + "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1" + }, + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/" + }, + { + "description": "Detecting AI resource-hijacking with Composite Alerts", + "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], "researchLinks": [ { - "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", - "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" }, { - "description": "Run Shell Commands on EC2 with Send Command or Session Manager", - "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/" + "description": "New attack vectors in EKS", + "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features" + }, + { + "description": "Enumerate AWS Account ID from an EC2 Instance", + "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/" } ], - "securityImplications": "Attackers might use StartSession to gain 
unauthorized access to managed instances.", + "securityImplications": "Attackers might use GetCallerIdentity to know what user or role are they using. This request does not need any permission.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ssm start-session --target TrailDiscoverTarget" + "value": "aws sts get-caller-identity" }, { "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session" + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials" } ], - "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-StartSession" + "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity" }, { - "eventName": "DescribeInstanceInformation", - "eventSource": "ssm.amazonaws.com", - "awsService": "SSM", - "description": "Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.", + "eventName": "GetFederationToken", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0003 - Persistence" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1078 - Valid Accounts" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "The temporary credentials 
provided by GetFederationToken can serve as alternate authentication tokens, enabling access to various AWS services without relying on long-term credentials, thereby aiding in defense evasion." + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "An attacker with access to the credentials of an IAM user could exploit GetFederationToken to generate new credentials, which can be used to escalate their privileges or access other resources." + }, + { + "technique": "T1134 - Access Token Manipulation", + "reason": "Similar to manipulating access tokens, attackers can use GetFederationToken to create temporary sessions that spoof legitimate access patterns, aiding in evasion and unauthorized access." } ], - "researchLinks": [], - "securityImplications": "Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.", - "alerting": [], - "simulation": [ + "usedInWild": true, + "incidents": [ { - "type": "commandLine", - "value": "aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds" + "description": "How Adversaries Can Persist with AWS User Federation", + "link": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" + }, + { + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" + }, + { + "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)", + "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf" } ], - "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation" - }, - { - "eventName": "ResumeSession", - "eventSource": "ssm.amazonaws.com", - 
"awsService": "SSM", - "description": "Reconnects a session to a managed node after it has been disconnected.", - "mitreAttackTactics": [ - "TA0008 - Lateral Movement", - "TA0002 - Execution" - ], - "mitreAttackTechniques": [ - "T1021 - Remote Services", - "T1651 - Cloud Administration Command" - ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "Attack Paths Into VMs in the Cloud", - "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" + "description": "Create a Console Session from IAM Credentials", + "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/" + }, + { + "description": "Survive Access Key Deletion with sts:GetFederationToken", + "link": "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/" } ], - "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.", + "securityImplications": "Attackers might use GetFederationToken to gain temporary access credentials.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws ssm resume-session --session-id TrailDiscoverTarget" + "value": "aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy" } ], - "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession" + "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetFederationToken" }, { - "eventName": "CreateEmailIdentity", - "eventSource": "ses.amazonaws.com", - "awsService": "SES", - "description": "Starts the process of verifying an email identity. 
An identity is an email address or domain that you use when you send email.", + "eventName": "GetSessionToken", + "eventSource": "sts.amazonaws.com", + "awsService": "STS", + "description": "Returns a set of temporary credentials for an AWS account or IAM user.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0001 - Initial Access" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1199 - Trusted Relationship" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The GetSessionToken API call generates temporary credentials that can be used as valid accounts, allowing an adversary to bypass certain security measures by leveraging these temporary credentials." + }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "The temporary credentials from GetSessionToken can act as alternative authentication material, enabling attackers to maintain access without the need to use the compromised long-term credentials again, thus evading certain detection mechanisms." 
+ } ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "New tactics and techniques for proactive threat detection", + "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf" } ], - "researchLinks": [], - "securityImplications": "Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.", - "alerting": [], - "simulation": [ + "researchLinks": [ { - "type": "commandLine", - "value": "aws sesv2 create-email-identity --email-identity cloudtrail.cloud" + "description": "AWS STS GetSessionToken Abuse", + "link": "https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html" } ], - "permissions": "https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity" - }, - { - "eventName": "GetIdentityVerificationAttributes", - "eventSource": "ses.amazonaws.com", - "awsService": "SES", - "description": "Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.", - "mitreAttackTactics": [ - "TA0007 - Discovery" - ], - "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" - ], - "usedInWild": true, - "incidents": [ + "securityImplications": "Attackers might use GetSessionToken to obtain temporary access credentials.", + "alerting": [ { - "description": "SES-PIONAGE", - "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" + "type": "sigma", + "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email 
addresses and domains.",
- "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity"
+ "value": "aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes"
+ "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetSessionToken"
 },
 {
- "eventName": "UpdateAccountSendingEnabled",
- "eventSource": "ses.amazonaws.com",
- "awsService": "SES",
- "description": "Enables or disables email sending across your entire Amazon SES account in the current AWS Region.",
+ "eventName": "ListServiceQuotas",
+ "eventSource": "servicequotas.amazonaws.com",
+ "awsService": "ServiceQuotas",
+ "description": "Lists the applied quota values for the specified AWS service.",
 "mitreAttackTactics": [
- "TA0040 - Impact"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1496 - Resource Hijacking"
+ "T1087 - Account Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Listing service quotas provides detailed information about the configuration and resource limits within an AWS environment. This information helps attackers understand the system's structure, enabling them to identify potential areas for exploitation or further reconnaissance."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Filtering by account or resource level when retrieving quotas may expose details about which permissions are associated with different accounts or roles."
+ },
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "Listing quotas can reveal which AWS services are in use and their configurations, helping attackers map out the environment and understand what services are available."
+ }
 ],
 "usedInWild": true,
 "incidents": [
 {
- "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
- "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+ "description": "Ransomware in the cloud",
+ "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
 },
 {
 "description": "SES-PIONAGE",
 "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"
 }
 ],
- "researchLinks": [],
- "securityImplications": "Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.",
- "alerting": [],
- "simulation": [
- {
- "type": "commandLine",
- "value": "aws ses update-account-sending-enabled"
- }
- ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled"
- },
- {
- "eventName": "GetAccountSendingEnabled",
- "eventSource": "ses.amazonaws.com",
- "awsService": "SES",
- "description": "Returns the email sending status of the Amazon SES account for the current Region.",
- "mitreAttackTactics": [
- "TA0007 - Discovery"
- ],
- "mitreAttackTechniques": [
- "T1087 - Account Discovery"
- ],
- "usedInWild": false,
- "incidents": [],
 "researchLinks": [
 {
- "description": "SES-PIONAGE",
- "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"
+ "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild",
+ "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"
 }
 ],
- "securityImplications": "Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.",
+ "securityImplications": "Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ses get-account-sending-enabled"
+ "value": "aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled"
+ "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas"
 },
 {
- "eventName": "ListIdentities",
- "eventSource": "ses.amazonaws.com",
- "awsService": "SES",
- "description": "Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.",
+ "eventName": "RequestServiceQuotaIncrease",
+ "eventSource": "servicequotas.amazonaws.com",
+ "awsService": "ServiceQuotas",
+ "description": "Submits a quota increase request for the specified quota at the account or resource level.",
 "mitreAttackTactics": [
- "TA0007 - Discovery"
+ "TA0040 - Impact"
 ],
 "mitreAttackTechniques": [
- "T1087 - Account Discovery"
+ "T1496 - Resource Hijacking"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1583 - Acquire Infrastructure",
+ "reason": "The API allows for requesting additional resources, enabling the attacker to develop infrastructure needed for further malicious activities."
+ }
 ],
 "usedInWild": true,
 "incidents": [
@@ -9357,94 +14487,91 @@
 "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
 },
 {
- "description": "Ransomware in the cloud",
- "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
- },
- {
- "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
- "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
- },
- {
- "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
- "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
- },
- {
- "description": "SES-PIONAGE",
- "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"
- }
- ],
- "researchLinks": [
- {
- "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild",
- "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"
+ "description": "Incident report: From CLI to console, chasing an attacker in AWS",
+ "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"
 }
 ],
- "securityImplications": "Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.",
+ "researchLinks": [],
+ "securityImplications": "Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ses list-identities --identity-type \"EmailAddress\""
+ "value": "aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-ListIdentities"
+ "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease"
 },
 {
- "eventName": 
"GetSendQuota",
+ "eventName": "CreateEmailIdentity",
 "eventSource": "ses.amazonaws.com",
 "awsService": "SES",
- "description": "Provides the sending limits for the Amazon SES account.",
+ "description": "Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.",
 "mitreAttackTactics": [
- "TA0007 - Discovery"
+ "TA0040 - Impact"
 ],
 "mitreAttackTechniques": [
- "T1580 - Cloud Infrastructure Discovery"
+ "T1496 - Resource Hijacking"
 ],
- "usedInWild": true,
- "incidents": [
- {
- "description": "The curious case of DangerDev@protonmail.me",
- "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
- },
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "Ransomware in the cloud",
- "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
+ "technique": "T1583 - Acquire Infrastructure",
+ "reason": "Verifying an email identity or domain is part of acquiring the necessary infrastructure for sending emails, which could be used for malicious activities such as phishing or command and control."
 },
 {
- "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
- "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The verification of an email identity, especially when using DKIM, helps establish a legitimate-looking account or service that can be exploited for malicious purposes."
 },
 {
- "description": "SES-PIONAGE",
- "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"
+ "technique": "T1566 - Phishing",
+ "reason": "The verified email identity or domain can be utilized to send phishing emails, leveraging the trust established by a verified and legitimate-looking sender address or domain."
}
 ],
- "researchLinks": [
+ "usedInWild": true,
+ "incidents": [
 {
- "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild",
- "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"
+ "description": "The curious case of DangerDev@protonmail.me",
+ "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
 }
 ],
- "securityImplications": "Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.",
+ "researchLinks": [],
+ "securityImplications": "Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ses get-send-quota"
+ "value": "aws sesv2 create-email-identity --email-identity cloudtrail.cloud"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetSendQuota"
+ "permissions": "https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity"
 },
 {
- "eventName": "VerifyEmailIdentity",
+ "eventName": "DeleteIdentity",
 "eventSource": "ses.amazonaws.com",
 "awsService": "SES",
- "description": "Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.",
+ "description": "Deletes the specified identity (an email address or a domain) from the list of verified identities.",
 "mitreAttackTactics": [
- "TA0040 - Impact"
+ "TA0005 - Defense Evasion"
 ],
 "mitreAttackTechniques": [
- "T1496 - Resource Hijacking"
+ "T1578 - Modify Cloud Compute Infrastructure",
+ "T1070 - Indicator Removal"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Deleting an email address or domain from the list of verified identities can 
remove access for legitimate users, thereby evading detection by disrupting normal email flows and alert mechanisms that rely on these identities."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting a verified identity can disrupt communication channels, especially if the identity is tied to critical email systems, effectively leading to the destruction of necessary operational data."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "This operation could contribute to a denial of service by removing a critical identity that is required for sending emails, thus halting communication or alerting capabilities within the affected system."
+ }
 ],
 "usedInWild": true,
 "incidents": [
@@ -9454,27 +14581,43 @@
 }
 ],
 "researchLinks": [],
- "securityImplications": "Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.",
- "alerting": [],
+ "securityImplications": "Attackers might use DeleteIdentity to disrupt email sending capabilities or delete an identity previously used attackers.",
+ "alerting": [
+ {
+ "type": "sigma",
+ "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml"
+ }
+ ],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ses verify-email-identity --email-address TrailDiscoverEmail"
+ "value": "aws ses delete-identity --identity TrailDiscoverIdentity"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity"
+ "permissions": "https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity"
 },
 {
 "eventName": "GetAccount",
 "eventSource": "ses.amazonaws.com",
 "awsService": "SES",
- "description": "Lists the applied quota values for the specified AWS service.",
+ "description": "Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.",
 "mitreAttackTactics": [
 "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "By obtaining information about the SES account, attackers can identify if an account is enabled for sending emails, aiding in the identification of valid accounts for unauthorized access."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "The GetAccount API call allows an attacker to gather information related to the cloud infrastructure's email capabilities, essential for understanding the cloud environment and planning further malicious activities."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
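Review bot: The RequestServiceQuotaIncrease simulation added on the new side carries a concrete quota code and target (`--service-code ec2 --quota-code L-20F13EBD --desired-value 2`), while every other simulation in this change uses an inert `TrailDiscover*` placeholder (`TrailDiscoverServiceCode`, `TrailDiscoverIdentity`, `TrailDiscoverEmail`), so someone copy-running the catalogue entry would submit an actual quota-increase request against their own account. If the entries are meant to be templates, `--quota-code TrailDiscoverQuotaCode` keeps this one consistent with its neighbours; if a live value is intended here, that deserves a word in the entry. Two wording fixes in the same hunk: `"securityImplications": "Attackers use CreateEmailIdentity to create their own identity for sending spam or phishing emails later."` and `"...to raise quotas so that resource hijacking has a bigger impact."`. The DeleteIdentity entry opened at the end of this hunk continues into the next one.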
@@ -9507,861 +14650,1103 @@
 "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetAccount"
 },
 {
- "eventName": "DeleteIdentity",
+ "eventName": "GetAccountSendingEnabled",
 "eventSource": "ses.amazonaws.com",
 "awsService": "SES",
- "description": "Deletes the specified identity (an email address or a domain) from the list of verified identities.",
+ "description": "Returns the email sending status of the Amazon SES account for the current Region.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1578 - Modify Cloud Compute Infrastructure",
- "T1070 - Indicator Removal"
- ],
- "usedInWild": true,
- "incidents": [
- {
- "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
- "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
- }
+ "T1087 - Account Discovery"
 ],
- "researchLinks": [],
- "securityImplications": "Attackers might use DeleteIdentity to disrupt email sending capabilities or delete an identity previously used attackers.",
- "alerting": [
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml"
- }
- ],
- "simulation": [
+ "technique": "T1082 - System Information Discovery",
+ "reason": "By querying the SES email sending status, attackers can learn whether the service is configured and operational, revealing critical details about the cloud environment's setup."
+ },
 {
- "type": "commandLine",
- "value": "aws ses delete-identity --identity TrailDiscoverIdentity"
+ "technique": "T1590 - Gather Victim Identity Information",
+ "reason": "Understanding the email sending status through GetAccountSendingEnabled may provide insights into associated email addresses or domains, which can be used for further reconnaissance activities."
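Review bot: The new DeleteIdentity securityImplications string drops a word; it should read `"...or delete an identity previously used by attackers."`. In the GetAccount entry, the new `T1078 - Valid Accounts` reason claims the call aids "the identification of valid accounts for unauthorized access", but the entry's own new description says GetAccount reports the sending status of *your* SES account in the current Region, so it can only confirm what already-held credentials can do, not surface other accounts; a reason along the lines of `"GetAccount reports the calling account's own SES sending status, so it mainly confirms that compromised credentials are usable for sending email."` matches the description. Both changes are documentation-only.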
} ], - "permissions": "https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity" - }, - { - "eventName": "UpdateIPSet", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Updates the IPSet specified by the IPSet ID.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion" - ], - "mitreAttackTechniques": [ - "T1562 - Impair Defenses" - ], "usedInWild": false, "incidents": [], "researchLinks": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "description": "SES-PIONAGE", + "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" } ], - "securityImplications": "Attackers might use UpdateIPSet to modify the IP address filters, potentially allowing malicious traffic to bypass detection.", + "securityImplications": "Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5" + "value": "aws ses get-account-sending-enabled" } ], - "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateIPSet" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled" }, { - "eventName": "DeleteInvitations", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.", + "eventName": "GetIdentityVerificationAttributes", + "eventSource": "ses.amazonaws.com", + "awsService": "SES", + "description": "Given a list of identities (email addresses and/or domains), returns the verification status and (for domain 
identities) the verification token for each identity.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1526 - Cloud Service Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1589 - Gather Victim Identity Information", + "reason": "The API can be used to verify the status of email addresses, enabling attackers to identify active and valid email addresses that may be targeted for social engineering or phishing attacks." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Access to this API could indicate that an attacker has compromised cloud credentials, allowing them to monitor or manipulate email verification statuses, potentially leading to further unauthorized access." + } ], "usedInWild": true, "incidents": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "description": "SES-PIONAGE", + "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" } ], "researchLinks": [], - "securityImplications": "Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.", + "securityImplications": "Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws guardduty delete-invitations --account-ids 111222333444" + "value": "aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity" } ], - "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes" }, { - "eventName": "UpdateDetector", - "eventSource": 
"guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Updates the GuardDuty detector specified by the detectorId.", + "eventName": "GetSendQuota", + "eventSource": "ses.amazonaws.com", + "awsService": "SES", + "description": "Provides the sending limits for the Amazon SES account.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetSendQuota API call can be used to determine the current email sending limits of an account, which is a form of system information that could help an adversary understand the operational capabilities of the target environment." + }, + { + "technique": "T1602 - Gather Victim Host Information", + "reason": "By using GetSendQuota, an attacker could gather details about the SES service's capacity and limitations, which is part of understanding the victim's resources." + }, + { + "technique": "T1580 - Cloud Service Discovery", + "reason": "This API call allows adversaries to discover details about the cloud services in use (SES in this case), contributing to broader cloud service reconnaissance." 
+ } + ], + "usedInWild": true, + "incidents": [ + { + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "SES-PIONAGE", + "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" + } ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" } ], - "securityImplications": "Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.", + "securityImplications": "Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency" + "value": "aws ses get-send-quota" } ], - "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetSendQuota" }, { - "eventName": "GetFindings", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": 
"Returns a list of findings that match the specified criteria.", + "eventName": "ListIdentities", + "eventSource": "ses.amazonaws.com", + "awsService": "SES", + "description": "Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The ListIdentities API might help an attacker identify valid cloud accounts or identities to target for subsequent attacks, such as trying to access these accounts using stolen or guessed credentials." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Identifying system owners or users based on the listed identities can help attackers target specific accounts or tailor attacks based on the roles of those users." 
+ } ], "usedInWild": true, "incidents": [ { "description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Ransomware in the cloud", + "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "SES-PIONAGE", + "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" } ], - "researchLinks": [], - "securityImplications": "Attackers might use GetFindings to identify if previous actions generated alerts.", + "researchLinks": [ + { + "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", + "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + } + ], + "securityImplications": "Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds" + "value": "aws ses list-identities --identity-type \"EmailAddress\"" } ], - "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-ListIdentities" }, { - "eventName": "ListFindings", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Lists GuardDuty findings for the specified detector ID.", + "eventName": 
"UpdateAccountSendingEnabled", + "eventSource": "ses.amazonaws.com", + "awsService": "SES", + "description": "Enables or disables email sending across your entire Amazon SES account in the current AWS Region.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1496 - Resource Hijacking" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Disabling email sending can help evade detection by preventing the generation of SES-based alerts or logs that might indicate malicious activities." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "An attacker could use this API call to disable email sending, potentially preventing security teams from receiving critical alerts and impairing the defenses of the environment." + } ], "usedInWild": true, "incidents": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "SES-PIONAGE", + "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" } ], "researchLinks": [], - "securityImplications": "Attackers might use ListFindings to identify if previous actions generated alerts.", + "securityImplications": "Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws guardduty list-findings --detector-id TrailDiscoverDetectorId" + "value": "aws ses update-account-sending-enabled" } ], - "permissions": 
"https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled" }, { - "eventName": "ListDetectors", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Lists detectorIds of all the existing Amazon GuardDuty detector resources.", + "eventName": "VerifyEmailIdentity", + "eventSource": "ses.amazonaws.com", + "awsService": "SES", + "description": "Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0040 - Impact" ], "mitreAttackTechniques": [ - "T1526 - Cloud Service Discovery" + "T1496 - Resource Hijacking" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1078 - Valid Accounts", + "reason": " By verifying an email address, an adversary might create a valid cloud account identity that could be used in subsequent malicious activities, making it appear as if actions are being carried out by a legitimate user." + }, + { + "technique": "T1588 - Obtain Capabilities", + "reason": "Adversaries could use the API to validate an email identity, thereby acquiring a tool or resource that can be utilized in future phishing or spamming campaigns." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Modify GuardDuty Configuration", - "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/" + "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", + "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" } ], - "securityImplications": "Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.", + "researchLinks": [], + "securityImplications": "Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws guardduty list-detectors" - }, - { - "type": "stratusRedTeam", - "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance" + "value": "aws ses verify-email-identity --email-address TrailDiscoverEmail" } ], - "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors" + "permissions": "https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity" }, { - "eventName": "DeleteDetector", - "eventSource": "guardduty.amazonaws.com", - "awsService": "GuardDuty", - "description": "Deletes an Amazon GuardDuty detector that is specified by the detector ID.", + "eventName": "ConsoleLogin", + "eventSource": "signin.amazonaws.com", + "awsService": "SignIn", + "description": "This is the CloudTrail event generated when you sign-in.", "mitreAttackTactics": [ - "TA0005 - Defense Evasion" + "TA0001 - Initial Access" ], "mitreAttackTechniques": [ - "T1562 - Impair Defenses" + "T1078 - Valid Accounts" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1199 - Trusted Relationship", + "reason": "An attacker might exploit trusted relationships between accounts, leading to a console login that can be traced back to an 
initial access attempt." + } ], "usedInWild": true, "incidents": [ { - "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", - "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + "description": "The curious case of DangerDev@protonmail.me", + "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + }, + { + "description": "Responding to an attack in AWS", + "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac" + }, + { + "description": "Credential Phishing", + "link": "https://ramimac.me/aws-phishing#credential-phishing" + }, + { + "description": "Incident report: From CLI to console, chasing an attacker in AWS", + "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + }, + { + "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", + "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/" + }, + { + "description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", + "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/" + }, + { + "description": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies", + "link": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" } ], "researchLinks": [ { - "description": "AWS GuardDuty detector deleted", - "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/" + "description": "Compromising AWS Console credentials", + "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/" }, { - "description": "AWS GuardDuty Evasion", - "link": "https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1" + "description": "Create 
a Console Session from IAM Credentials",
+ "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"
 },
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ "description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS",
+ "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"
+ }
+ ],
+ "securityImplications": "Attackers might access via AWS console (generating a ConsoleLogin event).",
+ "alerting": [
+ {
+ "type": "cloudwatchCISControls",
+ "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6"
 },
 {
- "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
- "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ "type": "cloudwatchCISControls",
+ "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3"
 }
 ],
- "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",
- "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty delete-detector --detector-id TrailDiscoverDetectorId"
+ "value": "N/A"
+ },
+ {
+ "type": "stratusRedTeam",
+ "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector"
+ "permissions": "N/A"
 },
 {
- "eventName": "GetDetector",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Retrieves an Amazon GuardDuty detector specified by the detectorId.",
+ "eventName": "GetSigninToken",
+ "eventSource": "signin.amazonaws.com",
+ 
"awsService": "SignIn",
+ "description": "Generate a SigninToken that can be used to login to the the AWS Management Console.",
 "mitreAttackTactics": [
- "TA0007 - Discovery"
+ "TA0001 - Initial Access"
 ],
 "mitreAttackTechniques": [
- "T1526 - Cloud Service Discovery"
+ "T1078 - Valid Accounts"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [],
 "usedInWild": true,
 "incidents": [
 {
- "description": "The curious case of DangerDev@protonmail.me",
- "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
- "securityImplications": "Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.",
+ "securityImplications": "Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty get-detector --detector-id TrailDiscoverDetectorId"
+ "value": "N/A"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector"
+ "permissions": "N/A"
 },
 {
- "eventName": "DeletePublishingDestination",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Deletes the publishing definition with the specified destinationId.",
+ "eventName": "PasswordRecoveryRequested",
+ "eventSource": "signin.amazonaws.com",
+ "awsService": "SignIn",
+ "description": "This is the CloudTrail event generated when you request a password recovery.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0001 - Initial Access"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1078 - Valid Accounts"
 ],
- "usedInWild": false,
- "incidents": [],
- "researchLinks": [
+ 
"mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "Modify GuardDuty Configuration",
- "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"
+ "technique": "T1212 - Exploitation for Credential Access",
+ "reason": "The password recovery process could be manipulated or exploited to gain access to credentials, especially if the attacker can intercept or redirect the recovery process."
 }
 ],
- "securityImplications": "Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.",
- "alerting": [],
- "simulation": [
+ "usedInWild": true,
+ "incidents": [
 {
- "type": "commandLine",
- "value": "aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId"
- }
- ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination"
- },
- {
- "eventName": "ListIPSets",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Lists the IPSets of the GuardDuty service specified by the detector ID.",
- "mitreAttackTactics": [
- "TA0007 - Discovery"
- ],
- "mitreAttackTechniques": [
- "T1526 - Cloud Service Discovery"
- ],
- "usedInWild": false,
- "incidents": [],
- "researchLinks": [
+ "description": "An Ongoing AWS Phishing Campaign",
+ "link": "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"
+ },
 {
- "description": "Modify GuardDuty Configuration",
- "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"
+ "description": "Disclosure of Security Incidents on imToken",
+ "link": "https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken"
 }
 ],
- "securityImplications": "Attackers might use ListIPSets to identify what IPs won't generate an alert.",
+ "researchLinks": [],
+ "securityImplications": "Attackers might start a 
password recovery process to steal AWS access if they have compromised the email of the user.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId"
+ "value": "N/A"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets"
+ "permissions": "N/A"
 },
 {
- "eventName": "DisassociateMembers",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.",
+ "eventName": "SwitchRole",
+ "eventSource": "signin.amazonaws.com",
+ "awsService": "SignIn",
+ "description": "This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0008 - Lateral Movement"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1021 - Remote Services"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The SwitchRole API call indicates that a user is leveraging valid credentials to access different roles, which could be used for maintaining persistence, evading detection, or moving laterally within the AWS environment."
+ },
+ {
+ "technique": "T1068 - Exploitation for Privilege Escalation",
+ "reason": "Switching to a role with higher privileges could be an attempt to escalate privileges within the AWS environment."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "The API call might be used to masquerade as a different user or role, enabling an attacker to carry out malicious activities under the guise of a legitimate user." 
+ }
 ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ "description": "AWS CloudTrail cheat sheet",
+ "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet"
 }
 ],
- "securityImplications": "Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",
+ "securityImplications": "Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds"
+ "value": "N/A"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers"
+ "permissions": "N/A"
 },
 {
- "eventName": "DisassociateFromMasterAccount",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Disassociates the current GuardDuty member account from its administrator account.",
+ "eventName": "GetSMSAttributes",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": "Returns the settings for sending SMS messages from your AWS account.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "The GetSMSAttributes call can reveal details about the SMS configuration, including regions, usage patterns, and sender IDs, providing an attacker with valuable information about the environment." 
+ }
 ],
 "usedInWild": true,
 "incidents": [
 {
- "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD",
- "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+ "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS",
+ "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"
+ },
+ {
+ "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns",
+ "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"
 }
 ],
 "researchLinks": [
- {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ {
+ "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild",
+ "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"
 }
 ],
- "securityImplications": "Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.",
+ "securityImplications": "Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty disassociate-from-master-account --detector-id TrailDiscoverDetectorId"
+ "value": "aws sns get-sms-attributes --attributes TrailDiscoverAttributes"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes"
 },
 {
- "eventName": "StopMonitoringMembers",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Stops GuardDuty monitoring for the specified member accounts.",
+ "eventName": 
"GetSMSSandboxAccountStatus",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": "Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "This API call allows an adversary to determine the SMS sandbox status, which can reveal if an AWS account is still in a test phase or if it's been moved to production, indicating how the account might be used or targeted."
+ }
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns",
+ "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"
+ }
 ],
- "usedInWild": false,
- "incidents": [],
 "researchLinks": [
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ "description": "NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS",
+ "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"
 }
 ],
- "securityImplications": "Attackers might use StopMonitoringMembers to halt the surveillance of specific AWS accounts, reducing security visibility.",
+ "securityImplications": "Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"
+ "value": "aws sns get-sms-sandbox-account-status"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus"
 },
 {
- "eventName": "CreateIPSet",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Creates a new IPSet, which is called a trusted IP list in the console user interface.",
+ "eventName": "ListOriginationNumbers",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1580 - Cloud Infrastructure Discovery"
 ],
- "usedInWild": false,
- "incidents": [],
- "researchLinks": [
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "Modify GuardDuty Configuration",
- "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"
+ "technique": "T1087 - Account Discovery",
+ "reason": "The ListOriginationNumbers API call provides information on the account's SMS origination numbers, which could help an adversary discover and map out cloud resources 
associated with the account."
 }
 ],
- "securityImplications": "Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.",
- "alerting": [
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml"
+ "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS",
+ "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"
 }
 ],
+ "securityImplications": "Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.",
+ "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate"
+ "value": "aws sns list-origination-numbers"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers"
 },
 {
- "eventName": "CreateFilter",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Creates a filter using the specified finding criteria.",
+ "eventName": "ListSubscriptions",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight 
into the AWS environment and identifying active accounts."
+ },
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations."
+ }
 ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
 {
- "description": "Modify GuardDuty Configuration",
- "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"
+ "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS",
+ "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"
 }
 ],
- "securityImplications": "Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.",
+ "securityImplications": "Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\"Criterion\": {\"service.action.actionType\": {\"Eq\": [\"TrailDiscover\"]}}}' --action NOOP"
+ "value": "aws sns list-subscriptions"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions"
 },
 {
- "eventName": "DeleteMembers",
- "eventSource": "guardduty.amazonaws.com",
- "awsService": "GuardDuty",
- "description": "Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.",
+ "eventName": "ListTopics",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": "Returns a list of the requester's topics.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair 
Defenses"
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts."
+ },
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations."
+ }
 ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ "description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS",
+ "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"
 }
 ],
- "securityImplications": "Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.",
+ "securityImplications": "Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"
+ "value": "aws sns list-topics"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListTopics"
 },
 {
- "eventName": "RegisterTaskDefinition",
- "eventSource": "ecs.amazonaws.com",
- "awsService": "ECS",
- "description": "Registers a new task definition from the supplied family and containerDefinitions.",
+ "eventName": "Publish",
+ "eventSource": "sns.amazonaws.com",
+ "awsService": "SNS",
+ "description": 
"Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).",
 "mitreAttackTactics": [
 "TA0040 - Impact"
 ],
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
- "usedInWild": true,
- "incidents": [
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
- "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The SNS Publish API can send messages using common application layer protocols such as HTTPS. This can be used for command and control communication by sending instructions or payloads to subscribed endpoints in a covert manner."
+ },
+ {
+ "technique": "T1537 - Transfer Data to Cloud Account",
+ "reason": "Attackers can use SNS to exfiltrate data by sending it as a message to a subscribed endpoint, which may belong to an external cloud account controlled by the adversary."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "The SNS service can act as a relay for communications, allowing attackers to hide the true source and destination of their messages by using SNS as an intermediary, which can evade detection mechanisms."
+ },
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": "By automating the use of SNS Publish to regularly send messages containing exfiltrated data to external endpoints, attackers can maintain a consistent and automated exfiltration channel." 
 }
 ],
- "researchLinks": [],
- "securityImplications": "Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.",
- "alerting": [
+ "usedInWild": true,
+ "incidents": [
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"
+ "description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns",
+ "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"
+ },
+ {
+ "description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution",
+ "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"
 }
 ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use Publish for smishing campaigns.",
+ "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\"name\":\"bench-container\", \"cpu\":2048, \"memory\":4092 }]'"
+ "value": "N/A"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition"
+ "permissions": "https://aws.permissions.cloud/iam/sns#sns-Publish"
 },
 {
- "eventName": "CreateService",
- "eventSource": "ecs.amazonaws.com",
- "awsService": "ECS",
- "description": "Runs and maintains your desired number of tasks from a specified task definition.",
+ "eventName": "DescribeInstanceInformation",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.",
 "mitreAttackTactics": [
- "TA0040 - Impact"
+ "TA0007 - Discovery"
 ],
 "mitreAttackTechniques": [
- "T1496 - Resource Hijacking"
+ "T1580 - Cloud Infrastructure Discovery"
+ ],
+ 
"mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "The API retrieves comprehensive details about the managed nodes, including platform name, version, and agent status, which helps in understanding the target system."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The IAM role associated with each managed node can be analyzed to identify and potentially exploit valid credentials, leading to unauthorized access."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "IP addresses and system information can be used to discover and map out other systems within the network environment."
+ }
 ],
 "usedInWild": true,
 "incidents": [
 {
- "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
- "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+ "description": "The curious case of DangerDev@protonmail.me",
+ "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
 }
 ],
 "researchLinks": [],
- "securityImplications": "Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.",
+ "securityImplications": "Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition"
+ "value": "aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateService"
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation"
 },
 {
- "eventName": 
"CreateCluster",
- "eventSource": "ecs.amazonaws.com",
- "awsService": "ECS",
- "description": "Creates a new Amazon ECS cluster.",
+ "eventName": "GetParameters",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Get information about one or more parameters by specifying multiple parameter names.",
 "mitreAttackTactics": [
- "TA0040 - Impact"
+ "TA0007 - Discovery",
+ "TA0006 - Credential Access"
 ],
 "mitreAttackTechniques": [
- "T1496 - Resource Hijacking"
+ "T1526 - Cloud Service Discovery",
+ "T1552 - Unsecured Credentials"
 ],
- "usedInWild": true,
- "incidents": [
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining",
- "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"
+ "technique": "T1552 - Unsecured Credentials",
+ "reason": "The GetParameters API, particularly with decryption enabled, can be used to retrieve sensitive credentials if they are stored in the SSM Parameter Store. This can expose API keys, passwords, or other authentication materials."
 },
 {
- "description": "New tactics and techniques for proactive threat detection",
- "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ "technique": "T1082 - System Information Discovery",
+ "reason": "By using GetParameters, an attacker can gather configuration and environment details stored in the parameters, aiding in system information discovery."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "If parameter values include credentials or tokens, the attacker could use them to access valid accounts, facilitating further malicious activity." 
 }
 ],
- "researchLinks": [],
- "securityImplications": "Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking",
- "alerting": [
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml"
+ "description": "Detecting and removing risky actions out of your IAM security policies",
+ "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"
 }
 ],
+ "securityImplications": "Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.",
+ "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws ecs create-cluster --cluster-name TrailDiscoverCluster"
+ "value": "aws ssm get-parameters --names TrailDiscoverParameters"
+ },
+ {
+ "type": "stratusRedTeam",
+ "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster"
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-GetParameters"
 },
 {
- "eventName": "DeleteConfigurationRecorder",
- "eventSource": "config.amazonaws.com",
- "awsService": "Config",
- "description": "Deletes the configuration recorder.",
+ "eventName": "ResumeSession",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Reconnects a session to a managed node after it has been disconnected.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0008 - Lateral Movement",
+ "TA0002 - Execution"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1021 - Remote Services",
+ "T1651 - Cloud Administration Command"
+ ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid 
Accounts",
+ "reason": "Attackers can use valid credentials to reconnect to a previously disconnected session, allowing them to maintain persistent access to a system without re-authenticating."
+ },
+ {
+ "technique": "T1105 - Ingress Tool Transfer",
+ "reason": "By reconnecting to an active session, attackers can continue to upload malicious tools or scripts to the managed node without needing to initiate a new session, facilitating ongoing exploitation."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The reconnection process uses HTTPS, allowing attackers to maintain an encrypted communication channel, which could be used for executing commands or transferring data during the resumed session."
+ }
 ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
 {
- "description": "AWS Config Resource Deletion",
- "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
- "securityImplications": "Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.",
+ "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.",
 "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder"
+ "value": "aws ssm resume-session --session-id TrailDiscoverTarget"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder"
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"
 },
 {
- "eventName": "DeleteDeliveryChannel",
- "eventSource": "config.amazonaws.com",
- "awsService": "Config",
- "description": "Deletes the delivery channel.",
+ "eventName": "SendCommand",
+ 
"eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Runs commands on one or more managed nodes.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0008 - Lateral Movement",
+ "TA0002 - Execution"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1021 - Remote Services",
+ "T1651 - Cloud Administration Command"
 ],
- "usedInWild": false,
- "incidents": [],
- "researchLinks": [
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "AWS Config Resource Deletion",
- "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "The SendCommand API is designed to execute commands on managed nodes, which directly involves the use of command and scripting interpreters to run scripts or commands."
 },
 {
- "description": "AWS Config modified",
- "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"
+ "technique": "T1053 - Scheduled Task/Job",
+ "reason": "The SendCommand API can be used to create or modify scheduled tasks on managed nodes, enabling the execution of commands at specified times, which is essential for maintaining persistence."
 },
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ "technique": "T1105 - Ingress Tool Transfer",
+ "reason": "Attackers can use SendCommand to download and execute additional tools or payloads on the managed nodes, which is directly relevant to executing commands that facilitate further compromise." 
+ },
+ {
+ "technique": "T1569 - System Services",
+ "reason": "The SendCommand API can start, stop, or restart system services on managed nodes, allowing for the execution of commands that may serve various purposes, including persistence or privilege escalation."
 }
 ],
- "securityImplications": "Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.",
- "alerting": [
+ "usedInWild": true,
+ "incidents": [
 {
- "type": "cloudwatchCISControls",
- "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"
+ "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
+ "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
 },
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
+ "researchLinks": [
+ {
+ "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident",
+ "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"
+ },
+ {
+ "description": "Run Shell Commands on EC2 with Send Command or Session Manager",
+ "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
+ "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.",
+ "alerting": [],
 "simulation": [
 {
 "type": "commandLine",
- "value": "aws configservice delete-delivery-channel --delivery-channel-name 
TrailDiscoverDeliveryChannel"
+ "value": "aws ssm send-command --instance-ids \"TrailDiscoverInstanceID\" --document-name \"AWS-RunShellScript\" --parameters commands=ls --output text"
+ },
+ {
+ "type": "stratusRedTeam",
+ "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command"
 }
 ],
- "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel"
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-SendCommand"
 },
 {
- "eventName": "StopConfigurationRecorder",
- "eventSource": "config.amazonaws.com",
- "awsService": "Config",
- "description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account.",
+ "eventName": "StartSession",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Initiates a connection to a target (for example, a managed node) for a Session Manager session.",
 "mitreAttackTactics": [
- "TA0005 - Defense Evasion"
+ "TA0008 - Lateral Movement",
+ "TA0002 - Execution"
 ],
 "mitreAttackTechniques": [
- "T1562 - Impair Defenses"
+ "T1021 - Remote Services",
+ "T1651 - Cloud Administration Command"
 ],
- "usedInWild": false,
- "incidents": [],
- "researchLinks": [
- {
- "description": "AWS Configuration Recorder Stopped",
- "link": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped"
- },
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
 {
- "description": "AWS Config modified",
- "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "The StartSession API allows for establishing a session where commands can be executed on the managed node through a command-line interface. 
This enables direct interaction with the system, facilitating the execution of scripts or commands remotely."
 },
 {
- "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
- "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
- }
- ],
- "securityImplications": "Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.",
- "alerting": [
- {
- "type": "cloudwatchCISControls",
- "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The StartSession API requires valid credentials and an authenticated token to initiate a session, allowing access to managed nodes. Attackers with compromised credentials can exploit this to gain unauthorized access to systems."
 },
 {
- "type": "sigma",
- "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The StartSession API uses WebSocket connections over HTTPS, enabling communication with the managed node. This can be leveraged to disguise command and control traffic within regular web traffic, making detection more challenging." 
} ], - "simulation": [ + "usedInWild": true, + "incidents": [ { - "type": "commandLine", - "value": "aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder" + "description": "Navigating the Cloud: Exploring Lateral Movement Techniques", + "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/" } ], - "permissions": "https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder" - }, - { - "eventName": "DeleteConfigRule", - "eventSource": "config.amazonaws.com", - "awsService": "Config", - "description": "Deletes the specified AWS Config rule and all of its evaluation results.", - "mitreAttackTactics": [ - "TA0005 - Defense Evasion" - ], - "mitreAttackTechniques": [ - "T1562 - Impair Defenses" - ], - "usedInWild": false, - "incidents": [], "researchLinks": [ { - "description": "AWS Config Resource Deletion", - "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion" + "description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", + "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide" + }, + { + "description": "Run Shell Commands on EC2 with Send Command or Session Manager", + "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/" } ], - "securityImplications": "Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.", + "securityImplications": "Attackers might use StartSession to gain unauthorized access to managed instances.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws configservice delete-config-rule --config-rule-name TrailDiscoverConfigRule" + "value": "aws ssm start-session --target TrailDiscoverTarget" + }, + { + "type": "stratusRedTeam", + "value": 
"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session" } ], - "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigRule" + "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-StartSession" }, { - "eventName": "ListServiceQuotas", - "eventSource": "servicequotas.amazonaws.com", - "awsService": "ServiceQuotas", - "description": "Lists the applied quota values for the specified AWS service.", + "eventName": "CreateServer", + "eventSource": "transfer.amazonaws.com", + "awsService": "TransferFamily", + "description": "Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.", "mitreAttackTactics": [ - "TA0007 - Discovery" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1087 - Account Discovery" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "Ransomware in the cloud", - "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud" + "technique": "T1078 - Valid Accounts", + "reason": "The server creation process may involve generating or utilizing valid credentials, which can be leveraged by attackers to gain unauthorized access to the system." }, { - "description": "SES-PIONAGE", - "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/" + "technique": "T1071 - Application Layer Protocol", + "reason": "The server can be used to facilitate command and control communications using standard file transfer protocols (e.g., SFTP, FTPS), which are application layer protocols." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers could configure the server to allow them to access from the internet to S3 files." 
} ], - "researchLinks": [ + "usedInWild": true, + "incidents": [ { - "description": "Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild", - "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/" + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], - "securityImplications": "Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.", + "researchLinks": [], + "securityImplications": "Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode" + "value": "aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED" } ], - "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas" + "permissions": "https://aws.permissions.cloud/iam/transfer#transfer-CreateServer" }, { - "eventName": "RequestServiceQuotaIncrease", - "eventSource": "servicequotas.amazonaws.com", - "awsService": "ServiceQuotas", - "description": "Submits a quota increase request for the specified quota at the account or resource level.", + "eventName": "CreateUser", + "eventSource": "transfer.amazonaws.com", + "awsService": "TransferFamily", + "description": "Creates a user and associates them with an existing file transfer protocol-enabled server.", "mitreAttackTactics": [ - "TA0040 - Impact" + "TA0010 - Exfiltration" ], "mitreAttackTechniques": [ - "T1496 - Resource Hijacking" + "T1537 - Transfer Data to Cloud Account" ], - "usedInWild": true, - "incidents": [ + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ { - "description": "The 
curious case of DangerDev@protonmail.me", - "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me" + "technique": "T1078 - Valid Accounts", + "reason": "Creating a user in the Transfer Family service results in valid credentials that could be exploited for unauthorized access." }, { - "description": "Incident report: From CLI to console, chasing an attacker in AWS", - "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/" + "technique": "T1136 - Create Account", + "reason": "The CreateUser API call involves the creation of a new account, which can be used by attackers to establish persistence in the environment." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The creation of a new user account allows for the potential manipulation of user roles or permissions, enabling privilege escalation." + } + ], + "usedInWild": true, + "incidents": [ + { + "description": "Muddled Libra\u2019s Evolution to the Cloud", + "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" } ], "researchLinks": [], - "securityImplications": "Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.", + "securityImplications": "Attackers might use CreateUser to use the Transfer Family service.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2" + "value": "aws transfer create-user --server-id s-1234567890abcdef0 --user-name TrailDiscover --role arn:aws:iam::123456789012:role/TrailDiscover --home-directory /TrailDiscover" } ], - "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease" + "permissions": "https://aws.permissions.cloud/iam/transfer#transfer-CreateUser" }, { "eventName": "DeleteRuleGroup", 
@@ -10374,6 +15759,21 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "By deleting a RuleGroup that is crucial for access management, an attacker could manipulate accounts or credentials to bypass security controls."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Removing critical firewall rules could lead to a Denial of Service (DoS) by allowing malicious traffic to overwhelm the system or service endpoints."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
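Review bot: The `T1098 - Account Manipulation` reason describes the rule group as "crucial for access management", but a WAFv2 rule group holds web-request filtering rules; it does not manage accounts or credentials, so this mapping has no basis in what DeleteRuleGroup does. `T1070 - Indicator Removal` has the same problem: deleting a rule group removes inspection rules, not logs, and WAF logging is configured on the web ACL rather than the rule group, so the reason overstates the effect. `T1499` is the only entry that follows from the call's behaviour and could stand alone.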
@@ -10397,16 +15797,31 @@
 "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteRuleGroup"
 },
 {
- "eventName": "UpdateIPSet",
+ "eventName": "DeleteWebACL",
 "eventSource": "wafv2.amazonaws.com",
 "awsService": "WAFV2",
- "description": "Updates the specified IPSet.",
+ "description": "Deletes the specified WebACL.",
 "mitreAttackTactics": [
 "TA0005 - Defense Evasion"
 ],
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting the WebACL after disassociating it from resources could be used to remove evidence of previous configurations that could have logged or blocked malicious activity."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "By deleting the WebACL, an attacker could attempt to make malicious traffic appear legitimate by removing the security policies that would identify or block it."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting critical WebACL protections, especially after disassociating them from resources, may increase the likelihood of successful DoS attacks against those now-unprotected resources, affecting service availability."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
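Review bot: This hunk and the two that follow (`@@ -10415,27` and `@@ -10444,14`) show the DeleteWebACL and UpdateIPSet entries exchanging positions, so every field of both entries is reported as changed although only the `unverifiedMitreAttackTechniques` arrays are new; if this aggregate is generated from the per-event files, emitting entries in a deterministic order (e.g. sorted by `eventSource` then `eventName`) would confine future diffs to real changes. Within the new content, the `T1036 - Masquerading` reason ("make malicious traffic appear legitimate by removing the security policies") describes evading inspection, which is already what the verified `T1562 - Impair Defenses` entry covers, not masquerading.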
@@ -10415,27 +15830,42 @@ "link": "https://easttimor.github.io/aws-incident-response/" } ], - "securityImplications": "Attackers might use UpdateIPSet to modify IP address rules, potentially allowing unauthorized access from IPs they control.", + "securityImplications": "Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5" + "value": "aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken" } ], - "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-UpdateIPSet" + "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL" }, { - "eventName": "DeleteWebACL", + "eventName": "UpdateIPSet", "eventSource": "wafv2.amazonaws.com", "awsService": "WAFV2", - "description": "Deletes the specified WebACL.", + "description": "Updates the specified IPSet.", "mitreAttackTactics": [ "TA0005 - Defense Evasion" ], "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By updating an IPSet to allow or block specific IP addresses, an attacker can manipulate web traffic to facilitate or evade detection during Command and Control activities." + }, + { + "technique": "T1489 - Service Stop", + "reason": "An attacker could update the IPSet to block access to critical services, effectively stopping them by denying network access. This is relevant because the API call can alter IP address permissions, potentially disrupting service availability." 
+ }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By modifying the IPSet to block or allow certain IP addresses, an attacker could cause a Denial of Service (DoS) attack by either overwhelming a service with traffic or cutting off access to legitimate users." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ @@ -10444,14 +15874,14 @@ "link": "https://easttimor.github.io/aws-incident-response/" } ], - "securityImplications": "Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.", + "securityImplications": "Attackers might use UpdateIPSet to modify IP address rules, potentially allowing unauthorized access from IPs they control.", "alerting": [], "simulation": [ { "type": "commandLine", - "value": "aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken" + "value": "aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5" } ], - "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL" + "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-UpdateIPSet" } ] \ No newline at end of file diff --git a/events/ACMPCA/GetCertificate.json b/events/ACMPCA/GetCertificate.json index 0468ea6..87f190b 100644 --- a/events/ACMPCA/GetCertificate.json +++ b/events/ACMPCA/GetCertificate.json 
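Review bot: The `T1489 - Service Stop` and `T1499` reasons for UpdateIPSet assume that putting an address in the IP set blocks it, but an IP set only takes effect through the rule statement that references it and that rule's action (allow, block or count); the reasons should say that the effect depends on the referencing rule, e.g. `An IP set added to a rule with a block action can cut off the listed addresses.`. The `\ No newline at end of file` marker is unchanged from the old side, so the aggregate still lacks its trailing newline.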
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1040- Network Sniffing" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1119 - Automated Collection", + "reason": "An attacker could write a script that continiously calls GetCertificate to get all certificates" + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Using GetCertificate, adversaries can discover details about the cloud infrastructure, including how certificates are managed and issued within the environment." + }, + { + "technique": "TT1589 - Gather Victim Identity Information", + "reason": "Often times victim information is present in the certificate, f.e. email adresses." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Often times certificates are issued for single cloud services. " + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "One could label the ACMPCA as a cloud storage, because the certificates are stored in there." + }, + { + "technique": "T1021.007 - Remote Services: Cloud Services", + "reason": "The GetCertificate API call retrieves certificates from a private CA or one that has been shared, which can then be used to authenticate access to various cloud services. Adversaries can use these certificates to authenticate themselves to cloud services remotely, leveraging the trust established by the certificate. 
This enables the adversary to move laterally within the cloud environment, access additional resources, or establish persistence by maintaining authenticated sessions with the compromised certificates" + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details" + }, + { + "technique": "T1557 - Adversary-in-the-Middle", + "reason": "Certificates retrieved can be used in Man-in-the-Middle (MitM) attacks to intercept and decrypt secure communications." + }, + { + "technique": "T1021 - Remote Services", + "reason": "Certificates are often used as an authetication material, especially in enterprise environments and can be therefore used to move laterally." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/ACMPCA/IssueCertificate.json b/events/ACMPCA/IssueCertificate.json index b840a8b..97a23c9 100644 --- a/events/ACMPCA/IssueCertificate.json +++ b/events/ACMPCA/IssueCertificate.json 
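Review bot: `"technique": "TT1589 - Gather Victim Identity Information"` is not a valid ATT&CK identifier (the technique is T1589), and the same field is written as `T1078- Valid Accounts` in the IssueCertificate hunk and `T1590: Gather Victim Network Information` in the GetIntrospectionSchema hunk, so anything matching on the ID would miss these entries. A schema check on the technique string, such as `^T\d{4}(\.\d{3})? - .+$`, applied to both `mitreAttackTechniques` and `unverifiedMitreAttackTechniques`, would have caught all three. Related: `T1021.007 - Remote Services: Cloud Services` here, and `T1586.003`, `T1071.001`, `T1550.001`, `T1562.001` and `T1518.001` in the IssueCertificate, CreateApiKey, UpdateResolver and GetModelInvocationLoggingConfiguration hunks, are sub-technique IDs listed under techniques while the new `mitreAttackSubTechniques` array is left empty. Typos in the reasons: `continiously`, `adresses`, `authetication`.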
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1040- Network Sniffing" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078- Valid Accounts", + "reason": "Issuing a certificate can create a valid cloud account credential. This certificate could be used to authenticate against various services. Issued certificates could be used to create or access local accounts within the cloud infrastructure. " + }, + { + "technique": "T1212- Exploitation for Credential Access", + "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details or are from a trustd CA." + }, + { + "technique": "T1136- Create Account", + "reason": "An adversary might use a certificate to create new cloud accounts or gain access to existing ones under the guise of legitimate credentials." + }, + { + "technique": "T1588- Obtain Capabilities", + "reason": "By using this API call an adversary has successfully gained the capability to create digital certificates." + }, + { + "technique": "T1550- Use Alternate Authentication Material", + "reason": "Issued certificates can be used as alternative authentication material in place of traditional credentials like web cookies, aiding in Credential Access and Defense Evasion." + }, + { + "technique": "T1586.003- Compromise Accounts", + "reason": "By issuing certificates through the IssueCertificate API call, adversaries can compromise cloud accounts by creating legitimate credentials for accessing cloud services. These certificates can be used to authenticate and gain control over cloud accounts, facilitating Initial Access and Persistence. The adversary can then maintain access by leveraging these certificates, bypassing traditional authentication mechanisms and evading detection." 
+ }, + { + "technique": "T1027- Obfuscated Files or Information", + "reason": "Certificates issued via this API call can be used to obfuscate the true nature of communication and data, aiding in Defense Evasion." + }, + { + "technique": "T1553- Subvert Trust Controls", + "reason": "By issuing a certificate, an adversary can sign malicious binaries, making them appear legitimate and trusted, aiding in Defense Evasion." + }, + { + "technique": "T1071.001- Application Layer Protocol - Web Protocols", + "reason": "Issued certificates can be used to secure communication over web protocols, potentially aiding in Defense Evasion and Credential Access by making malicious traffic appear legitimate." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/AppSync/CreateApiKey.json b/events/AppSync/CreateApiKey.json index 21edb37..d0ce39f 100644 --- a/events/AppSync/CreateApiKey.json +++ b/events/AppSync/CreateApiKey.json 
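Review bot: The `T1588- Obtain Capabilities` entry names a Resource Development technique, which covers capabilities an adversary acquires outside the victim before an intrusion; issuing certificates from the victim's own private CA with credentials already in hand is closer to `T1649 - Steal or Forge Authentication Certificates`, which is absent from this list. The `T1078` reason ends with a trailing space inside the string (`... within the cloud infrastructure. "`), which will leak into any rendered output, and `trustd CA` is a typo.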
@@ -11,6 +11,31 @@
 "T1578 - Modify Cloud Compute Infrastructure",
 "T1556 - Modify Authentication Process"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "API keys are a form of credentials that attackers can use to gain and maintain access to cloud services."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations."
+ },
+ {
+ "technique": "T1550.001 - Use Alternate Authentication Material: Application Access Token",
+ "reason": "API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "Attackers can use API keys to route their malicious traffic through a AppSync, which acts here as a proxy, hiding their true origin and bypassing security measures."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/AppSync/GetIntrospectionSchema.json b/events/AppSync/GetIntrospectionSchema.json
index 7d721e0..d0ddc81 100644
--- a/events/AppSync/GetIntrospectionSchema.json
+++ b/events/AppSync/GetIntrospectionSchema.json
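Review bot: The `T1531 - Account Access Removal` reason says API keys "can be used to remove legitimate accounts", but an AppSync API key only authorizes calls to the GraphQL API; it cannot remove accounts, so this mapping is not supported by what CreateApiKey does. The `T1090 - Proxy` reason ("route their malicious traffic through a AppSync, which acts here as a proxy") likewise describes a use the key does not enable, and has a grammar slip (`a AppSync`). Since the field is explicitly unverified, keeping only reasons that follow from the API's behaviour is what makes the list usable by a detection engineer.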
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "The GetIntrospectionSchema API call can be used to gather detailed information about the structure of an AWS AppSync GraphQL schema. This can help in identifying user roles, permissions, and accounts associated with the schema in this AWS account."
+ },
+ {
+ "technique": "T1590: Gather Victim Network Information",
+ "reason": "Through the introspection schema, an attacker can identify dependencies and integrations with other network services or external APIs, revealing trust relationships and potential attack vectors. By retrieving the introspection schema, an attacker can map out the network structure as exposed by the GraphQL API, including services, endpoints, and connections within the AWS environment."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/AppSync/UpdateGraphqlApi.json b/events/AppSync/UpdateGraphqlApi.json
index 530b755..4b5c7a7 100644
--- a/events/AppSync/UpdateGraphqlApi.json
+++ b/events/AppSync/UpdateGraphqlApi.json
@@ -11,6 +11,35 @@
 "T1578 - Modify Cloud Compute Infrastructure",
 "T1556 - Modify Authentication Process"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1136 - Create Account",
+ "reason": "An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges."
+ },
+ {
+ "technique": "T1212 - Exploitation for Credential Dumping",
+ "reason": "Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "The API call might be used to modify or obfuscate logs and configurations to avoid detection."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "By updating the API, attackers might ensure they can access privileged accounts for persistent access."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/AppSync/UpdateResolver.json b/events/AppSync/UpdateResolver.json
index 72d72c3..2ab2449 100644
--- a/events/AppSync/UpdateResolver.json
+++ b/events/AppSync/UpdateResolver.json
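Review bot: `T1078 - Valid Accounts` appears twice in the new `unverifiedMitreAttackTechniques` array (second and sixth entries) with different reasons; a uniqueness check on `technique` per file would catch this. `T1212 - Exploitation for Credential Dumping` is not the ATT&CK name — T1212 is "Exploitation for Credential Access", as the GetCertificate hunk spells it — and its reason describes altering application behaviour rather than exploiting a vulnerability, so the entry may not belong at all.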
@@ -11,6 +11,43 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1556 - Modify Authentication Process" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1136 - Create Account", + "reason": "Using the UpdateResolver API, an adversary can manipulate the AppSync resolver to create new user accounts with specific roles or permissions, enabling persistent access to the AWS environment." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By updating the resolver, adversaries can utilize valid credentials to access AppSync and maintain persistence." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Adversaries can update resolvers to manipulate logs or delete records, evading detection by altering or concealing their tracks." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Adversaries can use the UpdateResolver API to revoke access for legitimate users, thereby preventing them from detecting the adversarial activities." + }, + { + "technique": "T1003 - Credential Dumping", + "reason": "By updating the resolver to capture sensitive data passed through AppSync, adversaries could dump credentials for further exploitation." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Modifying the resolver might allow adversaries to covertly communicate using AppSync's standard protocols, blending in with normal traffic and evading network defenses." + }, + { + "technique": "T1562.001 - Impair Defenses: Disable or Modify Tools", + "reason": "An adversary might update the resolver to disable security tools or modify their behavior, thereby evading detection and maintaining access." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "By updating resolvers, adversaries can obfuscate the information passed through AppSync, making it difficult to detect malicious activities within the data flow." 
+ } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Athena/GetQueryResults.json b/events/Athena/GetQueryResults.json index cdf0cbc..613c165 100644 --- a/events/Athena/GetQueryResults.json +++ b/events/Athena/GetQueryResults.json @@ -7,7 +7,28 @@ "TA0007 - Discovery" ], "mitreAttackTechniques": [ - "T1580 - Cloud Infrastructure Discovery" + "T1580 - Cloud Infrastructure Discovery" + ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "GetQueryResults can be used to gather information about the Athena environment, such as the metadata of the queries and databases. This can reveal insights about the system configuration and the types of data stored." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Athena queries can access and retrieve data from various repositories like S3. GetQueryResults is used to obtain this data, making it a critical step in extracting information from these repositories." + }, + { + "technique": "T1039 - Data from Network Shared Drive", + "reason": " If Athena queries target data stored in network shared drives (like those mounted on EC2 instances and accessible via S3), the GetQueryResults API will be used to collect this data." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers may stage data in a specific location after retrieving it with GetQueryResults before exfiltration. This staging is a preparatory step for further data handling or analysis." + } ], "usedInWild": true, "incidents": [ diff --git a/events/Bedrock/CreateFoundationModelAgreement.json b/events/Bedrock/CreateFoundationModelAgreement.json index 6584907..c81d7ea 100644 --- a/events/Bedrock/CreateFoundationModelAgreement.json +++ b/events/Bedrock/CreateFoundationModelAgreement.json 
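Review bot: `T1003 - Credential Dumping` uses the pre-2020 name; the current ATT&CK name is "OS Credential Dumping" and it is scoped to host credential stores, so capturing data that passes through a resolver arguably fits `T1557 - Adversary-in-the-Middle` or `T1552 - Unsecured Credentials` better. `T1562.001 - Impair Defenses: Disable or Modify Tools` is a sub-technique listed among techniques while `mitreAttackSubTechniques` is left empty. The UpdateResolver hunk starts on the previous line.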
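Review bot: The `-`/`+` pair for `"T1580 - Cloud Infrastructure Discovery"` in the Athena hunk shows no visible change, so the line differs only in whitespace; a formatter pass on the event files would keep such churn out of reviews. The `T1039 - Data from Network Shared Drive` reason opens with a leading space (`" If Athena ...`) and describes S3-backed data as a network shared drive, which does not match what Athena queries; `T1530 - Data from Cloud Storage` is the technique that covers results read from S3.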
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/GetFoundationModelAvailability.json b/events/Bedrock/GetFoundationModelAvailability.json
index bdda084..1fbf0a6 100644
--- a/events/Bedrock/GetFoundationModelAvailability.json
+++ b/events/Bedrock/GetFoundationModelAvailability.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system."
+ },
+ {
+ "technique": "T1590 - Gather Victim Network Information",
+ "reason": "The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/GetModelInvocationLoggingConfiguration.json b/events/Bedrock/GetModelInvocationLoggingConfiguration.json
index 89656b6..d974a08 100644
--- a/events/Bedrock/GetModelInvocationLoggingConfiguration.json
+++ b/events/Bedrock/GetModelInvocationLoggingConfiguration.json
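Review bot: The `T1098 - Account Manipulation` reason for CreateFoundationModelAgreement claims agreements "can be used to manipulate account permissions" and be created "with elevated privileges", but as far as the Bedrock API documents it a model agreement records acceptance of a model's terms and carries no permissions, so the mapping is unsupported by the call's behaviour. If the entry stays, the reason should be limited to what the call does, e.g. `Accepting a model agreement is a prerequisite for invoking that model, so it can precede resource hijacking.`.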
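Review bot: `T1590 - Gather Victim Network Information` in the GetFoundationModelAvailability hunk is a Reconnaissance technique for pre-intrusion collection from outside the victim, and its reason speaks of "valuable host information", which is a different category again; an authenticated availability query is already covered by the verified `T1580` entry, so this item adds a mismatched label rather than a new mapping.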
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms." + }, + { + "technique": "T1518.001 - Software Discovery", + "reason": "Understanding how model invocation is logged can reveal what security software is in use." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Knowing the logging configuration can help attackers understand how to disable or evade defensive logging." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers might tailor their command and control communication methods based on the logging configurations discovered." + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Bedrock/GetUseCaseForModelAccess.json b/events/Bedrock/GetUseCaseForModelAccess.json index 3cecb18..27c902c 100644 --- a/events/Bedrock/GetUseCaseForModelAccess.json +++ b/events/Bedrock/GetUseCaseForModelAccess.json 
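Review bot: `T1518.001 - Software Discovery` pairs a sub-technique ID with the parent name: T1518 is "Software Discovery" and T1518.001 is "Security Software Discovery", and as a sub-technique it belongs in the still-empty `mitreAttackSubTechniques` array. The `T1212` reason about `textDataDeliveryEnabled` / `imageDataDeliveryEnabled` is the one concrete observation in the list, but reading credentials that appear in delivered prompt logs is `T1552 - Unsecured Credentials`, not exploitation of a vulnerability.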
@@ -9,6 +9,35 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts: Cloud Accounts",
+ "reason": "If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information about model access use cases, which may aid further malicious activity."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery."
+ },
+ {
+ "technique": "T1005 - Data from Local System",
+ "reason": "The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage",
+ "reason": "If the GetUseCaseForModelAccess API provides links or references to data stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data."
+ },
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": "An attacker could script the API call to automatically extract and exfiltrate information about model use cases over time."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/InvokeModel.json b/events/Bedrock/InvokeModel.json
index 8a3f8c6..600765a 100644
--- a/events/Bedrock/InvokeModel.json
+++ b/events/Bedrock/InvokeModel.json
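Review bot: `T1078 - Valid Accounts: Cloud Accounts` attaches the parent ID to the name of the sub-technique (Cloud Accounts is T1078.004); use `"technique": "T1078.004 - Valid Accounts: Cloud Accounts"` or drop the suffix, and be consistent with PutFoundationModelEntitlement and LookupEvents in this commit, which write the parent as `T1078 - Valid Accounts`. The T1074 reason begins with the literal prefix `Step-by-step explanation: `, which reads as a leftover from a generated draft and should be removed before the text is shown on a dashboard.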
@@ -11,6 +11,23 @@
 "T1580 - Cloud Infrastructure Discovery",
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": "The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information"
+ },
+ {
+ "technique": "T1567 - Exfiltration Over Web Service",
+ "reason": "An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers."
+ },
+ {
+ "technique": "T1203 - Exploitation for Client Execution",
+ "reason": "Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/InvokeModelWithResponseStream.json b/events/Bedrock/InvokeModelWithResponseStream.json
index cb69009..f681645 100644
--- a/events/Bedrock/InvokeModelWithResponseStream.json
+++ b/events/Bedrock/InvokeModelWithResponseStream.json
@@ -9,6 +9,31 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "Attackers could potentially exploit the model invocation process to execute arbitrary commands or scripts, depending on how the input data to the model is handled and interpreted."
+ },
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": "The streaming response can be used to automatically exfiltrate data as it is processed by the model."
+ },
+ {
+ "technique": "T1041 - Exfiltration Over C2 Channel",
+ "reason": "The streaming response feature can be exploited to send sensitive data back to an attacker over an established C2 channel."
+ },
+ {
+ "technique": "T1005 - Data from Local System",
+ "reason": "If the Bedrock model has access to and processes local system data, attackers could leverage the API call to collect sensitive information. This scenario assumes that the model's processing involves data that might include confidential or proprietary information."
+ },
+ {
+ "technique": "T1071.004 - Application Layer Protocol: DNS",
+ "reason": "DNS can be used for exfiltration or command and control if the model's streaming response can be encoded into DNS queries/responses."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/ListFoundationModelAgreementOffers.json b/events/Bedrock/ListFoundationModelAgreementOffers.json
index df45190..68ee97c 100644
--- a/events/Bedrock/ListFoundationModelAgreementOffers.json
+++ b/events/Bedrock/ListFoundationModelAgreementOffers.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1591.002 - Gather Victim Org Information: Business Relationships",
+ "reason": "The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details."
+ },
+ {
+ "technique": "T1591 - Gather Victim Org Information",
+ "reason": "This API call might yield information about the internal structure of the organization, such as departments or teams involved with foundation models, contributing to a broader understanding of the target's organizational setup."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/ListFoundationModels.json b/events/Bedrock/ListFoundationModels.json
index c5c8a61..5ae3422 100644
--- a/events/Bedrock/ListFoundationModels.json
+++ b/events/Bedrock/ListFoundationModels.json
@@ -9,6 +9,31 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Listing foundation models can help an adversary understand what cloud resources are available and their configurations"
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment"
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Listing foundation models helps in gathering detailed system information."
+ },
+ {
+ "technique": "T1482 - Domain Trust Discovery",
+ "reason": "Adversaries may list foundation models to understand the trust relationships and dependencies between different cloud resources."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/ListProvisionedModelThroughputs.json b/events/Bedrock/ListProvisionedModelThroughputs.json
index f63d699..052acbe 100644
--- a/events/Bedrock/ListProvisionedModelThroughputs.json
+++ b/events/Bedrock/ListProvisionedModelThroughputs.json
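Review bot: The `T1087 - Account Discovery` reason ("what cloud resources are available and their configurations") is the justification for T1580, which this file already lists as a verified technique, and says nothing about accounts; either state what account information ListFoundationModels exposes or drop the entry. T1057 (Process Discovery) and T1482 (Domain Trust Discovery) are host and directory techniques, and their reasons here are equally generic, so a short clause in each on why the mapping is tentative would help whoever works through the unverified list. Two reasons in this hunk (T1087, T1069) also lack the terminating period the others have.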
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087.004 - Cloud Account",
+ "reason": "The ListProvisionedModelThroughputs API call can help an attacker identify active cloud accounts and associated resources by listing the provisioned models, providing insight into the resources allocated in the cloud environment."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "This API call can be used to gather information about the configuration and state of the provisioned model throughputs, which contributes to understanding the system's current setup and operational status."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "By listing provisioned model throughputs, an attacker can potentially identify models and associated data stored in cloud storage, enabling them to target specific data repositories."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Legitimate cloud accounts with access to this API call can be used to gather information on provisioned models. If an attacker gains control of such an account, they can enumerate resources to assess what data and services are available within the cloud environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/PutFoundationModelEntitlement.json b/events/Bedrock/PutFoundationModelEntitlement.json
index 5230214..207d20e 100644
--- a/events/Bedrock/PutFoundationModelEntitlement.json
+++ b/events/Bedrock/PutFoundationModelEntitlement.json
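Review bot: `T1530 - Data from Cloud Storage Object` labels the same technique differently from `T1530 - Data from Cloud Storage` in GetUseCaseForModelAccess and LookupEvents in this commit, so one ID will show up under two names wherever the data is grouped by technique; pick one spelling (the shorter form is, as far as I know, the current ATT&CK name). Likewise `T1087.004 - Cloud Account` omits the parent prefix that the other sub-technique entries use (`T1071.004 - Application Layer Protocol: DNS`), so `"technique": "T1087.004 - Account Discovery: Cloud Account"` would be consistent.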
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": ""
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Authorized accounts might be modified or managed to maintain persistent access to foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. Access might be granted to default accounts, which could be exploited if not properly managed. Local accounts could be granted access, potentially leading to unauthorized activities within the environment."
+ },
+ {
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Bedrock/PutUseCaseForModelAccess.json b/events/Bedrock/PutUseCaseForModelAccess.json
index ddc3c64..945f4f9 100644
--- a/events/Bedrock/PutUseCaseForModelAccess.json
+++ b/events/Bedrock/PutUseCaseForModelAccess.json
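Review bot: The `T1098 - Account Manipulation` entry has an empty `reason`, which defeats the purpose of the `unverifiedMitreAttackTechniques` list because a reviewer has nothing to confirm or reject. Either supply one, e.g. `"reason": "Granting a model entitlement changes what an existing principal is allowed to use; tentative, to be confirmed."`, or drop the entry until there is one. A validation step that rejects empty `reason` strings across the event files would catch this class of omission before merge.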
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or maintaining access."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudFormation/CreateStack.json b/events/CloudFormation/CreateStack.json
index 9cc8a6f..70f412f 100644
--- a/events/CloudFormation/CreateStack.json
+++ b/events/CloudFormation/CreateStack.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1136 - Create Account",
+ "reason": "The CreateStack API call can be used to set up new accounts within the cloud environment as part of deploying a CloudFormation stack, which aids in gaining and maintaining access."
+ },
+ {
+ "technique": "T1578 - Modify Cloud Compute Infrastructure",
+ "reason": "The creation of new stacks can be used to modify or add cloud compute infrastructure, which can be part of defense evasion by creating resources that blend into the existing environment."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Creating new stacks could involve setting up new accounts or roles that can be used later, contributing to persistence within the environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudFront/CreateFunction2020_05_31.json b/events/CloudFront/CreateFunction2020_05_31.json
index 7292fd6..854a293 100644
--- a/events/CloudFront/CreateFunction2020_05_31.json
+++ b/events/CloudFront/CreateFunction2020_05_31.json
@@ -9,6 +9,47 @@
 "mitreAttackTechniques": [
 "T1119 - Automated Collection"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "CloudFront functions are written in JavaScript, enabling the execution of scripts."
+ },
+ {
+ "technique": "T1546 - Event Triggered Execution",
+ "reason": "A CloudFront function can be set to trigger on specific events, establishing persistence."
+ },
+ {
+ "technique": "T1562.001 - Impair Defenses",
+ "reason": "CloudFront functions can modify requests and responses, which can be used to evade detection tools."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "The JavaScript code within CloudFront functions can be obfuscated to hide malicious intent."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "CloudFront functions can communicate using web protocols, facilitating command and control."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Functions can be used to remove or alter log files, helping in defense evasion."
+ },
+ {
+ "technique": "T1574 - Hijack Execution Flow",
+ "reason": "CloudFront functions manipulate the flow of requests, which can be seen as hijacking the execution flow within the cloud infrastructure."
+ },
+ {
+ "technique": "T1008 - Fallback Channels",
+ "reason": "CloudFront functions can be designed to use fallback channels for command and control if the primary method is disrupted."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Improperly configured or malicious CloudFront functions can cause application exhaustion, leading to denial-of-service attacks."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudFront/PublishFunction2020_05_31.json b/events/CloudFront/PublishFunction2020_05_31.json
index 59bb1c7..dc78d97 100644
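Review bot: `T1562.001 - Impair Defenses` gives a sub-technique ID with only the parent's name, while the populated `mitreAttackSubTechniques` entries elsewhere in this commit use the form `ID - Parent: Sub-technique`; two more files deviate in other ways, PutEventSelectors writing `T1562.001: Impair Defenses: ...` and CloudWatch/CreateLogStream.json writing `T1562.001 Impair Defenses: ...` with no separator at all. Any consumer that splits these strings on ` - ` will mis-parse those three. Normalising all of them to `"T1562.001 - Impair Defenses: Disable or Modify Tools"` and adding a check along the lines of `^T\d{4}(\.\d{3})? - .+$` over every technique string would keep the catalogue machine-readable.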
--- a/events/CloudFront/PublishFunction2020_05_31.json
+++ b/events/CloudFront/PublishFunction2020_05_31.json
@@ -9,6 +9,47 @@
 "mitreAttackTechniques": [
 "T1119 - Automated Collection"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1560 - Archive Collected Data",
+ "reason": "A published CloudFront function could aggregate and compress data, preparing it for exfiltration."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "A function can be programmed to clean up or remove indicators of compromise, aiding in evasion of detection"
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "Malicious functions can be disguised as legitimate CloudFront functions, hiding malicious activities within seemingly normal operations."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "A CloudFront function could redirect traffic through CloudFront, acting as a proxy and obscuring the origin of command and control traffic."
+ },
+ {
+ "technique": "T1102 - Web Service",
+ "reason": "Leveraging CloudFront functions to interact with web services, enabling command and control via HTTP or HTTPS, blending with regular web traffic"
+ },
+ {
+ "technique": "T1204 - User Execution",
+ "reason": "If the published function requires user interaction or specific conditions to trigger, it aligns with techniques requiring user execution."
+ },
+ {
+ "technique": "T1048 - Exfiltration Over Alternative Protocol",
+ "reason": "A CloudFront function could use alternative protocols for data exfiltration, bypassing standard monitoring tools."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The function may use application layer protocols (HTTP/S) for communication, facilitating command and control or data exfiltration."
+ },
+ {
+ "technique": "T1574 - Hijack Execution Flow",
+ "reason": "The PublishFunction API can be used to modify how CloudFront handles requests, potentially hijacking the execution flow to achieve malicious objectives"
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudFront/UpdateDistribution2020_05_31.json b/events/CloudFront/UpdateDistribution2020_05_31.json
index b2e83f6..88e0038 100644
--- a/events/CloudFront/UpdateDistribution2020_05_31.json
+++ b/events/CloudFront/UpdateDistribution2020_05_31.json
@@ -9,6 +9,51 @@
 "mitreAttackTechniques": [
 "T1119 - Automated Collection"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "An attacker could modify CloudFront distribution settings to remove or alter logging configurations, thus deleting or hiding evidence of malicious activities."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "By updating CloudFront distribution, an attacker can route traffic through CloudFront, effectively hiding the origin of malicious traffic and obfuscating command and control communications."
+ },
+ {
+ "technique": "T1567 - Exfiltration Over Web Service",
+ "reason": "An attacker might reconfigure CloudFront to redirect sensitive data to an external endpoint under their control, facilitating data exfiltration over a web service."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Modifying CloudFront distribution settings can be used to impair security monitoring and defense mechanisms by disabling or altering configurations that are critical for security monitoring."
+ },
+ {
+ "technique": "T1560 - Archive Collected Data",
+ "reason": "An attacker might modify the CloudFront distribution to use cloud storage as a method to archive and exfiltrate collected data."
+ },
+ {
+ "technique": "T1497 - Virtualization/Sandbox Evasion",
+ "reason": "CloudFront configurations can be updated to delay or slow responses, making detection and analysis more difficult, effectively evading automated analysis systems."
+ },
+ {
+ "technique": "T1568 - Dynamic Resolution",
+ "reason": "By updating CloudFront distributions, an attacker can implement domain generation algorithms to dynamically change domain names for command and control, evading detection."
+ },
+ {
+ "technique": "T1095 - Non-Application Layer Protocol",
+ "reason": "By configuring CloudFront to use non-standard protocols for data transmission, an attacker can exfiltrate data or communicate with compromised assets using non-application layer protocols."
+ },
+ {
+ "technique": "T1071.001 - Application Layer Protocol: Web Protocols",
+ "reason": "loudFront can be configured to use common web protocols (HTTP/HTTPS) for malicious command and control communications, blending in with normal traffic and avoiding detection."
+ },
+ {
+ "technique": "T1565.002 - Data Manipulation: Transmitted Data Manipulation",
+ "reason": "Attackers can update CloudFront distribution settings to manipulate data as it transits through CloudFront, altering its content for malicious purposes or exfiltrating manipulated data."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudTrail/DeleteTrail.json b/events/CloudTrail/DeleteTrail.json
index a03533d..7eadc14 100644
--- a/events/CloudTrail/DeleteTrail.json
+++ b/events/CloudTrail/DeleteTrail.json
@@ -9,6 +9,20 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools",
+ "T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting a CloudTrail trail can be seen as an attempt to remove logs that could be used to detect malicious activity, thereby evading detection."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting the CloudTrail trail results in the destruction of important log data, which can impact the ability to investigate and respond to incidents."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudTrail/LookupEvents.json b/events/CloudTrail/LookupEvents.json
index d207c5e..e0c4841 100644
--- a/events/CloudTrail/LookupEvents.json
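Review bot: The T1071.001 reason starts with `loudFront can be configured`, a dropped first letter; it should read `CloudFront can be configured`. Two other reasons in this hunk, T1568 (domain generation algorithms) and T1095 (non-application-layer protocols), describe capabilities a CloudFront distribution does not have as far as I know, since a distribution serves HTTP/HTTPS under fixed hostnames; because the list is explicitly unverified this is tolerable, but a one-clause caveat in those reasons would stop them being read as established behaviour. This hunk begins on the previous line.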
+++ b/events/CloudTrail/LookupEvents.json
@@ -9,6 +9,39 @@
 "mitreAttackTechniques": [
 "T1654 - Log Enumeration"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "The LookupEvents API call can be used to identify information about AWS cloud accounts, potentially revealing new or unused accounts that can be targeted."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage",
+ "reason": "By looking up events, attackers can identify access patterns or sensitive data locations within cloud storage, facilitating data collection or exfiltration."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": " If attackers are trying to access accounts, LookupEvents can help them discover which accounts are being used, aiding in the identification of valid credentials. By using LookupEvents, attackers can gain insights into which accounts have been accessed, helping them target specific accounts for compromise."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "Discovering user activities and patterns can help attackers understand who owns or uses specific systems, making it easier to target high-value accounts."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "LookupEvents can reveal information about the cloud infrastructure, including services and resources used within the environment."
+ },
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": " By understanding event patterns and data flows, attackers can automate the exfiltration of data from the cloud environment."
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "Attackers can use LookupEvents to see which processes or applications are being invoked, gaining insight into the operational environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
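Review bot: Two reason strings here begin with a leading space, `" If attackers are trying ..."` (T1078) and `" By understanding event patterns ..."` (T1020); that whitespace will appear in any rendered output and breaks exact-match comparisons, so trim both. The T1078 reason also consists of two sentences that make the same point and could be reduced to one. The hunk's `+++` header is on this line but its `diff`/`index`/`---` lines are on the previous one.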
diff --git a/events/CloudTrail/PutEventSelectors.json b/events/CloudTrail/PutEventSelectors.json
index f0684f6..789d2a3 100644
--- a/events/CloudTrail/PutEventSelectors.json
+++ b/events/CloudTrail/PutEventSelectors.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001: Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "By configuring event selectors, adversaries can exclude certain activities from being logged, effectively removing traces of their presence and actions, which hinders detection and forensic analysis."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudTrail/StopLogging.json b/events/CloudTrail/StopLogging.json
index ed63c13..bc032f2 100644
--- a/events/CloudTrail/StopLogging.json
+++ b/events/CloudTrail/StopLogging.json
@@ -9,6 +9,16 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools",
+ "T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "By stopping the logging, the adversary prevents the creation of future log entries, effectively removing indicators that would otherwise be generated, thus evading detection and hindering incident response efforts."
+ }
+ ],
 "usedInWild": false,
 "incidents": [
 {
diff --git a/events/CloudTrail/UpdateTrail.json b/events/CloudTrail/UpdateTrail.json
index 05d84ad..d9abaac 100644
--- a/events/CloudTrail/UpdateTrail.json
+++ b/events/CloudTrail/UpdateTrail.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Modifying CloudTrail settings can involve stopping log generation or deleting logs, removing evidence of activities."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Changing CloudTrail settings might require manipulating account permissions or configurations to control logging."
+ },
+ {
+ "technique": "T1537 - Transfer Data to Cloud Account",
+ "reason" : "Updating trail settings could facilitate the transfer of logs or sensitive data to an attacker-controlled cloud account for exfiltration."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudWatch/CreateLogStream copy.json b/events/CloudWatch/CreateLogStream copy.json
index 1616690..b5d0a75 100644
--- a/events/CloudWatch/CreateLogStream copy.json
+++ b/events/CloudWatch/CreateLogStream copy.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1567 - Exfiltration Over Web Service",
+ "reason": "The attacker leverages CloudWatchLogs as an AWS web service to exfiltrate data, making it blend in with legitimate service use."
+ },
+ {
+ "technique": "T1102 - Web Service",
+ "reason": "The attacker uses PutLogEvents to upload sensitive data to CloudWatchLogs, which can then be accessed remotely as part of their command and control strategy."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "The attacker stages collected data on the local system and then uses PutLogEvents to upload it to CloudWatchLogs for further use or exfiltration."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
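Review bot: This hunk extends `events/CloudWatch/CreateLogStream copy.json`, a file whose name marks it as a stray duplicate, and all three reasons added describe `PutLogEvents` rather than `CreateLogStream`, so the content belongs to a different event. Adding mappings here makes the duplicate harder to remove later; the hunk is best dropped and the text, if wanted, moved to a PutLogEvents entry, leaving the CreateLogStream.json hunk that follows as the sole description of log-stream creation. In the UpdateTrail hunk on this same line, `"reason" : ` carries a space before the colon unlike every other key in the commit; a JSON formatter pass would remove it.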
diff --git a/events/CloudWatch/CreateLogStream.json b/events/CloudWatch/CreateLogStream.json
index 444708a..de2d7d7 100644
--- a/events/CloudWatch/CreateLogStream.json
+++ b/events/CloudWatch/CreateLogStream.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "Creating log streams with names that mimic legitimate applications or services helps attackers blend in with normal operations and evade detection."
+ },
+ {
+ "technique": "T1119 - Automated Collection",
+ "reason": "Log streams can be used to automate the collection of log data from various sources within the cloud environment, aiding attackers in data aggregation."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "Using log streams to stage data before it is exfiltrated, organizing it for easy access and transfer."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudWatch/DeleteAlarms.json b/events/CloudWatch/DeleteAlarms.json
index 9fae105..13a8e7a 100644
--- a/events/CloudWatch/DeleteAlarms.json
+++ b/events/CloudWatch/DeleteAlarms.json
@@ -9,6 +9,24 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools",
+ "T1562.006 - Impair Defenses: Indicator Blocking"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting alarms can be part of a broader strategy to destroy or disrupt data by removing key monitoring and alert mechanisms."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "By deleting alarms, an attacker can effectively stop the alerting service from functioning as expected, similar to stopping a service"
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting alarms can be seen as removing indicators of potential issues or past activities, which is a broader form of indicator removal than just file deletion."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudWatch/DeleteLogGroup.json b/events/CloudWatch/DeleteLogGroup.json
index afd433f..1ab9176 100644
--- a/events/CloudWatch/DeleteLogGroup.json
+++ b/events/CloudWatch/DeleteLogGroup.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting log groups removes evidence of activities from log files, thus covering tracks and aiding in evading detection."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Deleting log groups leads to the permanent removal of critical log data, effectively erasing records that could be used for forensic analysis or troubleshooting. This action disrupts the availability of essential logs, potentially causing significant operational impact and hindering incident response efforts."
+ },
+ {
+ "technique": "T1565.001 - Data Manipulation: Stored Data Manipulation",
+ "reason": "The deletion of log groups can be considered a form of data manipulation, as it involves removing stored data, impacting its integrity and availability."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudWatch/DeleteLogStream.json b/events/CloudWatch/DeleteLogStream.json
index 8109ae9..5f3a962 100644
--- a/events/CloudWatch/DeleteLogStream.json
+++ b/events/CloudWatch/DeleteLogStream.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+ "T1562.001 - Impair Defenses: Disable or Modify Tools"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting log streams removes critical log data, effectively erasing evidence of activities that could be used to detect or investigate malicious behavior. This action makes it difficult for defenders to trace the attacker's steps or identify potential indicators of compromise."
+ },
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "The permanent deletion of archived log events constitutes data destruction, impacting the organization’s ability to conduct forensic analysis and understand the scope of an attack."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/CloudWatch/DescribeLogGroups.json b/events/CloudWatch/DescribeLogGroups.json
index 350b0a6..d39efaa 100644
--- a/events/CloudWatch/DescribeLogGroups.json
+++ b/events/CloudWatch/DescribeLogGroups.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "Listing log groups can provide insights into the services and activities running within the AWS environment, aiding in identifying active services and their configurations."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "Describing log groups can reveal information about the systems and their operations, helping in mapping out remote systems within the cloud infrastructure."
+ },
+ {
+ "technique": "T1046 - Network Service Discovery",
+ "reason": "By examining log groups, attackers can understand the network services being utilized and their respective configurations, which is crucial for further discovery and potential exploitation."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Log groups often include data about different user activities and roles, which can be used to discover account details and permissions within the cloud environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/CloudWatch/DescribeLogStreams.json b/events/CloudWatch/DescribeLogStreams.json
index 488e25a..7ae76b7 100644
--- a/events/CloudWatch/DescribeLogStreams.json
+++ b/events/CloudWatch/DescribeLogStreams.json
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Listing log streams can help identify different cloud accounts or services that are being logged." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automating the listing of log streams is a part of setting up a system for automated data collection." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Log streams may include process logs that reveal information about running processes in the environment." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Log streams can help in identifying which users or systems are generating logs, aiding in system owner/user discovery." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "By listing log streams, one can determine the existence of remote systems being logged." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Logs may contain information about system configurations, operating systems, and other details relevant for system information discovery." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Identifying log streams can help in discovering the usage of valid accounts, potentially indicating compromised or misused accounts." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/CloudWatch/DescribeSubscriptionFilters.json b/events/CloudWatch/DescribeSubscriptionFilters.json index afe1ef3..0b1ac77 100644 --- a/events/CloudWatch/DescribeSubscriptionFilters.json +++ b/events/CloudWatch/DescribeSubscriptionFilters.json 
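Review bot: The `T1078 - Valid Accounts` entry does not fit a read-only describe call: its reason talks about discovering which accounts are in use, which the `T1087 - Account Discovery` and `T1033 - System Owner/User Discovery` entries in the same list already cover, whereas T1078 denotes the use of the account itself. Either drop the entry or reword the reason so it names the T1078 behaviour the event evidences, for instance that a compromised identity issuing this call is the valid-account usage a detection would key on. The `T1119 - Automated Collection` reason likewise describes setting up collection rather than an adversary action, so a verifier has nothing to confirm against the event.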
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Attackers might use DescribeSubscriptionFilters to identify log groups and their associated subscription filters, which can provide insight into monitoring and logging configurations specific to cloud infrastructure. This information helps attackers understand the cloud environment and its accounts." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "By listing subscription filters, attackers can determine what types of network services and activities are being monitored. This can help them identify potential targets or services that are not being adequately monitored." + }, + { + "technique": "T1007 - System Service Discovery", + "reason": "DescribeSubscriptionFilters can reveal details about the log group's configuration, helping attackers discover how system services are being logged and monitored. This can aid in understanding the security posture and identifying potential weaknesses." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/CloudWatch/GetLogRecord.json b/events/CloudWatch/GetLogRecord.json index d428638..9243e11 100644 --- a/events/CloudWatch/GetLogRecord.json +++ b/events/CloudWatch/GetLogRecord.json 
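Review bot: `"technique": "T1046 - Network Service Scanning"` uses the pre-rename technique name; T1046 is now titled "Network Service Discovery", which is the form the DescribeLogGroups and CreateRoute hunks in this same change use. Change it to `"technique": "T1046 - Network Service Discovery",` so the label is consistent across the data set. If any downstream consumer matches these labels against ATT&CK names, the stale name would silently fail to resolve.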
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087.004 - Account Discovery: Cloud Account", + "reason": "Retrieving log records can help identify details about cloud accounts in use, such as who accessed certain services and when." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Logs may contain information about processes running in the cloud environment, which can help in identifying active processes and their behavior." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Log records can reveal information about system owners or users who are interacting with the cloud environment, such as user activity logs and access patterns." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/CloudWatch/PutLogEvents.json b/events/CloudWatch/PutLogEvents.json index 1616690..3be9cf0 100644 --- a/events/CloudWatch/PutLogEvents.json +++ b/events/CloudWatch/PutLogEvents.json 
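Review bot: `T1087.004 - Account Discovery: Cloud Account` is a sub-technique placed in `unverifiedMitreAttackTechniques`, whose other entries are parent techniques, while this hunk leaves `mitreAttackSubTechniques` empty; the sibling files keep sub-technique IDs in the latter field. A consumer that splits the label on the first `-` and expects a parent ID may treat this entry differently, so either list `T1087 - Account Discovery` here and move the sub-technique up, or document in the schema that sub-technique IDs are permitted in both fields. PutLogEvents (`T1036.004`) and GetCostAndUsage (`T1071.001`) have the same mix.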
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers may obfuscate the content of logs or include obfuscated commands in logs to avoid detection and analysis." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Logs might be staged in a certain format before being uploaded, allowing attackers to organize and structure the data for further analysis or exfiltration." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The use of AWS APIs like PutLogEvents to communicate can serve as a method to transfer data stealthily." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automated tools or scripts could be used to collect and upload log data regularly to CloudWatchLogs for monitoring or further use." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Logs from various information repositories might be collected and uploaded to CloudWatchLogs to facilitate data aggregation and analysis." + }, + { + "technique": "T1029 - Scheduled Transfer", + "reason": "Log uploads could be scheduled at specific intervals to CloudWatchLogs to ensure consistent data transfer." + }, + { + "technique": "T1036.004 - Masquerading", + "reason": "An attacker might disguise malicious activities or uploads as legitimate CloudWatch log entries to evade detection." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Cognito/GetCredentialsForIdentity.json b/events/Cognito/GetCredentialsForIdentity.json index f5587dc..23880b2 100644 --- a/events/Cognito/GetCredentialsForIdentity.json +++ b/events/Cognito/GetCredentialsForIdentity.json 
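Review bot: `"T1036.004 - Masquerading"` drops the sub-technique name; ATT&CK T1036.004 is "Masquerade Task or Service", so the label should read `"T1036.004 - Masquerading: Masquerade Task or Service"` in the `Parent: Sub` form the sub-technique lists elsewhere in this change use. Several reasons in this list (T1119, T1213, T1029) describe routine log shipping "for monitoring or further use" rather than an adversary action, which gives whoever verifies them, and any detection engineer reading them, nothing to confirm against the event. Phrasing each as what the adversary does with PutLogEvents, as the T1027 and T1036.004 entries already do, would make them actionable.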
@@ -9,6 +9,30 @@ "mitreAttackTechniques": [ "T1078 - Valid Accounts" ], + "mitreAttackSubTechniques": [ + "T1078.004: Valid Accounts: Cloud Accounts", + "T1078.001: Valid Accounts: Default Accounts", + "T1078.003: Valid Accounts: Local Accounts", + "T1078.002: Valid Accounts: Domain Accounts" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1550.004: Use Alternate Authentication Material: Web Session Cookie", + "reason": "Attackers may use credentials obtained from this API to generate session tokens or cookies for web sessions." + }, + { + "technique": "T1212: Exploitation for Credential Access", + "reason": "Exploiting the GetCredentialsForIdentity API call can be a direct method to gain credentials." + }, + { + "technique": "T1528: Steal Application Access Token", + "reason": "The credentials obtained from the API call could include tokens that grant access to applications, allowing attackers to impersonate legitimate users or services." + }, + { + "technique": "T1098: Account Manipulation", + "reason": "With the credentials returned by this API call, attackers might manipulate account settings or permissions to maintain access or escalate privileges." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Cognito/GetId.json b/events/Cognito/GetId.json index 54f2e4b..da365db 100644 --- a/events/Cognito/GetId.json +++ b/events/Cognito/GetId.json 
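Review bot: The technique labels in this hunk use a colon after the ID (`"T1078.004: Valid Accounts: Cloud Accounts"`, `"T1212: Exploitation for Credential Access"`) while every other file in the change uses ` - `; CreateRoute further down mixes both forms (`T1070: Indicator Removal` beside `T1078 - Valid Accounts`). Normalising to `"T1078.004 - Valid Accounts: Cloud Accounts"` keeps the `ID - Name` convention parseable by a single rule. The Default, Local and Domain Accounts sub-techniques also look out of place for an identity-pool credential exchange, which yields temporary AWS credentials for a cloud account; unless there is a rationale not shown here, T1078.004 alone seems the defensible mapping, and since sub-techniques carry no `reason` field the rationale has nowhere to live.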
@@ -9,6 +9,25 @@ "mitreAttackTechniques": [ "T1078 - Valid Accounts" ], + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1078.002 - Valid Accounts: Domain Accounts", + "T1078.001 - Valid Accounts: Default Accounts" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1110 - Brute Force", + "reason": "Attackers might attempt to generate or retrieve multiple IdentityIDs through brute force, seeking unauthorized access." + }, + { + "technique": "T1589 - Gather Victim Identity Information", + "reason": "The Logins parameter allows attackers to gather or brute-force information tied to identity providers (e.g., linked Google or Facebook accounts), which might reveal valuable identity information." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By retrieving an IdentityId, attackers could discover cloud accounts linked to multiple identity providers, which might give them further access or knowledge about an organization's cloud infrastructure." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Config/DeleteConfigRule.json b/events/Config/DeleteConfigRule.json index 9501fc6..6747d81 100644 --- a/events/Config/DeleteConfigRule.json +++ b/events/Config/DeleteConfigRule.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "By deleting configuration rules and their results, an attacker could be aiming to destroy security data that would alert defenders to their activities." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "While not directly causing a denial of service, deleting config rules could indirectly contribute by removing mechanisms that ensure the stability and compliance of services." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
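Review bot: In the DeleteConfigRule hunk, the `T1499 - Endpoint Denial of Service` entry concedes in its own reason that the call is "not directly causing a denial of service", so it records a mapping the author has already rejected; carrying such entries in an unverified list dilutes the signal for whoever verifies them. Drop the entry, or keep only mappings whose reason states a positive link the way the `T1485 - Data Destruction` entry above it does. The surrounding JSON object begins and ends outside the hunk.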
diff --git a/events/Config/DeleteConfigurationRecorder.json b/events/Config/DeleteConfigurationRecorder.json index ed0bc9f..8075447 100644 --- a/events/Config/DeleteConfigurationRecorder.json +++ b/events/Config/DeleteConfigurationRecorder.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting the configuration recorder aligns with the broader goal of eliminating records that could be used for forensic purposes, removing indicators of compromise." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Disabling the configuration recorder could be part of manipulating accounts or roles to evade detection and maintain control over the environment." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Config/DeleteDeliveryChannel.json b/events/Config/DeleteDeliveryChannel.json index 86b3d2f..582a7ed 100644 --- a/events/Config/DeleteDeliveryChannel.json +++ b/events/Config/DeleteDeliveryChannel.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the delivery channel, logs that might contain evidence of malicious activities are removed." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting the delivery channel could be part of a broader tactic to destroy data, including configuration logs that are crucial for incident response and auditing." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Config/StopConfigurationRecorder.json b/events/Config/StopConfigurationRecorder.json index d439996..03d45ed 100644 
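Review bot: The `T1098 - Account Manipulation` entry for DeleteConfigurationRecorder is unsupported by its reason, which only says the deletion "could be part of manipulating accounts or roles"; the call changes no principal, permission or credential, so nothing in the event maps to T1098. Replacing it with `T1562.008 - Impair Defenses: Disable or Modify Cloud Logs`, or simply leaving the `T1070 - Indicator Removal` entry on its own, keeps the list to mappings a verifier can confirm from the event itself.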
--- a/events/Config/StopConfigurationRecorder.json +++ b/events/Config/StopConfigurationRecorder.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "By stopping the configuration recorder, an attacker can effectively disrupt the ability to track and monitor changes, which can be a precursor to or part of a broader data destruction strategy." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Stopping a critical service like the configuration recorder can be part of a larger strategy to disrupt services, resulting in a loss of visibility and monitoring, hence impacting the organization." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/CostExplorer/GetCostAndUsage.json b/events/CostExplorer/GetCostAndUsage.json index 98ab789..d0b26a1 100644 --- a/events/CostExplorer/GetCostAndUsage.json +++ b/events/CostExplorer/GetCostAndUsage.json 
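Review bot: `T1485 - Data Destruction` does not match what its reason describes: stopping the recorder halts future change tracking but destroys no existing data, so the entry would fail verification on its own text. `T1489 - Service Stop` below it already captures the disruption; either remove the T1485 entry or reword its reason around loss of visibility, which is the T1562 effect the verified entry already states.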
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The attacker calls the GetCostAndUsage API to gather detailed usage information about the AWS resources being utilized. By analyzing the cost and usage data, the attacker can infer details about the types of services, their usage patterns, and potentially the structure of the environment." + }, + { + "technique": "T1518 - Software Discovery", + "reason": "By reviewing the cost and usage metrics, the attacker identifies expenditures related to security services (e.g., GuardDuty, CloudTrail). This information helps the attacker understand the security posture and tools in use, potentially avoiding or disabling them during an attack." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "The attacker uses the GetCostAndUsage API to access billing and usage metrics stored in the AWS CostExplorer service. This data is collected to understand the financial and resource allocation details of the target environment." + }, + { + "technique": "T1071.001 - Application Layer Protocol: Web Protocols", + "reason": "The attacker uses web protocols (e.g., HTTPS) to interact with the CostExplorer service and retrieve cost and usage metrics. The data collected is then sent over the web protocol to a remote server controlled by the attacker." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The attacker scripts the retrieval of cost and usage metrics using the GetCostAndUsage API. This script regularly exfiltrates data, providing continuous updates to the attacker on the victim's cloud usage patterns." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "The attacker stores the retrieved cost and usage data in a cloud storage object (e.g., S3 bucket). 
This stored data is later accessed or transferred to the attacker's own environment for further analysis or sale." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/AttachVolume.json b/events/EC2/AttachVolume.json index 70b3520..4372f51 100644 --- a/events/EC2/AttachVolume.json +++ b/events/EC2/AttachVolume.json 
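Review bot: The reason for `T1530 - Data from Cloud Storage Object` appears to contain a line break inside the JSON string ("(e.g. S3 bucket). " / "This stored data ..."); if that is a literal newline in the file rather than an artefact of how the patch was rendered, the file is no longer valid JSON and the string needs joining onto one line. The reasons in this hunk are also written as a declarative step-by-step narrative ("The attacker calls ...", "The attacker stores ...") for a list that is explicitly unverified, and several of them (T1071.001, T1020, T1530) describe what happens after the API call rather than the call itself, which is all the CloudTrail event records. Keeping each reason to the observable effect of GetCostAndUsage, in the hedged "may" register the other files use, would make them checkable against the event.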
@@ -9,6 +9,51 @@ "mitreAttackTechniques": [ "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "By attaching or detaching volumes, attackers can manipulate account settings or the environment to further their objectives, such as making specific data accessible or inaccessible." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might attach volumes that appear legitimate or contain misleading data, thereby disguising their malicious activities." + }, + { + "technique": "T1074 - Data Staged", + "reason": "EBS volumes can be used to stage data for exfiltration or further manipulation by the attackers." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Attackers can use attached volumes to transfer tools, scripts, or other malicious files into the target environment." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Malicious actors can store obfuscated data or tools on an EBS volume to evade detection mechanisms." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Attackers may attach volumes to archive collected data for exfiltration or future use, leveraging the storage capacity of the EBS volumes." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "By attaching a volume that contains information repositories, attackers can access and extract sensitive data stored within these repositories" + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "Attackers can attach volumes that contain cloud storage objects, allowing them to access and manipulate the data stored within these objects." + }, + { + "technique": "T1030 - Data Transfer Size Limits", + "reason": "Attackers may attach EBS volumes to instances to handle large amounts of data transfer without triggering size-based detection mechanisms." 
+ }, + { + "technique": "T1005 - Data from Local System", + "reason": "By attaching an EBS volume, attackers can access and extract data from the local file system of the EC2 instance." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/AuthorizeSecurityGroupEgress.json b/events/EC2/AuthorizeSecurityGroupEgress.json index c4bfd2e..7c6eae0 100644 --- a/events/EC2/AuthorizeSecurityGroupEgress.json +++ b/events/EC2/AuthorizeSecurityGroupEgress.json @@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1048 - Exfiltration Over Alternative Protocol" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1040 - Network Sniffing", + "reason": "Outbound rules can be adjusted to send traffic to specific external destinations, which may allow attackers to capture or monitor network traffic for sensitive information." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers can use specific egress rules to allow communication over commonly used application layer protocols." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers can set up egress rules to exfiltrate staged data through approved channels." + }, + { + "technique": "T1021 - Remote Services", + "reason": "By setting egress rules, attackers can allow outbound traffic for remote desktop connections, facilitating lateral movement." + }, + { + "technique": "T1095 - Non-Application Layer Protocol", + "reason": "Attackers might configure rules to allow exfiltration using non-standard protocols." + }, + { + "technique": "T1571 - Non-Standard Port", + "reason": "By authorizing specific outbound ports, attackers can use non-standard ports for communication to evade defenses." + }, + { + "technique": "T1599 - Network Boundary Bridging", + "reason": "Attackers can use egress rules to bridge network boundaries, aiding lateral movement or exfiltration" + } + ], "usedInWild": true, "incidents": [ { 
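Review bot: In the AttachVolume hunk, `"T1530 - Data from Cloud Storage"` is missing the word "Object"; the GetCostAndUsage and CreateKeyPair hunks spell it `T1530 - Data from Cloud Storage Object`, which is ATT&CK's name, so change it to `"technique": "T1530 - Data from Cloud Storage Object",`. The `T1098 - Account Manipulation` reason ("manipulate account settings or the environment") describes no change to a principal or permission, so that entry reads as a mis-mapping rather than an unverified one and should probably be dropped.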
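Review bot: In the AuthorizeSecurityGroupEgress hunk, the `T1040 - Network Sniffing` reason does not follow from an egress rule: permitting outbound traffic to a destination does not let anyone capture traffic, so the entry maps the API to a technique it cannot perform. The `T1021 - Remote Services` reason ("outbound traffic for remote desktop connections") describes the instance initiating a session outward, which is a use of the rule rather than lateral movement enabled by it. Tightening both to the outbound-channel effect, which the T1048, T1571 and T1095 entries already cover, keeps the list verifiable.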
diff --git a/events/EC2/AuthorizeSecurityGroupIngress.json b/events/EC2/AuthorizeSecurityGroupIngress.json index 3cb6d61..b3e90ae 100644 --- a/events/EC2/AuthorizeSecurityGroupIngress.json +++ b/events/EC2/AuthorizeSecurityGroupIngress.json @@ -11,6 +11,35 @@ "T1098 - Account Manipulation", "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1133 - External Remote Services", + "reason": "By adding or modifying ingress rules, attackers can enable remote access to the EC2 instances, which is a direct use of the AuthorizeSecurityGroupIngress API call to allow external services." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Attackers can use the API call to allow inbound traffic, facilitating the transfer of tools or payloads directly into the compromised environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying security group rules to disable defenses or monitoring directly involves the AuthorizeSecurityGroupIngress API call." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Discovering which permission groups can modify security group rules is directly relevant as it informs the attacker's strategy to use the AuthorizeSecurityGroupIngress API call." + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "If an attacker exploits a vulnerability and gains access to an AWS account, they might use the AuthorizeSecurityGroupIngress API call to allow them to exploit applications that were not previously reachable." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers might modify ingress rules to allow traffic through a proxy, enabling them to route malicious traffic through the compromised environment." + } + ], "usedInWild": true, "incidents": [ { 
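Review bot: The `T1069 - Permission Groups Discovery` reason ("discovering which permission groups can modify security group rules") describes reconnaissance done before the call, not something AuthorizeSecurityGroupIngress performs or that its CloudTrail event evidences, so it cannot be verified against this event. The `T1562 - Impair Defenses` reason likewise asserts that opening an ingress rule disables "defenses or monitoring", which the call does not do; narrowing it to the perimeter-weakening effect, or dropping it, leaves only mappings grounded in the event. Sub-technique coverage is also partial: `T1021.004 - Remote Services: SSH` is listed but the RDP sibling `T1021.001 - Remote Services: Remote Desktop Protocol`, which the CreateSecurityGroup hunk lists for the same kind of rule, is not.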
diff --git a/events/EC2/CreateDefaultVpc.json b/events/EC2/CreateDefaultVpc.json index 97b4ec8..216d449 100644 --- a/events/EC2/CreateDefaultVpc.json +++ b/events/EC2/CreateDefaultVpc.json @@ -11,6 +11,23 @@ "T1098 - Account Manipulation", "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1021 - Remote Services", + "reason": "With a default VPC in place, adversaries can use it to establish connections between various services, facilitating lateral movement across different instances and resources." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "The VPC configuration can be exploited to set up remote access points, which adversaries can use to maintain command and control over compromised resources." + }, + { + "technique": "T1041 - Exfiltration Over C2 Channel", + "reason": "Once command and control is established within the VPC, data can be exfiltrated through these channels without raising immediate suspicion, leveraging the network infrastructure." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/CreateImage.json b/events/EC2/CreateImage.json index cd79f31..aeebbc7 100644 --- a/events/EC2/CreateImage.json +++ b/events/EC2/CreateImage.json 
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Attackers can create an AMI, then analyze the offline image to perform credential dumping, extracting sensitive information from the instance's filesystem" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers can create an AMI from an instance, disable or alter security tools and configurations within the AMI, and redeploy the compromised AMI to evade detection and maintain control." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Creating an AMI involves creating a snapshot of the instance's state. Attackers can use this snapshot to capture and analyze the data and configurations of the instance, which may include sensitive information or enable further attacks." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers can use the CreateImage API to create an AMI from an instance they control. This AMI can then be used to deploy new instances with pre-configured settings, including backdoors or other malicious configurations, effectively manipulating accounts and resources within the cloud environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/CreateInstanceExportTask.json b/events/EC2/CreateInstanceExportTask.json index 394c8e4..5e64224 100644 --- a/events/EC2/CreateInstanceExportTask.json +++ b/events/EC2/CreateInstanceExportTask.json 
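Review bot: `T1578 - Modify Cloud Compute Infrastructure` is listed only as a parent while `mitreAttackSubTechniques` stays empty; ATT&CK's `T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot` is the entry that names image and snapshot creation directly and belongs in the sub-technique list here. The CreateSnapshot hunk further down has the same gap and does not list T1578 at all. The `T1003 - OS Credential Dumping` reason is plausible but describes offline analysis of the image, which CloudTrail never records, so it is right to keep it unverified and worth saying so in the reason.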
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1005 - Data from Local System" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Exporting an EC2 instance to an S3 bucket involves transferring data over a web service, which aligns with exfiltrating data through a web-based method." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The export task utilizes application layer protocols for communication, relevant for exfiltrating data using such protocols." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Exporting an EC2 instance to an S3 bucket involves moving data within the same cloud account and region, but it still represents a transfer of potentially sensitive data to another location within the cloud. " + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "The export task could be used in combination with other tactics to hijack the resource for further malicious activities or unauthorized access." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "The instance's data being exported can be seen as collecting data from a local system before transferring it to another location." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateKeyPair.json b/events/EC2/CreateKeyPair.json index e230878..17128a1 100644 --- a/events/EC2/CreateKeyPair.json +++ b/events/EC2/CreateKeyPair.json 
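Review bot: `T1005 - Data from Local System` is repeated: it is already the verified entry in `mitreAttackTechniques` (context at the top of the hunk) and is added again to `unverifiedMitreAttackTechniques`, so the two lists contradict each other on whether it is verified. Drop the unverified copy; the CreateSnapshot hunk has the same duplicate with `T1537 - Transfer Data to Cloud Account`. The T1537 reason here also ends with a trailing space inside the string (`"... within the cloud. "`), which will survive into any rendered output.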
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + "T1098.001 - Account Manipulation: Additional Cloud Credentials" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The creation of a new key pair can facilitate unauthorized access to cloud accounts if an attacker obtains the private key, allowing them to log in and perform actions within the compromised account. By creating a new key pair, attackers can establish valid accounts that can be used to maintain access and evade detection, as the access looks legitimate. Similar to cloud accounts, valid local accounts can be exploited if the attacker uses the key pair to gain access to specific instances or services within the local environment. If the key pair is used to authenticate to domain accounts within the cloud environment, it can provide attackers with persistent access to those accounts, facilitating further malicious activities." + }, + { + "technique": "T1562 - Impair Defense", + "reason": "An attacker with a newly created key pair might use it to disable security tools or modify settings within the cloud environment to avoid detection and maintain persistence." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "The private key returned is unencrypted, which poses a risk if intercepted or improperly stored, leading to potential credential exposure. The private key might be stored in files within the cloud instances, which could be exploited by an attacker to gain unauthorized access." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "If the private key is transmitted over the network in plaintext, it can be intercepted by an attacker, leading to credential access." 
+ }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "If the EC2 instance has permissions to access Cloud storage, the key can be used to get this data via the EC2 permissions" + }, + { + "technique": "T1212 - Exploitation for Credential Access", + "reason": "An attacker might exploit the creation and handling of key pairs to gain access to credentials if there are vulnerabilities or misconfigurations in how the keys are managed and stored." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/CreateNetworkAclEntry.json b/events/EC2/CreateNetworkAclEntry.json index 0fa3dfb..532aaa2 100644 --- a/events/EC2/CreateNetworkAclEntry.json +++ b/events/EC2/CreateNetworkAclEntry.json 
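Review bot: `"T1562 - Impair Defense"` misspells the technique name, which is "Impair Defenses" everywhere else in this change; change the line to `"technique": "T1562 - Impair Defenses",`. The `T1078 - Valid Accounts` reason is four sub-technique justifications (cloud, local, domain and generic accounts) run together into one paragraph; if each is intended, they belong as separate `T1078.00x` entries with one reason apiece, otherwise trim it to the cloud-account case. The `T1040 - Network Sniffing` reason rests on the private key being "transmitted over the network in plaintext", but the API response is carried over the HTTPS endpoint, so the premise holds only for a caller deliberately using a non-TLS endpoint, and the `T1552 - Unsecured Credentials` entry above already covers the at-rest exposure that actually matters.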
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Creating or modifying network ACLs can disable or alter firewall rules, thus impairing defenses. By modifying ACLs, attackers might disable security tools that rely on specific network configurations." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Modifying network ACLs could allow malicious payloads to be transferred into the network." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By changing ACL rules, an attacker might permit unauthorized web traffic for command and control. By modifying network ACLs, an attacker could allow unauthorized email traffic for exfiltration or command and control." + }, + { + "technique": "T1021 - Remote Services", + "reason": "Creating or modifying ACL entries can facilitate unauthorized RDP access, aiding lateral movement." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers could create ACL rules that permit traffic to and from external proxies, aiding command and control operations" + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By modifying network ACL rules, an attacker can enable access to specific ports used by services like SMB (TCP/445). SMB ports are often used for sharing files and resources within a network. Access to these ports can provide the attacker with the ability to query for system information, users, and groups (such as through NetSessionEnum or NetUserEnum calls), helping them to discover the system owner or logged-in users, which aids in understanding the target environment." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "An attacker might create ACL entries to allow traffic to sites or services where the attacker has valid accounts." 
+ }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Creating specific ACL rules might help attackers map out network connections and understand the network layout." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateRoute.json b/events/EC2/CreateRoute.json index a669992..7ddac1d 100644 --- a/events/EC2/CreateRoute.json +++ b/events/EC2/CreateRoute.json @@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1074 - Data Staged" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1090 - Proxy", + "reason": "Creating a route can facilitate the use of external proxies by directing traffic through a specific intermediary node. Using the CreateRoute API can set up routing that utilizes proxies to hide the origin of network traffic." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The creation of routes might involve the use of compromised cloud accounts to establish persistence within a network." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Routes can be used to facilitate the transfer of tools across different segments of a network, aiding lateral movement." + }, + { + "technique": "T1070: Indicator Removal", + "reason": "Creating routes might assist in evading detection and preserving stealth by directing traffic in a way that avoids logging mechanisms, aiding in the removal or obfuscation of evidence." + }, + { + "technique": "T1046: Network Service Discovery", + "reason": "Adjusting routes can help in discovering network services by ensuring that specific network segments are reachable, aiding in reconnaissance." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateSecurityGroup.json b/events/EC2/CreateSecurityGroup.json index b561289..eda1d29 100644 --- a/events/EC2/CreateSecurityGroup.json +++ b/events/EC2/CreateSecurityGroup.json 
@@ -11,6 +11,24 @@ "T1098 - Account Manipulation", "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + "T1021.001 - Remote Services: Remote Desktop Protocol", + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "By creating or modifying security group rules, adversaries can manipulate the flow of network traffic to bypass security monitoring tools, which aids in defense evasion." + }, + { + "technique": "T1036 - Masquerading", + "reason": "By configuring security groups under seemingly legitimate purposes while actually facilitating malicious activities, adversaries can use this to disguise their network traffic and actions." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Adversaries may configure security groups to specifically allow traffic types that can cause application layer exhaustion, effectively using this method to flood systems with requests that exhaust resources and lead to service disruption." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/CreateSnapshot.json b/events/EC2/CreateSnapshot.json index 495899e..3e4386d 100644 --- a/events/EC2/CreateSnapshot.json +++ b/events/EC2/CreateSnapshot.json 
@@ -11,6 +11,47 @@ "T1537 - Transfer Data to Cloud Account", "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Creating a snapshot and storing it in S3 can be used to exfiltrate data by transferring it to another account or region." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "If an adversary has access to an EBS volume containing credentials, creating a snapshot of that volume could allow them to extract those credentials." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "An adversary could create a snapshot before deleting the original volume, ensuring they can still access the data" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "The snapshot data can be exfiltrated using AWS APIs, moving it to S3 or other cloud storage." + }, + { + "technique": "T1030 - Data Transfer Size Limits", + "reason": "Creating multiple snapshots to evade detection mechanisms that monitor for large data transfers." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "By creating snapshots of EBS volumes, adversaries can hide data transfers under the guise of legitimate backup operations. This makes it harder to distinguish between regular snapshot activities and potential malicious data movements." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Snapshots can serve as a stage for data before exfiltration" + }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "Adversaries might use stolen keys or other credentials extracted from snapshots as authentication material." + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Adversaries could create snapshots and use them in other environments, leveraging the stored resources for malicious purposes." + } + ], "usedInWild": true, "incidents": [ { 
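Review bot: `T1537 - Transfer Data to Cloud Account` is both in the verified `mitreAttackTechniques` context above and the first entry of the new `unverifiedMitreAttackTechniques`, so the same technique is listed as verified and unverified at once; drop it from the unverified list. The `T1485 - Data Destruction` reason describes preserving data before deleting the original volume, which is the opposite of destruction and belongs with DeleteVolume rather than CreateSnapshot. Several reasons also lack a terminating period (`...still access the data`, `...before exfiltration`), unlike the rest of the list.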
diff --git a/events/EC2/CreateTrafficMirrorFilter.json b/events/EC2/CreateTrafficMirrorFilter.json
index 2d41e38..23933c7 100644
--- a/events/EC2/CreateTrafficMirrorFilter.json
+++ b/events/EC2/CreateTrafficMirrorFilter.json
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1074 - Data Staged" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1040 - Network Sniffing", + "reason": "By creating a Traffic Mirror filter, attackers can intercept and analyze network traffic to capture sensitive information. This directly relates to the ability to observe all mirrored network traffic." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "raffic mirroring can be used to observe and scan network services and discover active services and devices on the network. By analyzing mirrored traffic, attackers can map the network and identify active services." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "Traffic mirroring can facilitate the automated exfiltration of data through observed network traffic. Mirrored traffic can be continuously collected and sent to an attacker's controlled server for automatic processing and exfiltration." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Mirrored traffic can help attackers discover information about system owners or users by analyzing the traffic. For instance, login attempts, user credentials, and other user-related information might be observed." + }, + { + "technique": "T1518 - Software Discovery", + "reason": "Traffic mirroring can be used to identify security software and appliances by analyzing network traffic. Attackers can look for traffic patterns related to security software to understand the defenses in place." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "By capturing mirrored traffic, attackers can collect data from local systems indirectly by observing network communications. This can include files being transferred over the network, credentials, and other sensitive information." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
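Review bot: The `T1046` entry is named `Network Service Scanning`, but the same ID is written `Network Service Discovery` in the CreateRoute hunk above; one spelling should be used so ID and name agree across files (the Discovery name is the one ATT&CK currently uses, as far as I know). The same `Scanning` form appears in the CreateTrafficMirrorTarget and DescribeClientVpnRoutes hunks. The `T1046` reason here also begins `raffic mirroring`, missing its leading `T`.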
diff --git a/events/EC2/CreateTrafficMirrorFilterRule.json b/events/EC2/CreateTrafficMirrorFilterRule.json index f75fb81..fe815a4 100644 --- a/events/EC2/CreateTrafficMirrorFilterRule.json +++ b/events/EC2/CreateTrafficMirrorFilterRule.json @@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1074 - Data Staged" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1020 - Automated Collection", + "reason": "Traffic mirroring can automate the collection of network traffic, which can include sensitive data." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By intercepting traffic, an attacker can discover information about the system owner or users based on network communications." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Traffic mirroring can help attackers understand and manipulate application layer protocols by observing the traffic." + }, + { + "technique": "T1040: Network Sniffing", + "reason": "Traffic mirroring is essentially a form of network sniffing, capturing data in transit for further analysis" + }, + { + "technique": "T1567: Exfiltration Over Web Service", + "reason": "Intercepted traffic can be exfiltrated over web services if the mirrored data is sent to an external destination." + }, + { + "technique": "T1213: Data from Information Repositories", + "reason": "T1213: Data from Information Repositories" + }, + { + "technique": "T1005: Data from Local System", + "reason": "Traffic mirroring can capture data from the local system that is transmitted over the network." + }, + { + "technique": "T1083: File and Directory Discovery", + "reason": "Analysis of mirrored traffic can help in discovering files and directories being accessed and used on the network" + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateTrafficMirrorSession.json b/events/EC2/CreateTrafficMirrorSession.json index 4a07e34..4475679 100644 
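Review bot: `T1020 - Automated Collection` pairs the ID with the wrong name: elsewhere in this diff T1020 is `Automated Exfiltration` (CreateTrafficMirrorFilter) and Automated Collection is `T1119` (CreateTrafficMirrorSession), so one of the two must change; DescribeFlowLogs further down has the same mismatch. The `T1213: Data from Information Repositories` entry has its technique name copied into `reason`, which leaves the mapping unjustified and should get a real rationale or be removed. This list also switches from ` - ` to `: ` as the separator halfway through.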
--- a/events/EC2/CreateTrafficMirrorSession.json
+++ b/events/EC2/CreateTrafficMirrorSession.json
@@ -9,6 +9,51 @@ "mitreAttackTechniques": [ "T1074 - Data Staged" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1040 - Network Sniffing", + "reason": "By creating a Traffic Mirror session, an adversary can passively collect data on the network, capturing traffic to gather sensitive information." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Traffic Mirror sessions can be used to monitor application layer protocols to understand communication patterns" + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The mirrored traffic could be sent to an external system for automated analysis and potential exfiltration of data." + }, + { + "technique": "T1036 - Masquerading", + "reason": "In the later stages of an attack, traffic mirrored sessions might help disguise malicious traffic by blending it with legitimate traffic, by using already learnt traffic patterns, aiding in evasion of detection" + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Analyzing the mirrored traffic can provide information on remote systems, including their IP addresses and services, aiding in further discovery." + }, + { + "technique": "T1090 - Proxy", + "reason": "raffic Mirror can be utilized to capture and analyze traffic routed through proxy servers, identifying potential points of interest for further compromise." 
+ }, + { + "technique": "T1119 - Automated Collection", + "reason": "Automating the creation of Traffic Mirror sessions allows for continuous data collection without manual intervention" + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Traffic Mirror sessions could capture data from repositories by monitoring traffic related to repository access" + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Adversaries can use traffic mirroring to collect and then archive large amounts of network traffic for later analysis or exfiltration." + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Monitoring mirrored traffic can reveal details about network connections on systems, such as active connections, protocols used, and the nature of the traffic." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateTrafficMirrorTarget.json b/events/EC2/CreateTrafficMirrorTarget.json index a5ed2fa..9fe9265 100644 --- a/events/EC2/CreateTrafficMirrorTarget.json +++ b/events/EC2/CreateTrafficMirrorTarget.json 
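Review bot: The `T1090 - Proxy` reason begins `raffic Mirror can be utilized`, missing the leading `T` (the CreateTrafficMirrorFilter hunk has the same truncation). The `T1036 - Masquerading` reason about "already learnt traffic patterns" is conjecture that a session-creation event does not evidence; if the mapping stays, a one-line rationale such as `Mirror sessions may be created under the guise of legitimate monitoring to blend with expected capture activity` is easier to defend. Several reasons in this list again lack terminating periods.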
@@ -9,6 +9,51 @@ "mitreAttackTechniques": [ "T1074 - Data Staged" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "When a Traffic Mirror target is created, it enables the capture of network traffic, which can be analyzed to understand the network configuration, including IP addresses, subnets, and routing." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Mirrored traffic provides visibility into the types of services running on the network, allowing adversaries to map out the network services and identify potential vulnerabilities." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By examining the mirrored traffic, attackers can identify and understand the protocols used at the application layer, which can be exploited for further attacks." + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "The data captured through traffic mirroring can be exfiltrated via web services, making it easier for attackers to move large amounts of data without detection." + }, + { + "technique": "T1571 - Non-Standard Port", + "reason": "Traffic mirroring can uncover the use of non-standard ports, which can then be targeted in later stages of the attack for covert command and control communications." + }, + { + "technique": "1590 - Gather Victim Network Information", + "reason": "The detailed information gathered from traffic mirroring helps attackers build a comprehensive profile of the victim's network." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By analyzing the traffic within a cloud environment, adversaries can discover cloud infrastructure details and configurations, which can be critical for planning further attacks." 
+ }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Analysis of mirrored traffic can reveal information about system owners or users, which can be leveraged for further attacks." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "Mirrored traffic can reveal sensitive data being transmitted within the network, which can be captured and analyzed." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "Traffic mirroring enables the continuous collection of network traffic, which can then be automatically exfiltrated for further analysis or exploitation." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/CreateVolume.json b/events/EC2/CreateVolume.json index e1d6140..ee50d4e 100644 --- a/events/EC2/CreateVolume.json +++ b/events/EC2/CreateVolume.json 
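Review bot: The `1590 - Gather Victim Network Information` entry is missing the `T` prefix, so any consumer that parses technique IDs will choke on it; it should read `T1590 - Gather Victim Network Information`. T1590 is a Reconnaissance-tactic technique performed before access, which sits oddly among post-access mappings for a CloudTrail event and deserves a hedge in the reason or removal. The `T1046 - Network Service Scanning` naming issue raised on CreateTrafficMirrorFilter applies here too.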
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Attackers can create volumes and attach them to instances to access filesystems and potentially extract sensitive files such as /etc/passwd and /etc/shadow on Linux systems for credential dumping." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By creating a volume from a snapshot that contains valid credentials or authentication tokens, attackers can gain persistent access to cloud resources." + }, + { + "technique": "T1202 - Indirect Command Execution", + "reason": "Attackers might use the creation of volumes and the data contained within them to execute commands indirectly by leveraging scripts or binaries stored in these volumes. Some of the commands could be called by methods like autorun scripts or similar" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Creating and using volumes for storing large amounts of data or for computational tasks can be a form of resource hijacking, impacting the cloud environment's availability and cost." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Attackers might use newly created volumes to overwrite sensitive data, effectively destroying it and causing a significant impact" + }, + { + "technique": "T1486 - Data Encrypted for Impact", + "reason": "Encrypted volumes can be used by attackers to encrypt data and then demand ransom for decryption keys, directly impacting data availability." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Attackers can use created volumes to stage collected data locally before exfiltration, facilitating the organization and preparation of data for extraction." 
+ }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might create volumes that mimic legitimate snapshots or backups to evade detection and maintain persistent access by blending into normal operations." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Attackers can create volumes to transfer and store exfiltrated data within a cloud account, enabling them to securely move sensitive information out of the victim's environment" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DeleteFlowLogs.json b/events/EC2/DeleteFlowLogs.json index 8ed872b..eafa990 100644 --- a/events/EC2/DeleteFlowLogs.json +++ b/events/EC2/DeleteFlowLogs.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1089 - Disabling Security Tools" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting flow logs can remove indicators that were stored, making it harder to detect malicious activities" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Disabling or deleting flow logs can impair defensive mechanisms by removing visibility into network traffic. It also supersedes T1089 since v7.1." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting flow logs can be part of a broader data destruction strategy. By removing logs that track network activity, an attacker can ensure that no historical data remains to aid in the forensic investigation of their activities. This makes it significantly harder to trace malicious actions back to the perpetrator, thus effectively destroying critical evidence" + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Deleting flow logs can be part of account manipulation to hide tracks and activities conducted using compromised accounts." + } + ], "usedInWild": true, "incidents": [ { 
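Review bot: The `T1537 - Transfer Data to Cloud Account` reason claims CreateVolume lets an adversary move data out of the victim's environment, but the call only creates a volume inside the calling account; any cross-account step is a snapshot copy or share logged under a different event, so the reason should describe staging rather than transfer. The `T1202 - Indirect Command Execution` reason's mention of autorun scripts is speculation the event does not evidence and could be hedged or dropped. Several reasons in this list lack terminating periods.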
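Review bot: The new `T1562 - Impair Defenses` reason itself states that T1562 superseded T1089 in v7.1, yet the verified `mitreAttackTechniques` context line still carries the retired `T1089 - Disabling Security Tools`; if that note is right, T1562 (with `T1562.008` for cloud logs, as far as I know) belongs in the verified list and T1089 should go. The `T1485 - Data Destruction` reason runs to four sentences and largely restates the `T1070` rationale; one sentence noting that flow-log deletion removes network-activity history would suffice.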
diff --git a/events/EC2/DeleteNetworkAcl.json b/events/EC2/DeleteNetworkAcl.json index 615d888..60a650b 100644 --- a/events/EC2/DeleteNetworkAcl.json +++ b/events/EC2/DeleteNetworkAcl.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting a network ACL can be a form of data destruction as it disrupts the network configuration, potentially leading to data loss or service disruption" + }, + { + "technique": "T1489 - Service Stop", + "reason": "Removing network ACLs can stop or disrupt services by blocking legitimate network traffic, effectively causing denial of service conditions" + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting network ACLs can be part of a broader strategy to remove access to resources, making it difficult for legitimate users to access networked systems and services. For example, deleting a network ACL that allows SSH access." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/DeleteNetworkAclEntry.json b/events/EC2/DeleteNetworkAclEntry.json index 2d6d549..bdbd55e 100644 --- a/events/EC2/DeleteNetworkAclEntry.json +++ b/events/EC2/DeleteNetworkAclEntry.json 
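Review bot: `T1531 - Account Access Removal` covers deleting or locking accounts and credentials, not removing a network path; the reason given (losing SSH reachability after an ACL is deleted) is an availability effect already captured by the `T1489 - Service Stop` entry, so the T1531 mapping looks misattributed. The DeleteNetworkAclEntry hunk below repeats the same T1531 entry with the same SSH example. The `T1489` reason's "blocking legitimate network traffic" should also be hedged, since deleting an ACL removes filtering rather than adding a block.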
@@ -9,6 +9,24 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001: Impair Defenses - Disable or Modify Tools", + "T1562.004: Impair Defenses - Disable or Modify System Firewall" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers may manipulate network ACLs as part of account manipulation to remove or alter security controls. This can enable unauthorized access or disrupt normal operations within the cloud environment." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting network ACL entries could be part of an attack to disrupt services and remove access to accounts, affecting the availability of resources. For example, deleting a network ACL that allows SSH access." + }, + { + "technique": "T1489 - Service Stop", + "reason": "By deleting critical network ACL entries, an attacker can disrupt or stop essential services by either blocking required traffic or allowing malicious traffic, leading to a service interruption." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/DeleteSnapshot.json b/events/EC2/DeleteSnapshot.json index ac168f0..fffc06a 100644 --- a/events/EC2/DeleteSnapshot.json +++ b/events/EC2/DeleteSnapshot.json 
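Review bot: The sub-technique strings `T1562.001: Impair Defenses - Disable or Modify Tools` and `T1562.004: Impair Defenses - Disable or Modify System Firewall` use the opposite separator layout from `T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall` in the DeleteNetworkAcl hunk above. On substance, a network ACL is a cloud-side firewall, so `T1562.007` is the sub-technique that fits this event, while `.004` is the host firewall and `.001` is security tooling; aligning with DeleteNetworkAcl would keep the two sibling files consistent.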
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting snapshots can be part of an effort to remove indicators of compromise or evidence of malicious activity." + }, + { + "technique": "T1486 - Data Encrypted for Impact", + "reason": "If the adversary has encrypted the data and then deletes snapshots, it makes recovery impossible without the decryption keys, thus increasing the impact." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "Deleting snapshots can be a form of manipulating stored data, particularly if snapshots are used for data recovery and the deletion disrupts normal recovery processes." + }, + { + "technique": "T1561 - Disk Wipe", + "reason": "Deleting snapshots can be considered a form of disk wipe if the snapshots contain the only copies of certain data, effectively wiping that data from existence." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DeleteVolume.json b/events/EC2/DeleteVolume.json index b54c02b..fa84aa3 100644 --- a/events/EC2/DeleteVolume.json +++ b/events/EC2/DeleteVolume.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting an EBS volume can be used to remove evidence of malicious activity, such as log files or other data stored on the volume." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "The deletion of an EBS volume results in the permanent loss of the data it contained, which is a form of data destruction." + }, + { + "technique": "T1561 - Disk Wipe", + "reason": "Deleting the volume ensures that all data on the volume is removed, which is similar to a disk wipe." + } + ], "usedInWild": true, "incidents": [ { 
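Review bot: `T1561 - Disk Wipe` describes wiping disk contents or structures on a host, and the DeleteSnapshot reason concedes it only applies "if the snapshots contain the only copies"; that case is already `T1485 - Data Destruction` in the verified list, so the T1561 entry adds nothing. The DeleteVolume hunk on this line repeats the same T1561 reasoning. The `T1565 - Data Manipulation` reason likewise restates the destruction effect rather than any manipulation of data contents.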
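Review bot: In DeleteVolume, `T1485 - Data Destruction` is already the verified technique in the `mitreAttackTechniques` context line and is listed again in the new `unverifiedMitreAttackTechniques`; a technique should not be both verified and unverified, so remove the duplicate entry. CreateSnapshot has the same duplication with T1537.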
diff --git a/events/EC2/DescribeAccountAttributes.json b/events/EC2/DescribeAccountAttributes.json index 3ebcd45..b2e6dbe 100644 --- a/events/EC2/DescribeAccountAttributes.json +++ b/events/EC2/DescribeAccountAttributes.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "By describing the account attributes, an adversary can gather information about the AWS environment, such as supported platforms, EC2 limitations, and default settings, which aids in understanding the overall cloud infrastructure." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Understanding the maximum number of security groups that can be assigned to a network interface can help an adversary in identifying the possible scope and structure of permissions within the account." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "his technique is relevant as it involves obtaining information about the cloud services and configurations, such as the maximum number of instances and Elastic IP addresses, supported platforms, and default VPC ID" + }, + { + "technique": "T1538 - Cloud Service Dashboard", + "reason": "Accessing the account attributes via the API is akin to viewing settings in the cloud service dashboard, providing a view into the configurations and limitations of the AWS environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeAvailabilityZones.json b/events/EC2/DescribeAvailabilityZones.json index fb92285..4bcd803 100644 --- a/events/EC2/DescribeAvailabilityZones.json +++ b/events/EC2/DescribeAvailabilityZones.json 
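Review bot: The `T1526 - Cloud Service Discovery` reason begins `his technique`, missing its leading `T`, and ends without a period. `T1538 - Cloud Service Dashboard` is scoped to use of the web console rather than the API, so mapping an API call to it because it is "akin to viewing settings in the cloud service dashboard" contradicts the technique's own definition; the distinction matters for detection, since console activity carries a distinct user agent in CloudTrail.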
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Knowing the availability zones is a part of system information that an attacker might want to know. This API call provides insights into the environment setup and operational state."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "The DescribeAvailabilityZones API call provides information about the geographical distribution of cloud services, aiding in the identification of cloud services in use."
+ },
+ {
+ "technique": "T1018 - Remote System Discovery",
+ "reason": "By knowing which availability zones are in use, attackers can identify the distribution of systems and services across the cloud environment. This helps in mapping the network architecture and planning subsequent lateral movement or targeted attacks."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/EC2/DescribeBundleTasks.json b/events/EC2/DescribeBundleTasks.json
index e19d56e..71f0595 100644
--- a/events/EC2/DescribeBundleTasks.json
+++ b/events/EC2/DescribeBundleTasks.json
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The DescribeBundleTasks API call can provide details about the instance, which can be used to gather information about the system's configuration and status. The description of what a Bundle Task is not even available on AWS anymore." + }, + { + "technique": "T1553.002 - Subvert Trust Controls: Code Signing", + "reason": "nsuring that the bundled data is from a legitimate source and not tampered with might involve code signing, particularly if the bundle is intended for deployment or transfer. The description of what a Bundle Task is not even available on AWS anymore." + }, + { + "technique": "T1074 - Data Staged", + "reason": "The bundling process involves staging data for bundling and transfer, which is a crucial step in the data management process. The description of what a Bundle Task is not even available on AWS anymore." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeCarrierGateways.json b/events/EC2/DescribeCarrierGateways.json index 228a22b..c00d299 100644 --- a/events/EC2/DescribeCarrierGateways.json +++ b/events/EC2/DescribeCarrierGateways.json 
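Review bot: The `T1553.002 - Subvert Trust Controls: Code Signing` entry is a sub-technique placed in `unverifiedMitreAttackTechniques` while the sibling `mitreAttackSubTechniques` array is left empty, and its reason begins `nsuring`, missing the leading `E`. The sentence `The description of what a Bundle Task is not even available on AWS anymore.` is pasted into all three reasons; it belongs once, as a note on the event, not inside each technique rationale. Given that caveat, a code-signing mapping for a read-only Describe call looks unsupported and would be better dropped.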
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "This API call helps in discovering the network configuration, including the carrier gateway, which can provide insight into how traffic is routed" + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Describing the carrier gateways can reveal details about network connections and traffic flow between Wavelength Zones and carrier networks." + }, + { + "technique": "T1090 - Proxy", + "reason": "Carrier gateways' NAT function can be leveraged to hide the source of attack traffic, aiding in defense evasion" + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Identifying carrier gateways could be useful for attackers aiming to gain access to the network using valid accounts" + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "Knowing the setup of carrier gateways can help in exploiting remote services that rely on this infrastructure" + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "Insights into carrier gateways might reveal trust relationships between different network segments and domains" + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Information from the carrier gateway description can help identify other remote systems within the network." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeClientVpnRoutes.json b/events/EC2/DescribeClientVpnRoutes.json index e0ea43d..2fde227 100644 --- a/events/EC2/DescribeClientVpnRoutes.json +++ b/events/EC2/DescribeClientVpnRoutes.json 
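Review bot: DescribeCarrierGateways is a read-only call, but the reasons for `T1090 - Proxy` ("NAT function can be leveraged to hide the source") and `T1210 - Exploitation of Remote Services` describe using or exploiting the gateway, which this event cannot evidence; reframe them as discovery that may precede those techniques, or drop the entries. `T1482 - Domain Trust Discovery` concerns Windows/AD domain trusts, so "trust relationships between different network segments and domains" is a stretch for carrier-gateway metadata. Four of the seven reasons lack terminating periods.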
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1046 - Network Service Scanning",
+ "reason": "An adversary might use DescribeClientVpnRoutes to enumerate network routes within the VPN, identifying potential targets and pivot points within the network."
+ },
+ {
+ "technique": "T1021- Remote Services",
+ "reason": "This API call can provide details on how to access different parts of the network remotely, which could facilitate lateral movement or remote execution of commands"
+ },
+ {
+ "technique": "T1016 - System Network Configuration Discovery",
+ "reason": "Information from DescribeClientVpnRoutes can reveal internal network structures, including IP ranges and network topologies, which can be used for further discovery and evasion activities"
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/EC2/DescribeDhcpOptions.json b/events/EC2/DescribeDhcpOptions.json
index de234b2..7cc6783 100644
--- a/events/EC2/DescribeDhcpOptions.json
+++ b/events/EC2/DescribeDhcpOptions.json
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Describing DHCP options is directly related to understanding network configurations and connections within the AWS environment" + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "The DHCP options can reveal information about DNS servers, domain names, NTP servers, and other network configurations, aiding in network discovery" + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Describing DHCP options can help attackers discover remote systems within the network, providing a map of targets for lateral movement." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Understanding DHCP options might reveal information about the system owners or users, helping attackers tailor their strategies for further exploitation." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeFlowLogs.json b/events/EC2/DescribeFlowLogs.json index c43cc0b..cdce6c3 100644 --- a/events/EC2/DescribeFlowLogs.json +++ b/events/EC2/DescribeFlowLogs.json 
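Review bot: The `T1033 - System Owner/User Discovery` reason is unsupported: a DHCP options set carries domain name and DNS/NTP/NetBIOS server settings, none of which identify owners or users, so the entry should be dropped or reframed. `T1049 - System Network Connections Discovery` is about active connections on a host; options-set metadata maps more naturally to `T1016 - System Network Configuration Discovery`, which the DescribeCarrierGateways and DescribeClientVpnRoutes hunks already use for similar data. Two reasons lack terminating periods.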
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Describing flow logs can help attackers understand which users are accessing specific network resources." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "Flow logs can reveal network configurations, allowing attackers to map out the network layout" + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "By analyzing flow logs, attackers can infer traffic patterns and potentially sensitive information about network communications" + }, + { + "technique": "T1020 - Automated Collection", + "reason": "Attackers can use the flow logs to automate the collection of network traffic data for further analysis" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeImages.json b/events/EC2/DescribeImages.json index 44994c7..295cdcd 100644 --- a/events/EC2/DescribeImages.json +++ b/events/EC2/DescribeImages.json 
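Review bot: DescribeFlowLogs returns flow-log configuration (destinations, filters, status), not the captured records, as far as I know; the reasons for `T1033`, `T1040 - Network Sniffing` and `T1020` all assume the call exposes traffic data and should be rewritten around what is actually returned, e.g. `Reveals where flow logs are delivered and which resources are covered, which can inform log-evasion decisions`. The `T1020 - Automated Collection` name mismatch is raised on the CreateTrafficMirrorFilterRule hunk. Three reasons lack terminating periods.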
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "DescribeImages can be used to gather detailed information about the system images in use, which is critical for planning further attacks or understanding the environment." + }, + { + "technique": "T1202 - Indirect Command Execution", + "reason": "By using DescribeImages, attackers can identify images that may allow them to indirectly execute commands through specific software or configurations present in the images" + }, + { + "technique": "T1608 - Stage Capabilities", + "reason": "An attacker might use DescribeImages to find specific images to stage capabilities like installing digital certificates on chosen instances." + }, + { + "technique": "T1083 - File and Directory Discovery", + "reason": "DescribeImages can reveal the existence and properties of files and directories associated with specific AMIs, aiding in discovery efforts" + }, + { + "technique": "T1613 - Container and Resource Discovery", + "reason": "Attackers can use DescribeImages to identify available container images and resources in the environment. This helps them understand the infrastructure and identify potential targets for exploitation within containerized applications." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Using DescribeImages helps attackers discover available cloud services, their configurations, and associated resources." + }, + { + "technique": "T1195 - Supply Chain Compromise", + "reason": "Attackers can use DescribeImages to identify and exploit vulnerabilities in the software dependencies and development tools used within specific images, leading to a supply chain compromise." + } + ], "usedInWild": true, "incidents": [ { 
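Review bot: The `T1195 - Supply Chain Compromise` reason says the call is used to "identify and exploit vulnerabilities", which a read-only listing cannot do; at most it is discovery that may precede that technique, and the reason should say so. The `T1608 - Stage Capabilities` reason ("installing digital certificates on chosen instances") does not match T1608, which covers an adversary staging capabilities on infrastructure it controls. `T1083 - File and Directory Discovery` is also a stretch, since DescribeImages returns AMI metadata and block-device mappings rather than file or directory listings, as far as I know.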
diff --git a/events/EC2/DescribeInstanceAttribute.json b/events/EC2/DescribeInstanceAttribute.json
index 515509c..63127be 100644
--- a/events/EC2/DescribeInstanceAttribute.json
+++ b/events/EC2/DescribeInstanceAttribute.json
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Using DescribeInstanceAttribute can reveal information about the instance's configuration, such as instance type, which aids in understanding the system environment." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Information about the instance attributes can be used to identify potential valid accounts associated with the instance, particularly if the attribute reveals details about the IAM roles or users associated with it." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Describing instance attributes can provide details about the permissions and security groups associated with the instance, aiding in the discovery of network access control configurations." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The attribute information might include details about the instance owner or users, helping to identify key individuals for potential targeted attacks" + }, + { + "technique": "T1074 - Data Staged", + "reason": "Information about storage attributes of an instance can help in planning the staging of data for exfiltration." + }, + { + "technique": "T1007 - System Service Discovery", + "reason": "Attributes related to the services running on the instance can be described, aiding in the discovery of available services for further exploitation." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Details about network interfaces and configurations discovered through instance attributes can assist in identifying other remote systems and services within the network." 
+ }, + { + "technique": "T1518 - Software Discovery", + "reason": "Describing instance attributes may reveal information about the installed software and applications, assisting in software discovery efforts." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeInstanceTypes.json b/events/EC2/DescribeInstanceTypes.json index b832ed9..a23e187 100644 --- a/events/EC2/DescribeInstanceTypes.json +++ b/events/EC2/DescribeInstanceTypes.json 
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "By describing instance types, attackers can identify the network configurations and resources used in the target's AWS environment. This information aids in understanding the network structure and potential vulnerabilities that could be exploited." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "DescribeInstanceTypes provides detailed information about different instance types, including their capabilities and configurations, which can help an attacker understand the system architecture and capabilities." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Knowing the types of instances helps in determining how data might be stored or managed in cloud repositories, aiding in planning data collection strategies." + }, + { + "technique": "T1592 - Gather Victim Host Information", + "reason": "DescribeInstanceTypes can provide details on the hardware and software configurations of the instances, helping attackers gather comprehensive information about the victim's host environment." + }, + { + "technique": "T1046 - Network Service Discovery", + "reason": "By knowing the instance types, attackers can infer what network services might be running, aiding in the discovery of network service configurations and potential vulnerabilities." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "DescribeInstanceTypes helps attackers discover the available cloud services and their configurations, which is crucial for understanding the overall cloud environment and potential targets." 
+ }, + { + "technique": "T1497 - Virtualization/Sandbox Evasion", + "reason": "Knowing the instance types can help attackers tailor their techniques to evade detection within virtualized environments specific to the cloud infrastructure in use." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "DescribeInstanceTypes can provide insights into the types of instances and their configurations, which may include details relevant to domain trust relationships within the cloud infrastructure." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeInstances.json b/events/EC2/DescribeInstances.json index ac22547..7f606d4 100644 --- a/events/EC2/DescribeInstances.json +++ b/events/EC2/DescribeInstances.json 
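Review bot: Several reasons here (T1590, T1592, T1482) describe learning the victim's network, hosts and trust relationships from DescribeInstanceTypes, but that call returns the regional catalogue of instance-type offerings rather than anything about the caller's account, so the entries appear to confuse it with DescribeInstances; treat this as my reading of the API, to be confirmed. I would trim the list to the catalogue-level discovery mappings (T1082, T1526) and reword their reasons to say the response describes available hardware classes, not deployed resources, e.g. `"reason": "DescribeInstanceTypes lists the instance classes offered in a region, which tells an adversary what compute shapes the environment can use but nothing about existing instances."`.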
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The DescribeInstances call provides detailed information about the EC2 instances, including instance type, state, and configuration details. This information is essential for an adversary performing system information discovery to understand the environment." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The DescribeInstances output can include tags and other metadata that may contain user information, helping adversaries to identify system owners and users." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Discovering the details of security configurations, such as security groups and network ACLs associated with instances, can help adversaries to plan how to impair or bypass defenses" + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Understanding the details of EC2 instances can enable an adversary to manipulate accounts associated with those instances, such as creating or deleting IAM roles attached to instances." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "DescribeInstances can reveal network configurations of instances, including VPC, subnet, and security group details, aiding in network discovery" + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "While DescribeInstances does not directly perform network service scanning, the information it provides about instance IP addresses and configurations can be used to facilitate subsequent network scanning activities." 
+ }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "Detailed information about EC2 instances, such as their public IP addresses and running services, can be used to exploit remote services running on these instances." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Information from DescribeInstances can indicate the presence of network shares or attached storage, which may be targeted for further discovery or exploitation." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "DescribeInstances can provide insights into the software and processes running on the instances, helping adversaries identify potential targets for process discovery and further exploitation." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeKeyPairs.json b/events/EC2/DescribeKeyPairs.json index 81a1537..eb7228e 100644 --- a/events/EC2/DescribeKeyPairs.json +++ b/events/EC2/DescribeKeyPairs.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Service Discovery", + "reason": "The DescribeKeyPairs API call can be used to enumerate key pairs associated with EC2 instances, which aids in discovering cloud resources and configurations." + }, + { + "technique": "T1528 - Steal Application Access Token", + "reason": "Key pairs can be used to steal application access tokens if they are used for application authentication mechanisms." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeRegions.json b/events/EC2/DescribeRegions.json index e36c4b5..1a54ae8 100644 --- a/events/EC2/DescribeRegions.json +++ b/events/EC2/DescribeRegions.json 
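Review bot: The T1046 entry is written as `"T1046 - Network Service Scanning"` while DescribeInstanceTypes.json in this same commit uses `"T1046 - Network Service Discovery"` (the current ATT&CK name), so the same technique now appears under two strings and any grouping or lookup keyed on the full label will split it. The older spelling also appears in the DescribeReplaceRootVolumeTasks, DescribeSecurityGroups, DescribeVpcEndpointConnectionNotifications and GetFlowLogsIntegrationTemplate hunks. Pick one canonical label per technique ID, `"T1046 - Network Service Discovery"`, and apply it across the files.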
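Review bot: `"T1580 - Cloud Service Discovery"` pairs the ID of Cloud Infrastructure Discovery, which this file already lists under `mitreAttackTechniques`, with the name of a different technique, so the entry is either a duplicate or a mislabel; if Cloud Service Discovery is intended it should read `"T1526 - Cloud Service Discovery"`. The T1528 reason is also a stretch, since that technique covers OAuth/API access tokens whereas EC2 key pairs are SSH/RDP key material, and the reason text does not say how one leads to the other. Consider dropping T1528 or rewording its reason to describe what the key-pair listing actually exposes (names and fingerprints, not private keys).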
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Attackers can use the DescribeRegions API call to obtain information about the cloud regions where a victim's resources are deployed. This helps in mapping the network and understanding the potential attack surface." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "By utilizing DescribeRegions, attackers can gain insights into the geographical distribution of the victim's cloud infrastructure, contributing to the overall system information." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "DescribeRegions gives access to the regional metadata of AWS, which acts as an information repository. Attackers may exploit this data to gain insights into the structure and status of the cloud environment." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Although not directly relevant attackers can use DescribeRegions to understand the layout of network resources across different regions, which can aid in discovering network shares and how resources are distributed geographically." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeReplaceRootVolumeTasks.json b/events/EC2/DescribeReplaceRootVolumeTasks.json index 092ccec..209fd75 100644 --- a/events/EC2/DescribeReplaceRootVolumeTasks.json +++ b/events/EC2/DescribeReplaceRootVolumeTasks.json 
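Review bot: The T1135 entry opens with "Although not directly relevant", which concedes that Network Share Discovery does not apply to DescribeRegions; a mapping the author does not believe in should be dropped rather than recorded, since downstream consumers cannot tell a hedge from a mapping. If it stays, at minimum the sentence needs a comma after "relevant" and a reason that names what the response contains (the list of enabled regions) rather than network shares. The T1213 reason similarly calls regional metadata an "information repository", which is not what that technique means by the term.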
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetLaunchTemplateData API call retrieves configuration data of an instance, providing detailed information about the system, including its configurations and metadata." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Information about the instance's network configurations can aid in scanning for active services and identifying potential targets" + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Adversaries might use the gathered configuration data to create archives for exfiltration purposes" + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The GetLaunchTemplateData call may reveal information about the system owner or users associated with the instance." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeSecurityGroups.json b/events/EC2/DescribeSecurityGroups.json index e3ff169..f388fa4 100644 --- a/events/EC2/DescribeSecurityGroups.json +++ b/events/EC2/DescribeSecurityGroups.json 
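Review bot: Two of the reasons in this DescribeReplaceRootVolumeTasks file refer to "The GetLaunchTemplateData API call" and "The GetLaunchTemplateData call", so the block was evidently pasted from another event and never adapted to this one; the mappings are therefore unreviewed for the event they sit under. Each reason should describe this call, which lists root-volume replacement tasks for instances, for example `"reason": "Listing root-volume replacement tasks shows which instances recently had their root volume swapped and from which snapshot or image, which characterises the system to an adversary."` for T1082, with the T1046, T1560 and T1033 entries either rewritten the same way or removed if they do not hold for this response.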
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The DescribeSecurityGroups API call allows an adversary to gather information about security groups, which is crucial for understanding the security posture and configurations of the cloud environment" + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By describing security groups, adversaries can infer the roles and privileges associated with different accounts and identify potential targets for further compromise." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Knowledge of security group configurations can help adversaries understand which network services are exposed, enabling them to scan for open ports and services" + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Security groups often define permissions for accessing various resources within the cloud environment. Understanding these groups can help adversaries identify critical permissions and exploit them." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "If an adversary identifies security groups that allow inbound access, they might transfer tools or malware into the environment through these entry points" + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Understanding security group rules helps adversaries in crafting communication methods that can bypass security controls using allowed protocols." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "By knowing the security groups, adversaries can position themselves in a network segment where they can capture sensitive traffic." 
+ }, + { + "technique": "T1021 - Remote Services", + "reason": "Knowledge of security group configurations that allow remote services access can be exploited to move laterally within the network using those services." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeSnapshotAttribute.json b/events/EC2/DescribeSnapshotAttribute.json index 74c0ecf..5255574 100644 --- a/events/EC2/DescribeSnapshotAttribute.json +++ b/events/EC2/DescribeSnapshotAttribute.json @@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "By describing snapshot attributes, an adversary can discover accounts associated with specific snapshots, providing insight into user and service accounts in the environment." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": " Snapshots often contain data stored in the cloud, and describing their attributes is a step towards accessing and exploiting this data." + }, + { + "technique": "T1119 - Automated Collection", + "reason": "DescribeSnapshotAttribute can be used in scripts to automatically collect data on snapshots for further analysis or malicious use." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "By gathering detailed information about snapshots, an adversary can infer the system owner or user details, which is crucial for furthering their attack strategy." + }, + { + "technique": "T1602 - Data from Configuration Repository", + "reason": "Snapshot attributes may include configuration information that could be valuable for understanding the environment or identifying further targets for exfiltration or attack." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeSnapshotTierStatus.json b/events/EC2/DescribeSnapshotTierStatus.json index b761a56..4e0e77b 100644 
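Review bot: The T1530 reason in the DescribeSnapshotAttribute hunk starts with a leading space, `" Snapshots often contain..."`, which will surface verbatim wherever the string is rendered; trim it. The same technique is labelled `"T1530 - Data from Cloud Storage"` here but `"T1530 - Data from Cloud Storage Object"` in the GetEbsDefaultKmsKeyId hunk further down, so one ID again carries two names; the current ATT&CK name is the shorter one, and it should be used in both places.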
--- a/events/EC2/DescribeSnapshotTierStatus.json +++ b/events/EC2/DescribeSnapshotTierStatus.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "By analyzing the snapshot tier status, an attacker could infer which accounts have access to particular snapshots, thereby gaining insights into the account structures and permissions within the target environment." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Information about the storage tier status of snapshots includes metadata that helps identify system owners or users associated with those snapshots, thus aiding in the discovery of target users within the environment." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "This API call provides detailed information about EBS snapshots, which are a form of cloud storage. An attacker can use this to identify and access sensitive data stored within these snapshots." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeTransitGatewayMulticastDomains.json b/events/EC2/DescribeTransitGatewayMulticastDomains.json index da0d6a7..cacc4e0 100644 --- a/events/EC2/DescribeTransitGatewayMulticastDomains.json +++ b/events/EC2/DescribeTransitGatewayMulticastDomains.json 
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "This api call involves identifying details about the victim's network, such as the structure and topology, which can be aided by describing transit gateway multicast domains." + }, + { + "technique": "T1592 - Gather Victim Host Information", + "reason": "The information from the API call could help an attacker understand the hosts connected via the multicast domains." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Information from transit gateway multicast domains could include details about the accounts associated with them." + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "Describing multicast domains helps in mapping out system network connections." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "The API call may return information about the users or owners of the systems within the multicast domains." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeVolumes.json b/events/EC2/DescribeVolumes.json index 4115ad1..807c62c 100644 --- a/events/EC2/DescribeVolumes.json +++ b/events/EC2/DescribeVolumes.json 
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "The DescribeVolumes API call can reveal information about EBS volumes which might contain details about the accounts that created or use them." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "DescribeVolumes allows attackers to list and understand the configuration of EBS volumes within a cloud environment. This information helps map out the storage resources, potentially revealing sensitive data or misconfigurations." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By describing volumes, attackers can infer the permissions set on EBS volumes and potentially discover groups with access to these volumes" + }, + { + "technique": "T1613 - Container and Resource Discovery", + "reason": "Volumes can be linked to container storage. Discovering volumes helps in mapping container usage and dependencies" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeVolumesModifications.json b/events/EC2/DescribeVolumesModifications.json index 27e5b3f..dc9ba17 100644 --- a/events/EC2/DescribeVolumesModifications.json +++ b/events/EC2/DescribeVolumesModifications.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Viewing volume modifications might help attackers understand cloud account structures and usage patterns, aiding in discovering privileged accounts" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeVpcEndpointConnectionNotifications.json b/events/EC2/DescribeVpcEndpointConnectionNotifications.json index dd500fa..1fae504 100644 
--- a/events/EC2/DescribeVpcEndpointConnectionNotifications.json +++ b/events/EC2/DescribeVpcEndpointConnectionNotifications.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1135 - Network Share Discovery", + "reason": "Describing VPC endpoint connection notifications can help identify shared resources within the VPC, providing information on the network structure and potential entry points." + }, + { + "technique": "T1049 - System Network Connections Discovery", + "reason": "By describing VPC endpoint connection notifications, an attacker can gather information about the network connections and endpoints configured in the VPC." + }, + { + "technique": "T1007 - Network Service Scanning", + "reason": "Describing VPC endpoint connection notifications can reveal details about network services in use, which can be leveraged for further network service scanning." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/DescribeVpcs.json b/events/EC2/DescribeVpcs.json index 465a64e..250962c 100644 --- a/events/EC2/DescribeVpcs.json +++ b/events/EC2/DescribeVpcs.json 
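Review bot: `"T1007 - Network Service Scanning"` attaches the wrong ID: T1007 is System Service Discovery, and the network-scanning technique the reason describes is T1046, so the line should read `"T1046 - Network Service Discovery"`. Since technique IDs are what dashboards and enrichment typically key on, a mismatched ID silently files this event under an unrelated host-level technique.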
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "Understanding the network configuration by querying VPCs helps an attacker identify the architecture, including subnets, route tables, and network ACLs. This information can reveal how the network is structured and potential points for further exploitation." + }, + { + "technique": "T1040 - Network Sniffing", + "reason": "By describing the VPCs, attackers can identify potential points of network sniffing to capture valuable information traversing the network." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Understanding the VPCs helps in mapping out the cloud environment, potentially identifying accounts that manage or are associated with those VPCs." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "By describing VPCs, adversaries can identify trusts between different VPCs or between on-premises and cloud environments, aiding lateral movement and privilege escalation attempts." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Describing VPCs directly aligns with gathering information about cloud network configurations, including CIDR blocks, subnets, and associated components." + }, + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Discovering details about VPCs is part of a broader effort to map out cloud services and their configurations, providing a clearer picture of the cloud environment's landscape." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/EnableSerialConsoleAccess.json b/events/EC2/EnableSerialConsoleAccess.json index 521a589..02c3565 100644 --- a/events/EC2/EnableSerialConsoleAccess.json +++ b/events/EC2/EnableSerialConsoleAccess.json 
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Enabling serial console access allows attackers to execute commands directly in the Unix shell of the EC2 instances." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Serial console access can be used to manipulate or create new accounts on the instance, ensuring persistent access." + }, + { + "technique": "T1037 - Boot or Logon Initialization Scripts", + "reason": "Attackers can use the console to modify initialization scripts, ensuring their scripts run on startup for persistence." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Serial console access might be exploited using compromised credentials, allowing attackers to use valid accounts to access the console." + }, + { + "technique": "T1547 - Boot or Logon Autostart Execution", + "reason": "The serial console can be used to modify system configurations or add scripts to ensure code execution upon system start." + }, + { + "technique": "T1543 - Create or Modify System Process", + "reason": "If the instances are running Windows, attackers might use the serial console to create or modify services for persistence and privilege escalation." + }, + { + "technique": "T1055 - Process Injection", + "reason": "Serial console access could potentially be used for injecting code into running processes to evade defenses" + }, + { + "technique": "T1207 - Rogue Domain Controller", + "reason": "Attackers with console access could promote a compromised instance to a domain controller in an Active Directory environment, escalating privileges." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "The serial console allows attackers to directly interact with the system to delete logs and other indicators of their presence." 
+ } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/GetConsoleScreenshot.json b/events/EC2/GetConsoleScreenshot.json index a504de3..ecf158f 100644 --- a/events/EC2/GetConsoleScreenshot.json +++ b/events/EC2/GetConsoleScreenshot.json @@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1113 - Screen Capture", + "reason": "The GetConsoleScreenshot API call captures a screenshot of a running EC2 instance, providing a visual snapshot of the system's state. This can reveal sensitive information displayed on the screen, such as open applications, user activities, or visible credentials." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "The screenshot can provide insights into user accounts and other details visible on the instance, aiding in account discovery." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "The screenshot might reveal running processes or applications, helping in process discovery." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "Screenshots may reveal network configurations displayed on the system's desktop." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Information visible in the screenshot might provide details about other systems or network topology." + }, + { + "technique": "T1110 - Brute Force", + "reason": "If the screenshot shows login prompts or error messages related to login attempts, it can aid in brute force attempts." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/GetEbsDefaultKmsKeyId.json b/events/EC2/GetEbsDefaultKmsKeyId.json index e30a340..b42d436 100644 --- a/events/EC2/GetEbsDefaultKmsKeyId.json +++ b/events/EC2/GetEbsDefaultKmsKeyId.json 
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving the default KMS key provides information about the encryption settings of the EBS volumes in the account." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "By knowing the KMS key, attackers could potentially access encrypted data if they manage to retrieve the corresponding encrypted volumes." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers could use this information to modify or disable encryption settings, impacting defenses." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might use the default KMS key information to create resources that appear legitimate but are malicious in nature." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/GetEbsEncryptionByDefault.json b/events/EC2/GetEbsEncryptionByDefault.json index 3b44915..be81e8b 100644 --- a/events/EC2/GetEbsEncryptionByDefault.json +++ b/events/EC2/GetEbsEncryptionByDefault.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1538 - Cloud Service Dashboard", + "reason": "Accessing configuration information through API calls to understand settings." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/GetFlowLogsIntegrationTemplate.json b/events/EC2/GetFlowLogsIntegrationTemplate.json index 2ec3d39..2468722 100644 --- a/events/EC2/GetFlowLogsIntegrationTemplate.json +++ b/events/EC2/GetFlowLogsIntegrationTemplate.json 
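Review bot: In the GetEbsEncryptionByDefault hunk the single entry `"T1538 - Cloud Service Dashboard"` contradicts its own reason, "Accessing configuration information through API calls": T1538 is specifically about using the web console/dashboard, and a CloudTrail event for an API call is by definition not that. The mapping that fits the reason is the one already in `mitreAttackTechniques` (T1580) or T1082, so I would either drop this entry or replace it with `"technique": "T1082 - System Information Discovery"` and a reason that names the encryption-by-default flag as the disclosed setting.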
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By analyzing the resulting template, adversaries might identify configurations and permissions related to valid accounts" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "The template could potentially include commands or scripts that are executed in the cloud environment, exploiting existing vulnerabilities for execution." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "The template could include configurations that disable or alter logging, monitoring, or other security tools." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The CloudFormation template could include obfuscated scripts or configurations to evade detection" + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "The setup process defined in the template might interact with remote services, offering a vector for exploitation." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "The information gleaned from the template can assist adversaries in understanding the network services in use, aiding in further network scanning and enumeration." + }, + { + "technique": "T1497 - Virtualization/Sandbox Evasion", + "reason": "The template could be designed to detect and avoid execution within certain virtualized environments or sandboxes, thereby evading analysis or detection." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The CloudFormation template might include scripts executed via command and scripting interpreters, which can be leveraged for execution." 
+ }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "By using the CloudFormation template to configure the VPC flow logs integration, adversaries can automate the collection, archiving, and storage of flow logs data, potentially using S3 to archive collected logs before exfiltration or analysis." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/GetLaunchTemplateData.json b/events/EC2/GetLaunchTemplateData.json index 6a1946a..4895e46 100644 --- a/events/EC2/GetLaunchTemplateData.json +++ b/events/EC2/GetLaunchTemplateData.json 
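Review bot: Most reasons in this hunk (T1203, T1027, T1497, T1059, T1210) assume the CloudFormation template is adversary-authored and "could include" malicious content, but GetFlowLogsIntegrationTemplate is a read-only call that returns an AWS-generated template to the caller, so these entries describe generic CloudFormation abuse rather than anything this event evidences; I am reading that from the API name and the reason text, so confirm against the API reference. The entries that do follow from the response, T1046 and T1078 (learning which log groups, buckets and roles the integration expects), are the ones worth keeping, and the T1562 reason should say that the retrieved template reveals where flow logs are routed rather than that it disables logging.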
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving the configuration data of instances can provide attackers with detailed system information that can be used for further reconnaissance and discovery of system characteristics." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Attackers might use this data to discover network shares and storage configurations, aiding in understanding the network topology and resources" + }, + { + "technique": "T1518 - Software Discovery", + "reason": "By accessing instance configuration data, attackers can determine what software is running on the instance, including security software, enabling them to plan further attacks." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Information obtained can be used to identify valid accounts within the cloud environment, potentially leading to misuse of credentials." + }, + { + "technique": "T1195 - Supply Chain Compromise", + "reason": "Attackers can create a launch template based on the retrieved data, embedding malicious software or configurations, thus compromising the software supply chain." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The configuration data may include scripts or commands that can be leveraged to gain further access or control over the instance" + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By understanding the configuration and storage locations, attackers can delete logs or files to evade detection" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Attackers might use the launch template to spin up instances for resource hijacking, such as cryptocurrency mining." + } + ], "usedInWild": true, "incidents": [ { 
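Review bot: The T1195 reason (`Attackers can create a launch template based on the retrieved data ...`) describes a write action that this read-only call does not perform; drop it or rephrase it as follow-on abuse of another event. T1135 Network Share Discovery is about SMB/NFS share enumeration and does not fit instance configuration data. What the list omits is the part of the returned data a practitioner actually worries about — if it includes the instance's user data, embedded secrets are exposed, which is `T1552 - Unsecured Credentials`; a hedged entry such as `"reason": "The returned launch template data may include the instance user data, which frequently embeds credentials or tokens"` would be more useful than several of the present ones.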
diff --git a/events/EC2/GetPasswordData.json b/events/EC2/GetPasswordData.json index 8476245..b254c3d 100644 --- a/events/EC2/GetPasswordData.json +++ b/events/EC2/GetPasswordData.json @@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1555 - Credentials from Password Stores" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By decrypting the administrator password with the key pair, an attacker can obtain valid credentials for the Windows instance, allowing them to log in with legitimate access. z If the Windows instance is part of a domain, obtaining the administrator password could provide domain-level access, enabling further exploitation within the domain. The password retrieved is for the local administrator account, giving full access to the instance's local resources and potentially allowing further escalation." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers can use the retrieved administrator credentials to create new accounts or manipulate existing ones to ensure continued access to the instance." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "With the administrator password, an attacker can remove access to existing accounts, locking out legitimate users and maintaining control over the instance." + }, + { + "technique": "T1548.002 - Abuse Elevation Control Mechanism", + "reason": "Once an attacker has the administrator password, they can bypass User Account Control (UAC) on the instance to elevate privileges without user consent." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker with administrator access might delete logs and other files to cover their tracks and ensure persistent access without detection." + } + ], "usedInWild": true, "incidents": [ { 
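Review bot: The T1078 reason has a stray ` z ` between its first two sentences, and it overstates the outcome: GetPasswordData returns the local Administrator password only, so `could provide domain-level access` should be qualified (that happens only if the same password is reused for a domain account). The T1548.002 entry is a sub-technique labelled with its parent's name; its proper label is `T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control`, and by the convention the other hunks follow it belongs in `mitreAttackSubTechniques`, which this file leaves empty.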
diff --git a/events/EC2/GetTransitGatewayRouteTableAssociations.json b/events/EC2/GetTransitGatewayRouteTableAssociations.json
index 28bb9ef..d558004 100644
--- a/events/EC2/GetTransitGatewayRouteTableAssociations.json
+++ b/events/EC2/GetTransitGatewayRouteTableAssociations.json
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1018 - Remote System Discovery", + "reason": "The API call provides information about the transit gateway route table associations, which can be used to identify and map remote systems within the network." + }, + { + "technique": "T1423 - Network Service Scanning", + "reason": "Understanding route table associations helps in scanning and identifying active services and their routing paths, facilitating network service discovery." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "By analyzing transit gateway associations, attackers can identify potential external services that can be targeted for initial access or further exploitation" + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Knowledge of network routes and associations is crucial for deploying and managing remote access tools within the network" + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Route table information can be used to facilitate the transfer of tools across different segments of the network, aiding lateral movement." + }, + { + "technique": "T1021 - Remote Services", + "reason": "The information obtained from the API call can be used to identify and exploit remote services for lateral movement or persistence" + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Attackers can use knowledge of network routing to communicate using application layer protocols that traverse the transit gateway routes" + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "The transit gateway route table associations provide valuable insights into the network's structure and configuration, useful for gathering detailed network information" + } + ], "usedInWild": true, "incidents": [ { 
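Review bot: `T1423 - Network Service Scanning` is a Mobile ATT&CK identifier; the Enterprise technique is `T1046 - Network Service Discovery`, which other hunks in this commit already use. T1590 Gather Victim Network Information belongs to the Reconnaissance tactic and covers pre-compromise collection, whereas this is an authenticated API call by an actor already inside the account — T1580 (the verified mapping) or T1018 cover it. The T1219 and T1570 reasons describe activities that route-table knowledge at most informs, so they read as padding rather than mappings.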
diff --git a/events/EC2/ImportKeyPair.json b/events/EC2/ImportKeyPair.json
index 5d30d7c..247f5f2 100644
--- a/events/EC2/ImportKeyPair.json
+++ b/events/EC2/ImportKeyPair.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "An attacker can import their own key pair to gain initial access to the AWS environment using a compromised or newly created account. The imported key can also be used to maintain persistent access. This can be applied to both cloud and domain accounts in the cloud, ensuring access across different services."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Attackers may delete logs or evidence after importing the keypair."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/EC2/ModifyImageAttribute.json b/events/EC2/ModifyImageAttribute.json
index f395434..ad99897 100644
--- a/events/EC2/ModifyImageAttribute.json
+++ b/events/EC2/ModifyImageAttribute.json
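Review bot: The T1070 reason (`Attackers may delete logs or evidence after importing the keypair`) describes nothing ImportKeyPair does; it applies equally to every event in the corpus and should be dropped or tied to a concrete action. The more defensible refinement is a sub-technique: an attacker-controlled public key imported into the account and later referenced at launch ends up in the instance's authorized keys, i.e. `T1098.004 - Account Manipulation: SSH Authorized Keys`, and `mitreAttackSubTechniques` is left empty here. The T1078 reason should also say that the call itself grants no access — the key only becomes usable when an instance is launched with that key name.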
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Modifying AMI launch permissions could allow an attacker to grant additional cloud accounts the ability to launch instances with the compromised AMI." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Modifying launchPermission can be used to grant access to valid accounts or remove access, effectively controlling which accounts can launch instances from the AMI." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Changing launch permissions to launch the AMI in an attacker AWS account might grant attackers access to instances where they can execute credential dumping tools." + }, + { + "technique": "T1021 - Remote Services", + "reason": "If the AMI is launched by specific users, it could enable the attacker to move laterally by exploiting remote services and admin privileges." + }, + { + "technique": "T1036 - Masquerading", + "reason": "By modifying the AMI description, attackers can disguise malicious activities under benign-sounding descriptions to evade detection." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/ModifyInstanceAttribute.json b/events/EC2/ModifyInstanceAttribute.json index 2fbeebb..73ec8c4 100644 --- a/events/EC2/ModifyInstanceAttribute.json +++ b/events/EC2/ModifyInstanceAttribute.json 
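Review bot: None of the reasons name the value that makes this event high-risk: a `launchPermission` add for group `all` makes the AMI public, which is the classic exposure misconfiguration and the case rules should key on separately from sharing with a single account (the T1537 path already verified). The T1021 reason (`If the AMI is launched by specific users, it could enable the attacker to move laterally ...`) does not follow from changing launch permissions and should be dropped. T1578 Modify Cloud Compute Infrastructure — its sub-technique `T1578.005 - Modify Cloud Compute Configurations`, if the project tracks it — is the closer fit for an attribute change and is absent.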
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Modifying instance attributes can involve, via modifications of the UserData, changing account settings to maintain access to the instance, including the use or creation of default, local, or cloud accounts." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Via modifications of the UserData an attacker could disable or modify security tools and defenses on the instance, impairing the system's ability to detect or respond to threats" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Modifying instance attributes could allow the hijacking of resources for unauthorized uses such as cryptocurrency mining. You could also increase the size of CPU or RAM" + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Changes in instance attributes could be used to facilitate the destruction of data on the instance, impacting the integrity and availability of information." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EC2/ModifySnapshotAttribute.json b/events/EC2/ModifySnapshotAttribute.json index a5aa8e3..673ce06 100644 --- a/events/EC2/ModifySnapshotAttribute.json +++ b/events/EC2/ModifySnapshotAttribute.json 
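Review bot: The reasons gesture at `UserData` but never state the mechanism a detection author needs: per the EC2 docs the `userData` attribute can only be changed on a stopped instance, and the new script runs on the next start with the instance profile's permissions, so StopInstances → ModifyInstanceAttribute(userData) → StartInstances is the sequence to correlate. The T1496 reason ends with the informal `You could also increase the size of CPU or RAM`; say what is changed, e.g. `changing the instanceType attribute to a larger instance size`. T1059 Command and Scripting Interpreter is missing even though user-data execution is exactly that, while T1485 Data Destruction has no plausible path through this call.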
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By adding permissions to a snapshot, attackers can grant access to unauthorized cloud accounts or default accounts, which can be used for persistence and privilege escalation." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "Adding permissions to a snapshot might expose sensitive files that contain credentials, aiding in credential access." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Removing permissions from a snapshot can be used to hide or delete evidence of unauthorized access, aiding in defense evasion." + }, + { + "technique": "T1530 - Data from Cloud Storage", + "reason": "By modifying snapshot permissions, attackers can gain access to sensitive data stored within snapshots, aiding in data collection and exfiltration." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying permissions could impair security controls or defenses by granting unauthorized access to the snapshots, potentially containing security-related configurations, backups, or tools." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "Modifying snapshot permissions could help attackers discover cloud accounts with access to the snapshot, aiding in further attacks." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "If a snapshot contains OS-level files, attackers can use it to extract credentials, aiding in credential access." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Snapshots can be used to stage data locally for later exfiltration, aiding in data collection and exfiltration" + } + ], "usedInWild": true, "incidents": [ { 
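Review bot: The T1087 reason is inverted — modifying `createVolumePermission` reveals nothing about accounts; it is DescribeSnapshotAttribute that lists who has access. The T1070 reason (`Removing permissions from a snapshot can be used to hide or delete evidence`) likewise conflates revoking a share with removing indicators; the realistic evasion is removing the share after the snapshot has been copied out, which is clean-up of the T1537 action rather than T1070. Missing is the high-severity case: a `createVolumePermission` add for group `all` makes the snapshot public, which rules should flag separately from account-scoped sharing.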
diff --git a/events/EC2/ReplaceIamInstanceProfileAssociation.json b/events/EC2/ReplaceIamInstanceProfileAssociation.json index 2df0ec1..f285865 100644 --- a/events/EC2/ReplaceIamInstanceProfileAssociation.json +++ b/events/EC2/ReplaceIamInstanceProfileAssociation.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + "T1098.003 - Account Manipulation: Additional Cloud Roles" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1548 - Abuse Elevation Control Mechanism", + "reason": "By changing the IAM instance profile, an attacker can elevate the privileges of the EC2 instance, allowing it to perform actions that require higher permissions. This abuse of the role mechanism can be used to execute privileged commands." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "By altering the IAM instance profile, an attacker can modify the authentication process. This change could allow the instance to authenticate as a different role with different permissions, potentially bypassing security controls." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "An attacker might replace an IAM instance profile to remove certain access controls or permissions temporarily to perform specific actions without triggering alerts or restrictions. Additionally they might remove the instances from the contol of certain accounts to maybe evade detection. AN example would be to remove access from known cloud security tools." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/RunInstances.json b/events/EC2/RunInstances.json index 9c464aa..b4482dc 100644 --- a/events/EC2/RunInstances.json +++ b/events/EC2/RunInstances.json 
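Review bot: The T1531 reason has typos (`contol`, `AN example`) and mixes two ideas: removing a security tool's access by swapping the role is `T1562 - Impair Defenses`, not Account Access Removal, which is about locking out users. T1556 Modify Authentication Process is a stretch too — the authentication path (IMDS to STS) is unchanged, only the role is, and the verified `T1098.003` already captures that. The sentence a reader needs is missing from the T1548 reason: any principal allowed `iam:PassRole` on a more privileged role plus this action obtains that role's permissions via the instance.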
@@ -13,6 +13,27 @@ "T1496 - Resource Hijacking", "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1133 - External Remote Services", + "reason": "Adversaries can launch EC2 instances that can be remotely accessed via SSH, RDP, or other protocols, gaining an initial access point into the AWS environment or maintaining persistence." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Launching instances directly modifies the cloud compute infrastructure, which can be leveraged by adversaries to create a foothold, evade defenses, or escalate privileges." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Instances launched can be used to transfer malicious tools into the cloud environment, supporting various attack strategies. This is especally true if the instance is initiated with an malicious image." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "New instances can facilitate the lateral movement of tools and malware across the cloud infrastructure, aiding in broader attack campaigns." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/SendSSHPublicKey.json b/events/EC2/SendSSHPublicKey.json index aca3075..ca939ae 100644 --- a/events/EC2/SendSSHPublicKey.json +++ b/events/EC2/SendSSHPublicKey.json 
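Review bot: The `T1578 - Modify Cloud Compute Infrastructure` entry has an exact sub-technique, `T1578.002 - Modify Cloud Compute Infrastructure: Create Cloud Instance`, which belongs in `mitreAttackSubTechniques` (left empty here) rather than in the unverified list. Typos in the T1105 reason: `especally` → `especially`, `an malicious image` → `a malicious image`. The T1570 reason is weak — a new instance does not by itself move tools laterally; if the intent is launching with an attacker-chosen `IamInstanceProfile` to obtain that role's credentials, that is the privilege-escalation angle worth naming instead.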
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1021 - Remote Services", + "reason": "Pushing an SSH public key to an EC2 instance allows remote access to the system over SSH. This API call enables secure communication and command execution on the instance, potentially giving adversaries the ability to interact with and control the system remotely." + }, + { + "technique": "T1136 - Create Account", + "reason": "Pushing a new SSH key can be seen as creating a new means of access for a specific user, akin to account creation." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "The API call modifies the authentication state of an EC2 instance, part of cloud compute infrastructure." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Pushing a new key could be used to temporarily bypass defenses or monitoring on the instance." + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "An adversary can misuse the SendSSHPublicKey API to gain unauthorized access to an EC2 instance by injecting their SSH key. This allows them to control the instance remotely, leveraging legitimate remote services for malicious purposes." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/SendSerialConsoleSSHPublicKey.json b/events/EC2/SendSerialConsoleSSHPublicKey.json index 49f5d9d..c10072a 100644 --- a/events/EC2/SendSerialConsoleSSHPublicKey.json +++ b/events/EC2/SendSerialConsoleSSHPublicKey.json 
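Review bot: `T1021 - Remote Services` is repeated in the unverified list although it is already the verified technique with sub-technique `T1021.004` set; drop the duplicate. The T1136 and T1562 reasons do not hold: per the EC2 Instance Connect docs the pushed key is valid for about 60 seconds and no account is created, so the call itself provides neither persistence nor a defence bypass — the persistence case is the caller then installing a permanent key, which would be `T1098.004`. T1210 also misfits, since the reason describes legitimate API use rather than exploitation of a vulnerable service.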
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1021 - Remote Services" ], + "mitreAttackSubTechniques": [ + "T1021.004 - Remote Services: SSH" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Once access is established, attackers can use the command and scripting interpreter to execute commands on the instance." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers may push their own SSH keys to the EC2 instances, effectively manipulating access control." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "After gaining access, attackers could disable security tools or logs to evade detection." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers may use legitimate commands and tools to mask their activities within the compromised instance" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "Exploiting the SSH access to execute further malicious code or scripts within the EC2 instance." + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Using SSH as a remote access tool to maintain control over the compromised EC2 instance." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers may use or create local accounts on the EC2 instance to facilitate further access and actions." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/SharedSnapshotCopyInitiated.json b/events/EC2/SharedSnapshotCopyInitiated.json index d27cbd3..e54fa05 100644 --- a/events/EC2/SharedSnapshotCopyInitiated.json +++ b/events/EC2/SharedSnapshotCopyInitiated.json 
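Review bot: The property that justifies a separate file for this event is missing from every reason: serial console access goes through the EC2 serial console endpoint, not the instance's network path, so it works even when security groups, NACLs and host firewalls block SSH — that is the detection-relevant point behind the T1021.004 mapping. Several reasons are generic (`Once access is established ...`, `After gaining access ...`) and would be true of any access vector; T1203 in particular describes a client-application exploit, which this is not. Per the AWS docs the pushed key is short-lived and the OS still prompts for a local user password, so `T1078 - Valid Accounts` is a prerequisite here rather than a consequence.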
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/SharedSnapshotVolumeCreated.json b/events/EC2/SharedSnapshotVolumeCreated.json index 9c23fc8..f4ac9fe 100644 --- a/events/EC2/SharedSnapshotVolumeCreated.json +++ b/events/EC2/SharedSnapshotVolumeCreated.json 
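Review bot: The T1027 reason (`Adversaries might obfuscate the data within snapshots ...`) does not apply to this event — the copy is performed by AWS and the content is opaque to CloudTrail either way; encrypting the copy with a KMS key in the attacker's account is better described under the verified T1537. `T1530 - Data from Cloud Storage Object` is the technique's old name; ATT&CK now calls it `Data from Cloud Storage`, which the ModifySnapshotAttribute hunk in this commit uses, so the label should match. T1567 Exfiltration Over Web Service is about third-party web services, not intra-AWS copies — again T1537.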
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms" + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/StartInstances.json b/events/EC2/StartInstances.json index 7f6f39c..9e0c937 100644 --- a/events/EC2/StartInstances.json +++ b/events/EC2/StartInstances.json 
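Review bot: This block is a verbatim copy of the SharedSnapshotCopyInitiated entries, and its reasons do not describe this event: `Copying a snapshot to another region or account` and `Creating a shared snapshot` are not what creating a volume from a shared snapshot does. This event is the consuming side — the recipient mounting the shared data — so the T1530 reason should say the new volume can be attached and read directly, and the T1074 Data Staged reason should go. `T1530 - Data from Cloud Storage Object` should also use the current name `Data from Cloud Storage` to match the ModifySnapshotAttribute hunk.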
@@ -11,6 +11,39 @@ "T1098 - Account Manipulation", "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1036 - Masquerading", + "reason": "Adversaries could rename stopped instances to appear legitimate and start them without raising alarms." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Attackers might schedule tasks to automatically start stopped instances at certain times to execute malicious actions" + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Once the instance is started, adversaries could transfer tools and malware to the instance for execution" + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Adversaries might start instances that have remote access tools installed to regain control over the environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Starting instances can impair defenses by creating new workloads that may not be monitored by existing security tools, enabling attackers to perform malicious activities without detection." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Attackers can directly use the StartInstances API call to manipulate the state of instances, aiding in persistence and execution of tasks." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Starting an instance can be used to stage data locally before exfiltration." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EC2/StopInstances.json b/events/EC2/StopInstances.json index 46fbc7b..34120eb 100644 --- a/events/EC2/StopInstances.json +++ b/events/EC2/StopInstances.json 
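Review bot: The T1036 reason (`rename stopped instances`) is not something StartInstances can do — instance names are tags changed via CreateTags — so the entry should be dropped or moved to that event. The T1562 reason asserts a defence gap (`may not be monitored by existing security tools`) that the call does not create. The actionable link is missing: starting a stopped instance after its user data was changed with ModifyInstanceAttribute is how injected user data gets executed, which ties this event to T1059 and to the StopInstances/ModifyInstanceAttribute sequence.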
@@ -11,6 +11,23 @@
 "T1499 - Endpoint Denial of Service",
 "T1578 - Modify Cloud Compute Infrastructure"
 ],
+ "mitreAttackSubTechniques": [
+ "T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1565 - Data Manipulation",
+ "reason": "Stopping an instance can be a precursor to manipulating the stored data, especially if the instance is hibernated and the memory contents are preserved but the disk is later modified."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Stopping instances can disable security monitoring tools and defenses running on those instances, hindering their ability to detect malicious activities."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "Stopping an instance directly impacts availability and can be used as part of a larger attack to disrupt services."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/EC2/TerminateInstances.json b/events/EC2/TerminateInstances.json
index 054b104..12ef749 100644
--- a/events/EC2/TerminateInstances.json
+++ b/events/EC2/TerminateInstances.json
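Review bot: `T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance` is the wrong sub-technique for StopInstances — stopping does not delete the instance; that sub-technique belongs on TerminateInstances, which in this commit does not carry it. ATT&CK has no sub-technique for stopping an instance, so `mitreAttackSubTechniques` should be empty here and the verified parent T1578 stands. The T1565 reason is plausible for the EBS-backed case (stop, snapshot or detach the root volume, modify, restart) but not for hibernation, which preserves memory rather than exposing the disk; drop the hibernation clause.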
@@ -11,6 +11,39 @@ "T1485 - Data Destruction", "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + "T1070.004 - Indicator Removal: File Deletion" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1489 - Service Stop", + "reason": "Terminating instances disrupts the availability of services hosted on those instances." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Terminating instances can remove defensive tools installed on those instances" + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Attackers might terminate instances to free up resources for other malicious activities." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The TerminateInstances API call can be a form of account manipulation when an attacker uses it to interfere with the normal operations of an account. By terminating instances, an attacker can disrupt services, remove evidence of their activities, and create obstacles for account recovery. This manipulation ensures that the attacker maintains control over the account’s activities and resources." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Terminating critical instances can be a form of denial of service against specific endpoints or applications." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "If instance termination leads to data loss or corruption, it can be considered a form of data manipulation." + }, + { + "technique": "T1488 - Disk Wipe", + "reason": "Terminating an instance with attached EBS volumes may result in wiping the data on those volumes if they are deleted as part of the termination process" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/ECS/CreateCluster.json b/events/ECS/CreateCluster.json index 744ed69..2741ea1 100644 --- a/events/ECS/CreateCluster.json +++ b/events/ECS/CreateCluster.json 
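Review bot: `T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance` is the exact sub-technique for this call and is missing from `mitreAttackSubTechniques`, which instead carries `T1070.004` (host-level file deletion — a stretch for an API call that destroys the whole instance). The T1488 reason should be precise: EBS volumes are deleted only when `DeleteOnTermination` is true (the default for the root volume), so volumes with that flag cleared survive termination and stay recoverable. The T1098 and T1496 reasons (`form of account manipulation`, `free up resources`) do not describe the call and should be dropped.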
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "The creation of a new cluster could be part of manipulating accounts within AWS, enabling the attacker to maintain control or establish backdoor access." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "New ECS clusters can be configured to run tasks at scheduled intervals, which can be used to execute malicious activities regularly." + }, + { + "technique": "T1090 - Proxy", + "reason": "An attacker might use the new ECS cluster to set up an external proxy, which can be used to relay commands and data, aiding in defense evasion and persistent access." + }, + { + "technique": "T1204 - User Execution", + "reason": "Creating an ECS cluster to run container images, which might be malicious, facilitating execution of malicious code in the environment." + }, + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "Creating new ECS clusters is a form of acquiring infrastructure within AWS, which can be used to support further malicious activities." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "The cluster could be used to deploy obfuscated code or data, making it harder to detect malicious activities." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Creating a new ECS cluster modifies the cloud compute infrastructure, which can be leveraged for both execution and evasion purposes." + }, + { + "technique": "T1584 - Compromise Infrastructure", + "reason": "Compromising cloud infrastructure to create ECS clusters enables attackers to establish control over resources. This can support further malicious activities, such as launching attacks or maintaining persistence in the environment." 
+ }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "An attacker might create a new ECS cluster to host services that exploit vulnerabilities in remote services for lateral movement or further attacks." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/ECS/CreateService.json b/events/ECS/CreateService.json index c4b6e2d..1f68b5f 100644 --- a/events/ECS/CreateService.json +++ b/events/ECS/CreateService.json 
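Review bot: `T1583 - Acquire Infrastructure` and `T1584 - Compromise Infrastructure` are Resource Development techniques covering attacker-side preparation outside the victim; a cluster created inside the victim's account with the victim's credentials is neither, and the T1578 entry already covers it. `T1204 - User Execution` requires a victim user to act, which CreateCluster does not involve. Most reasons here are hypotheticals about what a cluster could later host; the specific point worth keeping is that CreateCluster by itself runs nothing — execution comes from the task-launching calls, which is where detection should focus.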
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "By creating ECS services, adversaries can execute commands or scripts in the context of containers that run on Unix-based systems" + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "The AWS CreateService API call can be used to create tasks that modify authentication processes within a cloud environment." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Match Legitimate Name or Location: An adversary could create services with names that mimic legitimate services to avoid detection." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Malicious ECS tasks could communicate over common web protocols to blend in with normal network traffic." + }, + { + "technique": "T1090 - Proxy", + "reason": "Adversaries might set up a chain of ECS services to act as proxies, hiding their true location." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries might create services that deploy obfuscated scripts or binaries to evade detection." + }, + { + "technique": "T1046 - Network Service Discovery", + "reason": "ECS tasks might be used to run discovery scripts to enumerate network services." + }, + { + "technique": "T1210 - Exploitation of Remote Services", + "reason": "Adversaries might create services that exploit vulnerabilities in other services or tasks within the ECS cluster to gain unauthorized access or escalate privileges" + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/ECS/RegisterTaskDefinition.json b/events/ECS/RegisterTaskDefinition.json index 1d2ab65..3c3980b 100644 --- a/events/ECS/RegisterTaskDefinition.json +++ b/events/ECS/RegisterTaskDefinition.json 
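Review bot: The T1036 reason begins with `Match Legitimate Name or Location:`, which is the name of sub-technique `T1036.005`; either label the entry `T1036.005 - Masquerading: Match Legitimate Name or Location` and move it to `mitreAttackSubTechniques`, or drop the prefix. The T1059 reason says `Unix-based systems`, i.e. `T1059.004 - Command and Scripting Interpreter: Unix Shell` — same treatment. The T1556 reason is circular (`can be used to create tasks that modify authentication processes`); unless a concrete path is given, drop it.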
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Registering a task definition can be leveraged to create scheduled tasks within ECS, allowing for persistence and automated execution of malicious tasks." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Task definitions could be used to download and execute additional tools or scripts from external sources" + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "ECS tasks can be configured to disable or modify security tools within the container environment, aiding in defense evasion." + }, + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The task definitions can contain Unix shell commands, facilitating execution of malicious scripts or commands." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Malicious task definitions can be disguised as legitimate ones to evade detection and blend in with normal operations" + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Container definitions within ECS can include obfuscated or packed scripts and binaries, making detection harder." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EFS/DeleteFileSystem.json b/events/EFS/DeleteFileSystem.json index 183e94e..cc48bf4 100644 --- a/events/EFS/DeleteFileSystem.json +++ b/events/EFS/DeleteFileSystem.json 
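Review bot: The list omits the two task-definition fields that matter most: `taskRoleArn`/`executionRoleArn`, which let a task run as a role the caller can pass (privilege escalation via `T1098.003 - Additional Cloud Roles` when a more privileged role is passable), and `privileged`/host volume mounts, which enable container escape on EC2-backed clusters. Both are checkable from the event's `requestParameters`, unlike the T1036 and T1027 hypotheticals. The T1059 reason refers to Unix shell commands, so `T1059.004` is the sub-technique to record.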
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting an EFS file system removes all its contents, including logs and other forensic evidence, effectively erasing any indicators of malicious activity. This action helps attackers avoid detection by eliminating traces of their presence in the environment." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "Deleting an EFS file system alters the state of stored data by permanently removing it. This can disrupt operations and affect data integrity, making it a significant form of data manipulation." + }, + { + "technique": "T1107 - File Deletion", + "reason": "File deletion focuses on the removal of files to impact data availability or to hide malicious activity. Deleting a file system in AWS EFS results in the removal of all files and directories within that file system." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EFS/DeleteMountTarget.json b/events/EFS/DeleteMountTarget.json index 5684735..ea78bae 100644 --- a/events/EFS/DeleteMountTarget.json +++ b/events/EFS/DeleteMountTarget.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Removing a mount target may disrupt monitoring or defense mechanisms that rely on the file system for logging or other security functions." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the mount target and the associated network interface, traces and logs of malicious activity stored on the file system may be removed, aiding in defense evasion." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
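Review bot: `"T1107 - File Deletion"` in the DeleteFileSystem `unverifiedMitreAttackTechniques` block is a revoked ATT&CK ID; it was folded into the sub-technique T1070.004 (Indicator Removal: File Deletion), so any tooling that resolves IDs against a current STIX bundle will drop or mis-map this entry. Since T1070 is already listed two entries above, the cleanest fix is to delete the T1107 object and move the point into the empty `"mitreAttackSubTechniques"` array as `"T1070.004 - Indicator Removal: File Deletion"`. The `T1565 - Data Manipulation` entry also overlaps the already-verified `T1485 - Data Destruction` on the same file (destruction is not manipulation in ATT&CK's split), so consider dropping it rather than listing both.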
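Review bot: The T1070 reason added for DeleteMountTarget ("traces and logs of malicious activity stored on the file system may be removed") overstates what the call does; by the reason's own wording only the mount target and its network interface are removed, and the file system and its contents are left in place (verify against the EFS API reference, but that is my understanding). Suggest rewording to `"Removing the mount target severs access to the file system from that subnet, which can hide activity from hosts that relied on it; the data itself is not deleted."`, or dropping the entry and keeping only T1562, whose reason already describes the availability impact.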
diff --git a/events/EKS/AssociateAccessPolicy.json b/events/EKS/AssociateAccessPolicy.json index 3daafc4..244abb0 100644 --- a/events/EKS/AssociateAccessPolicy.json +++ b/events/EKS/AssociateAccessPolicy.json @@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By associating an access policy, attackers can use legitimate credentials to access the system, either by modifying existing ones or changing permissions." + }, + { + "technique": "T1543 - Create or Modify System Process", + "reason": "Associating an access policy can be used to modify the permissions of processes within the EKS environment, ensuring the attacker retains control or gains elevated privileges for their processes." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Associating access policies can assist attackers in evading detection by allowing them to remove or alter logs and other indicators that track account and permission changes, thereby obscuring their activities." + }, + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Modifying access policies might allow attackers to gain access to sensitive areas of the system where they can extract credentials." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Associating new access policies can help attackers use application layer protocols more effectively to communicate with compromised systems, especially if these policies grant access to necessary network services." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EKS/CreateAccessEntry.json b/events/EKS/CreateAccessEntry.json index 49ee346..71e6671 100644 --- a/events/EKS/CreateAccessEntry.json +++ b/events/EKS/CreateAccessEntry.json 
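Review bot: Three of the five new entries for AssociateAccessPolicy (T1070 Indicator Removal, T1003 OS Credential Dumping, T1071 Application Layer Protocol) give reasons that do not describe what the call does; binding an EKS access policy to an access entry grants Kubernetes permissions to an IAM principal and neither deletes logs, dumps credentials nor opens a C2 channel. The precise mapping is the account-manipulation sub-technique for cluster roles: current ATT&CK has `"T1098.006 - Account Manipulation: Additional Container Cluster Roles"` (please check against the ATT&CK version this repository tracks) and it belongs in the empty `"mitreAttackSubTechniques"` array. I would keep T1078 (as `T1078.004 - Valid Accounts: Cloud Accounts`) and T1543 as unverified candidates and drop the other three.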
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Creating an access entry for an IAM principal can establish valid credentials that can be used for access." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EKS/DescribeAccessEntry.json b/events/EKS/DescribeAccessEntry.json index cc3c63e..e85bfe0 100644 --- a/events/EKS/DescribeAccessEntry.json +++ b/events/EKS/DescribeAccessEntry.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The DescribeAccessEntry API call can be used to identify access permissions and configurations within the EKS service, revealing which cloud services are in use. This information helps attackers understand the cloud environment and potential targets." + }, + { + "technique": "T1587 - Develop Capabilities", + "reason": "Access information can aid in developing tailored malware that exploits specific permissions or configurations discovered within EKS." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EKS/DescribeCluster.json b/events/EKS/DescribeCluster.json index 82df964..34ff9d7 100644 --- a/events/EKS/DescribeCluster.json +++ b/events/EKS/DescribeCluster.json 
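Review bot: `"T1587 - Develop Capabilities"` in the DescribeAccessEntry hunk is a Resource Development technique that happens in adversary-controlled infrastructure before or outside the intrusion, so it cannot be evidenced by a CloudTrail read event and will not be useful for the dashboard's tactic buckets. The T1526 entry already covers the discovery value of this call; suggest removing the T1587 object, or if the intent is "the output informs later attacks", fold that into the T1526 reason instead.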
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Information from DescribeCluster can reveal IAM roles and identities associated with the cluster, aiding in the discovery of accounts." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "The DescribeCluster call might include details about Kubernetes RBAC roles and permissions, helping to discover privilege groups." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "The DescribeCluster API reveals extensive system information about the EKS cluster, such as Kubernetes version, endpoint, and VPC configuration, aiding in system information discovery." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "The DescribeCluster call can provide insights into how the cluster is integrated with other AWS services and trust relationships, such as IAM roles and policies" + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EKS/ListAssociatedAccessPolicies.json b/events/EKS/ListAssociatedAccessPolicies.json index 5f3802a..dee0f1b 100644 --- a/events/EKS/ListAssociatedAccessPolicies.json +++ b/events/EKS/ListAssociatedAccessPolicies.json 
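Review bot: The T1069 reason for DescribeCluster asserts the response "might include details about Kubernetes RBAC roles and permissions"; as far as I know DescribeCluster returns cluster metadata (endpoint, version, VPC/logging/OIDC config, access config mode) and no RBAC bindings, so the hedge should be made explicit or the entry dropped. `"T1482 - Domain Trust Discovery"` is the Windows/AD domain-trust technique and does not describe IAM integration; if you want to keep a trust-related entry, the T1082 reason already covers the endpoint/VPC/IAM details, so I would remove T1482 here.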
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery - Cloud Account", + "reason": "Listing associated access policies allows adversaries to discover the cloud accounts associated with those policies, identifying potential targets" + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By listing the access policies, adversaries can discern the permission groups within the EKS cluster, aiding in understanding the permissions and roles configured." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Listing access policies helps map out the services and permissions in use, aiding in reconnaissance efforts to identify potential targets and vulnerabilities." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "By listing associated access policies, adversaries might identify misconfigurations or unsecured credentials that can be exploited to gain further access." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EKS/ListClusters.json b/events/EKS/ListClusters.json index 53b9a93..a21438e 100644 --- a/events/EKS/ListClusters.json +++ b/events/EKS/ListClusters.json 
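Review bot: Two identifier-format problems in the ListAssociatedAccessPolicies hunk: `"T1087 - Account Discovery - Cloud Account"` is a sub-technique (T1087.004) written with the parent ID and an ad-hoc separator, and `"T1046 - Network Service Scanning"` uses the old name (the DescribeLoadBalancers file in this same commit writes `T1046 - Network Service Discovery`). Suggest `"T1087.004 - Account Discovery: Cloud Account"` in `"mitreAttackSubTechniques"` and `"T1046 - Network Service Discovery"` for the parent, so the repo uses one `Txxxx.yyy - Parent: Sub` form throughout. The T1552 reason ("might identify ... unsecured credentials") is also hard to support, since the call lists policy ARNs and scopes, not secrets.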
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "Listing EKS clusters helps adversaries understand the cloud services being used and their configurations." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By listing clusters, attackers can infer the structure and number of accounts that manage these resources." + }, + { + "technique": "T1135 - Network Share Discovery", + "reason": "Knowing the clusters can help adversaries understand shared network resources within the EKS environment." + }, + { + "technique": "T1007 - Network Service Scanning", + "reason": "Identifying clusters can help adversaries in mapping the network services exposed by these clusters." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Identifying clusters helps in understanding the internal network architecture and relationships." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/ELB/CreateRule.json b/events/ELB/CreateRule.json index 8e8a6df..6977584 100644 --- a/events/ELB/CreateRule.json +++ b/events/ELB/CreateRule.json 
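Review bot: `"T1007 - Network Service Scanning"` in the ListClusters hunk pairs the wrong ID with the name; T1007 is System Service Discovery, and network service scanning/discovery is T1046. Decide which was meant and write it as `"T1046 - Network Service Discovery"` (matching the DescribeLoadBalancers entry in this commit) or `"T1007 - System Service Discovery"`. `"T1135 - Network Share Discovery"` (SMB/NFS shares) also has no plausible link to an EKS ListClusters call and should probably be removed.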
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "By creating a malicious rule that directs traffic to a compromised endpoint, an attacker could exploit vulnerabilities in client applications to execute malicious code." + }, + { + "technique": "T1190 - Exploit Public-Facing Application", + "reason": "By modifying or creating new rules, an attacker could exploit vulnerabilities in the public-facing application load balancer to gain initial access." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Creating rules that redirect traffic to malicious servers using HTTP/S or mail protocols for command and control communication." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Rules could be used to disable security controls or modify traffic patterns to evade detection tools and logs." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Rules can be set to allow the transfer of malicious tools or payloads through the load balancer to a compromised system." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers can create rules that handle or route traffic in a manner that uses encoded or obfuscated data. This can include routing traffic to endpoints that encrypt the data payloads or encode commands to be less conspicuous" + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Rules could be used to route traffic in ways that delete or bypass log files to avoid detection." + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "Creating rules that direct traffic to perform unauthorized actions like cryptocurrency mining or other forms of resource hijacking." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
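Review bot: Several of the eight new ELB CreateRule entries describe outcomes a listener rule cannot produce, which weakens the dataset more than an empty list would. `T1190 - Exploit Public-Facing Application` is an Initial Access technique, but a principal calling CreateRule is already authenticated to AWS; `T1496 - Resource Hijacking` ("direct traffic to perform ... cryptocurrency mining") and `T1070 - Indicator Removal` ("route traffic in ways that delete ... log files") do not correspond to any effect of a routing rule. I would keep T1071/T1105 (traffic redirection to attacker-controlled targets is real) and T1562 (forwarding around a WAF-protected listener), and drop T1190, T1203, T1070 and T1496.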
diff --git a/events/ELB/DescribeListeners.json b/events/ELB/DescribeListeners.json index 6a54379..f494fed 100644 --- a/events/ELB/DescribeListeners.json +++ b/events/ELB/DescribeListeners.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "By describing listeners, an adversary could identify configurations and attributes related to the load balancer, which may include discovering IAM roles or users with specific permissions." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Describing listeners provides details about the services exposed by the load balancer, which helps in scanning and understanding the network topology." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Querying listener details can reveal information about the permissions and roles associated with the load balancer, providing insight into group policies." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Load balancers typically handle various application layer protocols, and knowing listener configurations can assist in crafting command and control channels over allowed protocols." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/ELB/DescribeLoadBalancers.json b/events/ELB/DescribeLoadBalancers.json index 685f148..1d530be 100644 --- a/events/ELB/DescribeLoadBalancers.json +++ b/events/ELB/DescribeLoadBalancers.json 
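Review bot: The T1087 and T1069 reasons for DescribeListeners claim the output "may include discovering IAM roles or users" and "permissions and roles associated with the load balancer"; to my knowledge the response carries protocol, port, certificates and default actions, not IAM data, so both entries are unsupported and should be removed or rewritten around what the call actually returns. `"T1046 - Network Service Scanning"` should also use the current name `"T1046 - Network Service Discovery"`, as the DescribeLoadBalancers file in the same commit already does.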
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The DescribeLoadBalancers API call directly provides information about the cloud infrastructure, specifically the load balancers, which can be used to understand the deployment and configurations of network resources in the cloud." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Describing load balancers allows an adversary to obtain details on how network traffic is managed and routed within the cloud environment. This information can reveal critical network components and their configurations." + }, + { + "technique": "T1046 - Network Service Discovery", + "reason": "Describing load balancers can reveal the network services that are being managed by these load balancers, including ports, protocols, and the IP ranges used, which are crucial for understanding the network service layout." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "Load balancers often manage external access to services. By describing them, an adversary can identify the external endpoints and understand how remote services are being accessed and managed." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "The DescribeLoadBalancers API call can provide information on how load balancers are configured across different domains, revealing trust relationships and how traffic is managed between different parts of the network." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EventBridge/DeleteRule.json b/events/EventBridge/DeleteRule.json index d4855c2..204d18f 100644 --- a/events/EventBridge/DeleteRule.json +++ b/events/EventBridge/DeleteRule.json 
@@ -11,6 +11,23 @@ "T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting a rule, attackers can remove evidence of malicious activity." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers might delete rules to alter the behavior of scheduled tasks, maintaining persistence. By manipulating accounts and associated rules, they ensure their malicious processes can run without interruption or detection." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Deleting rules can weaken security monitoring by removing triggers that would generate alerts, effectively blinding security teams to ongoing malicious activities. This action allows attackers to operate with reduced risk of detection, making further exploitation easier." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EventBridge/DisableRule.json b/events/EventBridge/DisableRule.json index 74fa5ba..1af3798 100644 --- a/events/EventBridge/DisableRule.json +++ b/events/EventBridge/DisableRule.json @@ -11,6 +11,23 @@ "T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Disabling a rule can be used to impair defenses by preventing the triggering of certain automated responses or detections." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "T1531 - Account Access Removal" + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Disabling a rule can be a part of removing evidence of the attack by stopping logging and monitoring for certain activities, which helps in evading detection." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
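Review bot: `"T1098 - Account Manipulation"` in the DeleteRule hunk does not fit: deleting an EventBridge rule changes no account, credential or permission, and the reason text ("manipulating accounts and associated rules") never names an account change. The persistence angle it is reaching for is already covered by T1489/T1578 on the verified list, so I would drop the T1098 object and keep T1070 and T1562.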
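Review bot: In the DisableRule hunk the T1531 entry has a placeholder reason: `"reason": "T1531 - Account Access Removal"` just repeats the technique name, so it will render as an empty justification in any consumer of this dataset. Either write the reason (for example `"Disabling a rule that triggers automated access-revocation or alerting workflows can leave an account unmanaged; the link to account access removal is indirect."`) or remove the object, since disabling a rule does not itself remove anyone's access.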
diff --git a/events/EventBridge/ListRules.json b/events/EventBridge/ListRules.json index 42488d9..1da3e0b 100644 --- a/events/EventBridge/ListRules.json +++ b/events/EventBridge/ListRules.json @@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By using ListRules to view the configuration of EventBridge rules, an adversary gains understanding of the event-driven workflows and integrations within the target's AWS environment. This can reveal insights into operational processes and potential areas for deeper exploration or exploitation." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Listing rules helps attackers understand what events are being monitored, giving insight into the environment." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By examining the conditions and targets of EventBridge rules, attackers can infer the roles and permissions required to trigger these rules, which might provide insights into permission configurations and potential privilege escalation paths." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Identifying EventBridge rules can help attackers understand the configuration and interconnectivity of remote systems and services in the environment." + }, + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "Listing rules may reveal integrations and trust relationships with other domains or AWS accounts, aiding in the mapping of domain trust paths." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EventBridge/ListTargetsByRule.json b/events/EventBridge/ListTargetsByRule.json index 339e079..dc0fa62 100644 --- a/events/EventBridge/ListTargetsByRule.json +++ b/events/EventBridge/ListTargetsByRule.json 
@@ -9,6 +9,43 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1007 - System Service Discovery", + "reason": "Attackers can use this API call to discover information about targets assigned to specific rules within the AWS EventBridge service, providing insights into potentially vulnerable or interesting systems." + }, + { + "technique": "T1087 - Account Discovery", + "reason": "By listing targets assigned to rules, an attacker can gather information about AWS accounts and their configurations, aiding in understanding the environment and potential attack paths." + }, + { + "technique": "T1046 - Network Service Scanning", + "reason": "Understanding the targets associated with EventBridge rules allows an attacker to potentially identify network services that could be targeted for further exploration or exploitation." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "The API call provides information about remote systems (AWS resources) that are targeted by specific rules, aiding attackers in identifying potential entry points into the environment." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Listing targets by rule in EventBridge can reveal details about the users or roles associated with those resources. This information helps attackers identify key personnel or accounts with access, aiding in targeted attacks or privilege escalation efforts." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "The ListTargetsByRule call can be used to discover the targets (potentially processes or functions) that are triggered by specific CloudWatch rules, helping attackers understand what processes might be running in the environment." 
+ }, + { + "technique": "T1087 - Account Discovery", + "reason": "By understanding the targets associated with specific rules, attackers might infer the existence of certain IAM roles or accounts that have the permissions to execute these targets." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By listing the targets of rules, attackers can identify which resources and permissions are associated with specific rules, aiding in understanding the permission structures." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/EventBridge/PutRule.json b/events/EventBridge/PutRule.json index c1c6d44..a136b53 100644 --- a/events/EventBridge/PutRule.json +++ b/events/EventBridge/PutRule.json @@ -13,6 +13,27 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1546 - Event Triggered Execution" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1205 - Traffic Signaling", + "reason": "EventBridge rules can be configured to trigger signals that facilitate command and control communication, masking malicious traffic as legitimate event triggers." + }, + { + "technique": "T1053 - Scheduled Task/Job: Scheduled Task", + "reason": "Creating or updating EventBridge rules can schedule tasks or jobs that perform malicious activities without user intervention." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By manipulating EventBridge rules, attackers can potentially alter the flow of logs and events to hide their activities." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By updating EventBridge rules, attackers can disable or modify security tools and alerts, impairing defenses and ensuring continued access." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EventBridge/PutTargets.json b/events/EventBridge/PutTargets.json index 8a2c3cb..bbc1229 100644 --- a/events/EventBridge/PutTargets.json 
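Review bot: The ListTargetsByRule hunk lists `"T1087 - Account Discovery"` twice (once after T1007, again after T1057) with different reasons; duplicate technique keys will double-count in anything that aggregates by technique. Merge them into one object, e.g. `"reason": "Listing targets reveals the resource ARNs and role ARNs a rule invokes, which lets an attacker infer which IAM roles and accounts exist and have execution permissions."`, and change `"T1046 - Network Service Scanning"` to the current name `"T1046 - Network Service Discovery"` for consistency with the DescribeLoadBalancers file in this commit.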
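Review bot: `"T1053 - Scheduled Task/Job: Scheduled Task"` in the PutRule hunk is the name of the Windows sub-technique T1053.005 written with the parent ID; an EventBridge schedule rule maps to the parent only. Change it to `"T1053 - Scheduled Task/Job"`, or if a sub-technique is wanted put it in `"mitreAttackSubTechniques"` with its real ID. The `T1205 - Traffic Signaling` entry (port knocking / magic packets) is also a poor fit for a rule that matches events, and could be dropped.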
+++ b/events/EventBridge/PutTargets.json @@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1546 - Event Triggered Execution" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution" + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution" + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "The attacker could configure targets that download and execute malicious tools, facilitating further exploitation." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "If targets are added to an event rule to trigger actions like archiving (e.g., invoking a Lambda function to zip and store data in an S3 bucket), this can be used to collect and prepare data for later exfiltration." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "The attacker could configure targets to delete logs or other indicators of compromise upon execution, aiding in defense evasion" + }, + { + "technique": "T1203 - Exploitation for Client Execution", + "reason": "An attacker could create or modify a target to execute a particular payload or exploit code on services that are automatically triggered by the event, which might lead to exploiting client applications or services." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/EventBridge/RemoveTargets.json b/events/EventBridge/RemoveTargets.json index ba9fc66..717ebf0 100644 --- a/events/EventBridge/RemoveTargets.json +++ b/events/EventBridge/RemoveTargets.json 
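Review bot: The T1098 object in the PutTargets hunk carries a copy-pasted reason — it is byte-identical to the T1059 reason above it ("An attacker could add a target that executes a script or command interpreter...") and says nothing about account manipulation. Either replace it with a reason that does, e.g. `"A target such as a Lambda function or Systems Manager automation can be added that creates keys, attaches policies or modifies users whenever the rule fires."`, or remove the entry.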
@@ -11,6 +11,19 @@ "T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Manipulating EventBridge rules by removing targets can alter the capabilities and behaviors of accounts without directly deleting them." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Removing security monitoring targets from EventBridge rules can impair defenses by preventing certain security actions from being triggered." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Glue/CreateDevEndpoint.json b/events/Glue/CreateDevEndpoint.json index 650114f..25ac955 100644 --- a/events/Glue/CreateDevEndpoint.json +++ b/events/Glue/CreateDevEndpoint.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1133 - External Remote Services", + "reason": "Development endpoints can be accessed remotely, providing a vector for persistent remote access by attackers." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Glue/CreateJob.json b/events/Glue/CreateJob.json index b98ca5a..0193888 100644 --- a/events/Glue/CreateJob.json +++ b/events/Glue/CreateJob.json 
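Review bot: The T1098 reason added for RemoveTargets ("alter the capabilities and behaviors of accounts without directly deleting them") does not describe an account change; RemoveTargets detaches invocation targets from a rule and leaves IAM users, roles and keys untouched. Suggest dropping that object; the defensive-impact angle is already captured by the T1562 entry and the verified T1489/T1578 mappings.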
@@ -9,6 +9,47 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Glue jobs can be defined to execute Python scripts for various data manipulation tasks." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Glue jobs can be used to collect, compress, and store large datasets, which can later be exfiltrated." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Job definitions may include obfuscated scripts or commands to avoid detection." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Glue jobs can be configured to stage data in S3 buckets, making it easier for exfiltration." + }, + { + "technique": "T1083 - File and Directory Discovery", + "reason": "Glue jobs can be scripted to discover and list files and directories in S3 or other storage services." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Glue jobs might be used to exfiltrate data using DNS queries, a method that can bypass some network monitoring tools. Python or Java jobs are extremely likely to do this. Glue jobs can send data over HTTP/S, facilitating communication with external servers for command and control or exfiltration" + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Glue jobs can be created to download and execute additional scripts or tools from external sources." + }, + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "Data processed by Glue jobs can be moved to external cloud storage for exfiltration purposes." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "Glue jobs might access files containing credentials, which can then be exfiltrated." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
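Review bot: The T1071 reason in the Glue CreateJob hunk contains an unsupported claim that reads like an editing leftover: "Python or Java jobs are extremely likely to do this" (exfiltrate over DNS) has no basis and will be quoted as fact by consumers of this dataset. Trim it to `"Glue job scripts can make arbitrary outbound HTTP/S or DNS requests from the job runtime, which can be used for command and control or exfiltration."`, and note that DNS-based exfiltration is more precisely `T1048 - Exfiltration Over Alternative Protocol`, which is missing while T1567 is present.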
diff --git a/events/Glue/UpdateDevEndpoint.json b/events/Glue/UpdateDevEndpoint.json index 838a165..f1e9b34 100644 --- a/events/Glue/UpdateDevEndpoint.json +++ b/events/Glue/UpdateDevEndpoint.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Glue allows the use of Python scripts - updating the endpoint could change the scripts to execute arbitrary code directly in the development environment." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Adversaries may update the endpoint to include scripts that delete logs or other files, helping to evade detection." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Updates could involve obfuscated scripts or configurations to hide malicious code and evade detection mechanisms" + }, + { + "technique": "T1036 - Masquerading", + "reason": "Adversaries could update the endpoint to masquerade malicious activities as legitimate by matching names or locations." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Glue/UpdateJob.json b/events/Glue/UpdateJob.json index fc18b66..de6b504 100644 --- a/events/Glue/UpdateJob.json +++ b/events/Glue/UpdateJob.json 
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1036 - Masquerading", + "reason": "Adversaries can modify the job definition to make the job appear legitimate, effectively hiding malicious activities within a seemingly benign job." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Updating a job definition can include instructions to remove or alter logs and other artifacts, helping adversaries evade detection." + }, + { + "technique": "T1480 - Execution Guardrails", + "reason": "Adversaries can update the job definition to include specific conditions or constraints, ensuring the job only executes under certain circumstances, which helps in evading detection." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "Adversaries can alter the job definition to manipulate data processed by the Glue job, affecting the integrity and outcome of the data workflows." + }, + { + "technique": "T1496 - Resource Hijacking", + "reason": "By altering job definitions, adversaries can repurpose AWS Glue jobs for their own computational needs, impacting the resource allocation of the environment." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/CreateFilter.json b/events/GuardDuty/CreateFilter.json index b92b584..79eccb5 100644 --- a/events/GuardDuty/CreateFilter.json +++ b/events/GuardDuty/CreateFilter.json @@ -9,6 +9,10 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/CreateIPSet.json b/events/GuardDuty/CreateIPSet.json index d22e05e..6e1ac2c 100644 --- a/events/GuardDuty/CreateIPSet.json +++ b/events/GuardDuty/CreateIPSet.json 
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Adding an IP address to a trusted list effectively removes the monitoring of network traffic and activities associated with that IP, making it undetectable by GuardDuty, similar to how indicator removal hides evidence of malicious activity." + }, + { + "technique": "T1090 - Proxy", + "reason": "Adversaries may use a proxy to route their traffic through trusted IP addresses added to the IPSet, thereby evading detection and maintaining persistence." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/DeleteDetector.json b/events/GuardDuty/DeleteDetector.json index efacc01..e12f53b 100644 --- a/events/GuardDuty/DeleteDetector.json +++ b/events/GuardDuty/DeleteDetector.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting the GuardDuty detector can be part of a larger strategy to destroy or manipulate security configurations and logs, impacting the integrity of the security monitoring system." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/DeleteInvitations.json b/events/GuardDuty/DeleteInvitations.json index c465140..e14b224 100644 --- a/events/GuardDuty/DeleteInvitations.json +++ b/events/GuardDuty/DeleteInvitations.json 
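Review bot: For DeleteDetector the `"mitreAttackSubTechniques"` array only lists T1562.001, but current ATT&CK has a cloud-specific sub-technique, `"T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"`, whose description explicitly covers disabling GuardDuty detectors (please confirm against the ATT&CK version this repo tracks). Adding it there would make the mapping more precise than the generic "Disable or Modify Tools". The T1485 entry is defensible only because deleting a detector also deletes its findings; the reason should say that rather than "part of a larger strategy".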
@@ -9,6 +9,16 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools", + "T1562.006 - Impair Defenses: Indicator Blocking" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting GuardDuty invitations can be seen as a form of defense evasion by removing traces of an invitation that might otherwise be used for investigative purposes. Invitations could be used by security teams to track and verify legitimate connections between AWS accounts. By removing these invitations, the adversary might prevent the detection of unauthorized or suspicious account activities." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/DeleteMembers.json b/events/GuardDuty/DeleteMembers.json index ebd98bc..c3703d1 100644 --- a/events/GuardDuty/DeleteMembers.json +++ b/events/GuardDuty/DeleteMembers.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting GuardDuty member accounts can prevent legitimate accounts from getting data from member accounts, thus disrupting monitoring and security alerts." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting member accounts, logs and other related files might be purged or altered, aiding in hiding the malicious activities." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Deleting GuardDuty member accounts involves altering account configurations, potentially changing access controls or permissions. This action can disrupt security monitoring and allow unauthorized activities to go undetected." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
diff --git a/events/GuardDuty/DeletePublishingDestination.json b/events/GuardDuty/DeletePublishingDestination.json index 59e7e08..beb7a9e 100644 --- a/events/GuardDuty/DeletePublishingDestination.json +++ b/events/GuardDuty/DeletePublishingDestination.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1565 - Data Manipulation", + "reason": "By deleting the publishing destination, critical security findings are not reported, which can be seen as manipulating the availability of security data and hindering incident response efforts." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/DisassociateFromMasterAccount.json b/events/GuardDuty/DisassociateFromMasterAccount.json index 9e67fc1..487d78e 100644 --- a/events/GuardDuty/DisassociateFromMasterAccount.json +++ b/events/GuardDuty/DisassociateFromMasterAccount.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "This involves actions taken to manipulate accounts to maintain access or evade detection. Disassociating the GuardDuty member account from its master account can be seen as a form of account manipulation to avoid centralized logging and monitoring." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Disassociating from the master account effectively removes the centralized management and monitoring capabilities, making it harder to regain control or visibility over the account." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/DisassociateMembers.json b/events/GuardDuty/DisassociateMembers.json index f817954..61b2721 100644 
--- a/events/GuardDuty/DisassociateMembers.json +++ b/events/GuardDuty/DisassociateMembers.json @@ -9,6 +9,20 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "By disassociating member accounts, an adversary could remove access to GuardDuty for specific accounts, reducing the ability to detect and respond to malicious activities." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Disassociating member accounts might effectively stop the GuardDuty service from monitoring those accounts, similar to stopping a security service to avoid detection." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/GetDetector.json b/events/GuardDuty/GetDetector.json index 83ea494..9ced2de 100644 --- a/events/GuardDuty/GetDetector.json +++ b/events/GuardDuty/GetDetector.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving a GuardDuty detector provides information about the security monitoring and configurations in the AWS environment." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Accessing the GuardDuty detector can give insights into the cloud infrastructure setup and the security measures in place." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/GetFindings.json b/events/GuardDuty/GetFindings.json index 8698c59..af3cad0 100644 --- a/events/GuardDuty/GetFindings.json +++ b/events/GuardDuty/GetFindings.json 
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1057 - Process Discovery", + "reason": "Adversaries can use the findings to discover details about processes running on compromised instances, aiding them in identifying and targeting specific processes for further exploitation." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "An adversary can identify findings that indicate automated data exfiltration activities, allowing them to understand what methods were detected and possibly refine their tactics." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Analyzing findings can help adversaries discover details about the cloud infrastructure, such as the types of resources and their configurations, aiding in planning further attacks." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/ListDetectors.json b/events/GuardDuty/ListDetectors.json index 2c89c7a..f1c1a05 100644 --- a/events/GuardDuty/ListDetectors.json +++ b/events/GuardDuty/ListDetectors.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Knowledge of detector IDs can guide attackers in identifying monitored versus unmonitored cloud assets, facilitating targeted reconnaissance on less protected resources." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/ListFindings.json b/events/GuardDuty/ListFindings.json index 4a1f519..ce1fb8f 100644 --- a/events/GuardDuty/ListFindings.json +++ b/events/GuardDuty/ListFindings.json 
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1057 - Process Discovery", + "reason": "By retrieving and analyzing finding IDs, attackers can discover details about processes associated with GuardDuty findings, helping them understand which processes were flagged and why." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/GuardDuty/ListIPSets.json b/events/GuardDuty/ListIPSets.json index be6afa2..e5c7b69 100644 --- a/events/GuardDuty/ListIPSets.json +++ b/events/GuardDuty/ListIPSets.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "Listing IPSets provides insights into the network's structure and the external IPs that are considered trusted or monitored. This information is crucial for attackers to map out the network and plan their actions accordingly." + }, + { + "technique": "T1016 - System Network Configuration Discovery", + "reason": "By accessing the list of IPSets, attackers can understand the network configuration, including which IP addresses are allowed or blocked. This helps in identifying potential weak points or entry points into the network." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/StopMonitoringMembers.json b/events/GuardDuty/StopMonitoringMembers.json index 7a2b856..cefcd87 100644 --- a/events/GuardDuty/StopMonitoringMembers.json +++ b/events/GuardDuty/StopMonitoringMembers.json 
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1489 - Service Stop", + "reason": "Stopping GuardDuty monitoring is an example of halting a service, which can impact the overall security monitoring and incident response capabilities." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/UpdateDetector.json b/events/GuardDuty/UpdateDetector.json index 7017b10..4be5db6 100644 --- a/events/GuardDuty/UpdateDetector.json +++ b/events/GuardDuty/UpdateDetector.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker may update the GuardDuty detector to avoid detection by altering or hiding security logs and alarms" + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/GuardDuty/UpdateIPSet.json b/events/GuardDuty/UpdateIPSet.json index 57b3080..73064dd 100644 --- a/events/GuardDuty/UpdateIPSet.json +++ b/events/GuardDuty/UpdateIPSet.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070.004 - Indicator Removal", + "reason": "Modifying an IPSet can remove IPs that would otherwise generate security findings, thus evading detection." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/AddRoleToInstanceProfile.json b/events/IAM/AddRoleToInstanceProfile.json index 78899d5..940a01f 100644 --- a/events/IAM/AddRoleToInstanceProfile.json +++ b/events/IAM/AddRoleToInstanceProfile.json 
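Review bot: In the UpdateIPSet hunk the unverified entry `"technique": "T1070.004 - Indicator Removal"` pairs a sub-technique ID with the parent technique's name; every other `unverifiedMitreAttackTechniques` entry in this change uses a parent ID (`T1070 - Indicator Removal`), and sub-technique labels elsewhere use the `Parent: Sub-technique` form (`T1562.001 - Impair Defenses: Disable or Modify Tools`). T1070.004 is the File Deletion sub-technique in ATT&CK, which does not describe editing a GuardDuty trusted-IP list, so the parent is the better fit: `"technique": "T1070 - Indicator Removal",`. Separately, the UpdateDetector reason on this line is the only one in the change without a terminating period.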
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + "T1098.001 - Account Manipulation: Additional Cloud Credentials" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1068 - Exploitation for Privilege Escalation", + "reason": " - Exploitation for Privilege Escalation" + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/AddUserToGroup.json b/events/IAM/AddUserToGroup.json index 144fb7d..8b17fe6 100644 --- a/events/IAM/AddUserToGroup.json +++ b/events/IAM/AddUserToGroup.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Adding a user to a group with elevated permissions can allow the user to maintain access to the AWS environment with legitimate credentials." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/AttachGroupPolicy.json b/events/IAM/AttachGroupPolicy.json index 3b12bf9..aef7927 100644 --- a/events/IAM/AttachGroupPolicy.json +++ b/events/IAM/AttachGroupPolicy.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By attaching a policy to a group, an adversary can ensure that even if certain accounts are revoked, the group as a whole still retains the permissions." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/AttachRolePolicy.json b/events/IAM/AttachRolePolicy.json index 5bc264b..7cd7d80 100644 --- a/events/IAM/AttachRolePolicy.json +++ b/events/IAM/AttachRolePolicy.json 
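Review bot: The AddRoleToInstanceProfile hunk adds an unverified entry whose `reason` is `" - Exploitation for Privilege Escalation"` — a fragment of the technique name with a leading ` - `, not an explanation, so it reads as an unfilled template. Either write a sentence stating why attaching a role to an instance profile maps to T1068, or drop the entry until one exists; the field is what lets a reviewer later promote or reject the mapping, and an empty rationale defeats that. A validator that rejects `reason` values that start with whitespace or a dash, or that are shorter than a sentence, would catch this class of gap across the dataset.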
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Attaching policies with permissions that affect logging or monitoring tools can be used to evade detection by modifying the environment to reduce visibility." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/AttachUserPolicy.json b/events/IAM/AttachUserPolicy.json index 9545b3c..1a1b691 100644 --- a/events/IAM/AttachUserPolicy.json +++ b/events/IAM/AttachUserPolicy.json @@ -10,6 +10,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1556 - Modify Authentication Process", + "reason": "By attaching a policy, an adversary can alter the authentication process, potentially bypassing multi-factor authentication (MFA) or other security measures." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/ChangePassword.json b/events/IAM/ChangePassword.json index 056b1d7..0ca63ea 100644 --- a/events/IAM/ChangePassword.json +++ b/events/IAM/ChangePassword.json @@ -11,6 +11,23 @@ "T1136 - Create Account", "T1078 - Valid Accounts" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Changing the password of an IAM user can be used to maintain access to an account, thus manipulating account credentials." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Changing the password modifies the authentication process for the IAM user, which can be a method to evade detection." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "An attacker might change a password to lock out the legitimate user, removing their access." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
diff --git a/events/IAM/CreateAccessKey.json b/events/IAM/CreateAccessKey.json index c34700a..09cc727 100644 --- a/events/IAM/CreateAccessKey.json +++ b/events/IAM/CreateAccessKey.json @@ -11,6 +11,16 @@ "T1136 - Create Account", "T1078 - Valid Accounts" ], + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1136.003 - Create Account: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "New keys can be used for account manipulation activities, providing additional or unauthorized access." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/CreateGroup.json b/events/IAM/CreateGroup.json index 640dcd1..cdb8552 100644 --- a/events/IAM/CreateGroup.json +++ b/events/IAM/CreateGroup.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1036 - Masquerading", + "reason": "Creating a new group with a name similar to existing groups can help attackers blend in and avoid detection" + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/CreateLoginProfile.json b/events/IAM/CreateLoginProfile.json index 6247cc1..8a7e901 100644 --- a/events/IAM/CreateLoginProfile.json +++ b/events/IAM/CreateLoginProfile.json @@ -11,6 +11,16 @@ "T1098 - Account Manipulation", "T1078 - Valid Accounts" ], + "mitreAttackSubTechniques": [ + "T1078.004 - Valid Accounts: Cloud Accounts", + "T1078.001 - Valid Accounts: Local Accounts" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1556 - Modify Authentication Process", + "reason": "The CreateLoginProfile API call can be used to set a new password for an existing IAM user, effectively modifying the authentication process for that user." + } + ], "usedInWild": true, "incidents": [ { 
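Review bot: The CreateLoginProfile hunk labels an IAM-user console password as both `T1078.004 - Valid Accounts: Cloud Accounts` and `T1078.001 - Valid Accounts: Local Accounts`; in ATT&CK the Local Accounts sub-technique covers operating-system accounts, and an IAM user is a cloud account, so the second entry should be dropped. The CreateUser hunk further down has the same mismatch with `T1136.001 - Create Account: Local Account`, while the CreateAccessKey hunk on this line already uses `T1136.003 - Create Account: Cloud Account` for the same kind of principal — the three files should agree. Suggested change for CreateUser: `"T1136.003 - Create Account: Cloud Account"`.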
diff --git a/events/IAM/CreateOpenIDConnectProvider.json b/events/IAM/CreateOpenIDConnectProvider.json index b8b0c10..009f0de 100644 --- a/events/IAM/CreateOpenIDConnectProvider.json +++ b/events/IAM/CreateOpenIDConnectProvider.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1136 - Create Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Creating an OpenID Connect Provider can be used to generate valid credentials that can be exploited for persistent access" + }, + { + "technique": "T1136 - Create Account", + "reason": "Establishing new accounts or providers in the IAM can assist in maintaining access over time" + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Adjusting authentication settings to include a new provider can bypass certain security measures." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating and managing new accounts or providers can lead to manipulation of permissions and roles." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/CreatePolicyVersion.json b/events/IAM/CreatePolicyVersion.json index e80779b..6675bc0 100644 --- a/events/IAM/CreatePolicyVersion.json +++ b/events/IAM/CreatePolicyVersion.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "By altering IAM policies, attackers can remove access for legitimate users, ensuring only malicious actors maintain control." + }, + { + "technique": "T1489 - Service Stop", + "reason": "By altering permissions with a new policy version, an attacker could restrict or stop critical services within an AWS environment." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
diff --git a/events/IAM/CreateRole.json b/events/IAM/CreateRole.json index 5186319..82c5ab6 100644 --- a/events/IAM/CreateRole.json +++ b/events/IAM/CreateRole.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1136 - Create Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Attackers might create a new role to maintain access or elevate privileges within the environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/CreateSAMLProvider copy.json b/events/IAM/CreateSAMLProvider copy.json index 4b98793..8bc758b 100644 --- a/events/IAM/CreateSAMLProvider copy.json +++ b/events/IAM/CreateSAMLProvider copy.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1136 - Create Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": " Creating a SAML provider can lead to the creation and use of valid credentials, allowing the adversary to maintain persistence." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "The creation of a SAML provider involves the manipulation of account settings to allow federated authentication, which can be used by adversaries to maintain access and evade detection." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "The creation of a SAML provider could be used to modify the authentication process, allowing adversaries to authenticate as different users within the AWS environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/CreateSAMLProvider.json b/events/IAM/CreateSAMLProvider.json index b65ae08..3eca459 100644 --- a/events/IAM/CreateSAMLProvider.json +++ b/events/IAM/CreateSAMLProvider.json 
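Review bot: This change extends `events/IAM/CreateSAMLProvider copy.json`, a file whose name marks it as an accidental duplicate of `events/IAM/CreateSAMLProvider.json`; both describe the same API call, and their new `unverifiedMitreAttackTechniques` lists already differ (three entries here, two in the next hunk), so any consumer of the dataset now gets two conflicting records for one event. Delete the copy, or merge its entries into the canonical file, rather than keep maintaining it. Also, the T1078 reason in this hunk starts with a space (`" Creating a SAML provider ..."`); the DeleteUser hunk further down has the same leading space and a trailing one in its T1485 reason — both strings should be trimmed.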
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1136 - Create Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "By starting SSO, an adversary can manipulate IAM user accounts, adding or modifying permissions to maintain persistent access." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Use of valid SSO credentials can help adversaries gain access to various services and resources without raising alarms." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/CreateUser.json b/events/IAM/CreateUser.json index 592058f..a9ae886 100644 --- a/events/IAM/CreateUser.json +++ b/events/IAM/CreateUser.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1136 - Create Account" ], + "mitreAttackSubTechniques": [ + "T1136.001 - Create Account: Local Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Adversaries may create new IAM users to manipulate accounts for continuous access or privilege escalation." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DeactivateMFADevice.json b/events/IAM/DeactivateMFADevice.json index 9d4ceb6..3eaff1a 100644 --- a/events/IAM/DeactivateMFADevice.json +++ b/events/IAM/DeactivateMFADevice.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + "T1562.001 - Impair Defenses: Disable or Modify Tools" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1586 - Compromise Accounts", + "reason": "Deactivating MFA might be part of an account compromise if the attacker knows the password but has no access to the MFA. By disabling the MFA the attacker will be able to compromise the account." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/DeleteAccessKey.json b/events/IAM/DeleteAccessKey.json index 065b303..99bb622 100644 
--- a/events/IAM/DeleteAccessKey.json +++ b/events/IAM/DeleteAccessKey.json @@ -10,6 +10,15 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting the access key pair is a direct method to remove access credentials, which aligns with the technique of account access removal." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DeleteLoginProfile.json b/events/IAM/DeleteLoginProfile.json index 690d10e..dcc5c8c 100644 --- a/events/IAM/DeleteLoginProfile.json +++ b/events/IAM/DeleteLoginProfile.json @@ -10,6 +10,23 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "The deletion of a login profile is a form of account manipulation, altering the state of an IAM user account to possibly favor continued unauthorized access through other means like access keys or roles" + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "By deleting the login profile, an attacker can remove a user's ability to log in with a password, thus removing an access method that might be used for legitimate purposes or incident response, aiding in persistence and defense evasion." + }, + { + "technique": "T1556 - Modify Authentication Process", + "reason": "Removing the password of an IAM user modifies the way that user can authenticate, potentially replacing it with a method controlled by the attacker, facilitating unauthorized access while evading detection." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DeleteRolePermissionsBoundary.json b/events/IAM/DeleteRolePermissionsBoundary.json index eeffacf..b5d7266 100644 --- a/events/IAM/DeleteRolePermissionsBoundary.json 
+++ b/events/IAM/DeleteRolePermissionsBoundary.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Removing permissions boundaries can weaken the security posture by reducing the effectiveness of policies designed to limit role actions." + }, + { + "technique": "T1068 - Exploitation for Privilege Escalation", + "reason": "Removing permissions boundaries may be used as part of exploiting a misconfiguration to gain elevated privileges." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/DeleteRolePolicy.json b/events/IAM/DeleteRolePolicy.json index a8a8308..e4f0249 100644 --- a/events/IAM/DeleteRolePolicy.json +++ b/events/IAM/DeleteRolePolicy.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting inline policies from IAM roles can remove critical permissions, effectively locking out legitimate users or restricting their access. This action can hinder incident response and obscure the attacker's presence in the environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By deleting IAM role policies, an attacker could impair security tools that rely on those policies for correct operation, effectively reducing the efficacy of security defenses." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/DeleteUser.json b/events/IAM/DeleteUser.json index 50d5ba6..709ea1c 100644 --- a/events/IAM/DeleteUser.json +++ b/events/IAM/DeleteUser.json 
@@ -10,6 +10,19 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting a user account immediately revokes all permissions and access rights associated with that IAM user, disrupting access to critical resources. This action can prevent legitimate users from performing essential tasks, effectively halting operations and response efforts." + }, + { + "technique": "T1485 - Data Destruction", + "reason": " The deletion of an IAM user can be part of a deliberate attempt to destroy data or disrupt normal operations. Users often have associated data, policies, and access controls that, when removed, can result in data loss or corruption. " + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DeleteUserPermissionsBoundary.json b/events/IAM/DeleteUserPermissionsBoundary.json index 0ff2dad..66c8f10 100644 --- a/events/IAM/DeleteUserPermissionsBoundary.json +++ b/events/IAM/DeleteUserPermissionsBoundary.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Compromised cloud accounts can be manipulated by deleting permissions boundaries, giving adversaries increased permissions to execute further malicious activities." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Deleting the permissions boundary could be part of a broader strategy to disable or modify security tools or settings to avoid detection." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/DeleteUserPolicy.json b/events/IAM/DeleteUserPolicy.json index 6239d52..0e02e3b 100644 --- a/events/IAM/DeleteUserPolicy.json +++ b/events/IAM/DeleteUserPolicy.json 
@@ -11,6 +11,19 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Removing a policy from an IAM user could be a step to disable access for an account, which aligns with tactics for impact." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Removing policies can help adversaries to evade detection and persist in the environment by modifying account permissions." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DetachRolePolicy.json b/events/IAM/DetachRolePolicy.json index 151d806..51547c8 100644 --- a/events/IAM/DetachRolePolicy.json +++ b/events/IAM/DetachRolePolicy.json @@ -11,6 +11,27 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By detaching policies from roles, attackers can invalidate certain permissions, reducing the risk of detection while using compromised accounts." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "By detaching policies, attackers can remove access permissions, disrupting legitimate user operations and evading detection." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Removing policies can be part of a strategy to clean up indicators of malicious activity on the account, aiding in defense evasion." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Detaching policies may impair security configurations, reducing the ability of the environment to detect or prevent further malicious activities." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/DetachUserPolicy.json b/events/IAM/DetachUserPolicy.json index c1edddd..761fe6f 100644 --- a/events/IAM/DetachUserPolicy.json 
+++ b/events/IAM/DetachUserPolicy.json @@ -11,6 +11,23 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Detaching a policy can be used as a way to remove or limit access to critical accounts, impacting operational capabilities." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Security controls relying on certain policies may be disabled or impaired when those policies are detached." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By removing critical policies, the attacker can cause a denial of service for endpoints relying on those permissions to function properly." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/GetAccountAuthorizationDetails.json b/events/IAM/GetAccountAuthorizationDetails.json index 159853c..2fb8367 100644 --- a/events/IAM/GetAccountAuthorizationDetails.json +++ b/events/IAM/GetAccountAuthorizationDetails.json 
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "By retrieving information on IAM groups and their policies, attackers can understand the permissions associated with each group. This information is useful for identifying which groups have elevated privileges." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "If an adversary gains access to this information, they can identify valid accounts within the AWS environment, aiding in furthering access or compromising specific accounts." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "By gathering detailed information on IAM roles and policies, attackers can map out the cloud infrastructure, understand the hierarchy and relationships between resources, and identify potential weaknesses or entry points." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/IAM/GetLoginProfile.json b/events/IAM/GetLoginProfile.json index 656e5c6..a87e622 100644 --- a/events/IAM/GetLoginProfile.json +++ b/events/IAM/GetLoginProfile.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Retrieving IAM user details can help attackers understand the structure and users within the cloud infrastructure." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/IAM/GetUser.json b/events/IAM/GetUser.json index 30ed124..0dddcab 100644 --- a/events/IAM/GetUser.json +++ b/events/IAM/GetUser.json 
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListAccessKeys.json b/events/IAM/ListAccessKeys.json
index 16a1bf0..618009f 100644
--- a/events/IAM/ListAccessKeys.json
+++ b/events/IAM/ListAccessKeys.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1589 - Gather Victim Identity Information",
+ "reason": "Access key information can reveal details about the IAM user's identity, such as their role and permissions, which can be valuable for planning further attacks."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "By listing access keys, attackers can identify existing cloud infrastructure accounts and keys, revealing how the cloud environment is structured."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListAttachedRolePolicies.json b/events/IAM/ListAttachedRolePolicies.json
index 7263e9c..d897e20 100644
--- a/events/IAM/ListAttachedRolePolicies.json
+++ b/events/IAM/ListAttachedRolePolicies.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "By listing attached role policies, attackers can understand the permissions associated with specific roles, which is essential for discovering permission groups within a cloud environment."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "Listing attached role policies reveals the configuration and permissions of cloud services tied to specific roles. This information helps attackers map out the cloud environment and identify potential targets for further exploitation."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListGroups.json b/events/IAM/ListGroups.json
index 532e6b6..63a6d1d 100644
--- a/events/IAM/ListGroups.json
+++ b/events/IAM/ListGroups.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Listing IAM groups helps identify the permission groups within an AWS environment, which is crucial for understanding the access levels and privileges assigned to different users."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListGroupsForUser.json b/events/IAM/ListGroupsForUser.json
index ccd9029..b61aa50 100644
--- a/events/IAM/ListGroupsForUser.json
+++ b/events/IAM/ListGroupsForUser.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1069 - Permission Group Discovery",
+ "reason": "By listing the groups for a user, adversaries can identify the permissions associated with different IAM groups and plan further actions based on the discovered roles and policies."
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "Information about user groups can be utilized by adversaries to infer the types of processes and operations a user can perform, aiding in planning subsequent steps of an attack."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListInstanceProfiles.json b/events/IAM/ListInstanceProfiles.json
index 303a2e0..a8abb88 100644
--- a/events/IAM/ListInstanceProfiles.json
+++ b/events/IAM/ListInstanceProfiles.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "The ListInstanceProfiles API call provides details about instance profiles and their associated IAM roles, helping an attacker map out the cloud infrastructure. Understanding the roles in use aids in identifying potential targets for further exploitation or privilege escalation."
+ },
+ {
+ "technique": "T1589 - Gather Victim Identity Information",
+ "reason": "The API call can help gather information about the identities and roles within the AWS environment, which could be used for further attacks or social engineering."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListOpenIDConnectProviders.json b/events/IAM/ListOpenIDConnectProviders.json
index a756c31..bf5fcd4 100644
--- a/events/IAM/ListOpenIDConnectProviders.json
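Review bot: The label `T1069 - Permission Group Discovery` in ListGroupsForUser differs from `T1069 - Permission Groups Discovery` used for the same ID in GetAccountAuthorizationDetails, ListAttachedRolePolicies, ListGroups, ListRoles and SimulatePrincipalPolicy in this commit; anything that groups or filters on the label string will treat it as a separate technique. Use the plural form here. Separately, `T1057 - Process Discovery` (also added to ListRolePolicies on L1514 and ListUsers on L1517) is a host-level process-enumeration technique, and none of the three reason strings ties it to anything these IAM list calls return, so it is unclear what a detection built on that mapping would look for.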
+++ b/events/IAM/ListOpenIDConnectProviders.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "Identifying OIDC providers gives attackers insights into the cloud infrastructure, revealing the different third-party services and platforms integrated with the AWS environment."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Listing OIDC providers provides details about the system's authentication setup, contributing to the overall system information an attacker can gather."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListRolePolicies.json b/events/IAM/ListRolePolicies.json
index 01a93ca..d2960ba 100644
--- a/events/IAM/ListRolePolicies.json
+++ b/events/IAM/ListRolePolicies.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1484 - Domain Policy Discovery",
+ "reason": "Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment."
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListRoles.json b/events/IAM/ListRoles.json
index 69f2902..4a1ee14 100644
--- a/events/IAM/ListRoles.json
+++ b/events/IAM/ListRoles.json
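Review bot: `T1484 - Domain Policy Discovery` in ListRolePolicies pairs an ID with a name that does not belong to it: as far as I know T1484 is Domain Policy Modification, a defense-evasion/privilege-escalation technique, and there is no "Domain Policy Discovery" technique in the matrix — please verify against the current ATT&CK release before merging. The reason text is about discovery, so the fix is likely a different technique rather than a rename; since ListRolePolicies only returns inline policy names, `T1069 - Permission Groups Discovery`, already used for the neighbouring IAM entries in this commit, looks like the closer fit.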
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Discovering IAM roles helps adversaries understand their permissions and group memberships, enabling them to identify roles with excessive privileges that can be misused for unauthorized activities."
+ },
+ {
+ "technique": "T1518 - Software Discovery",
+ "reason": "Listing IAM roles can reveal roles associated with various software applications, including security, administrative, and operational tools."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListSAMLProviders.json b/events/IAM/ListSAMLProviders.json
index 99be2cf..e8b11da 100644
--- a/events/IAM/ListSAMLProviders.json
+++ b/events/IAM/ListSAMLProviders.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "Listing SAML providers can help attackers map out the cloud infrastructure and understand how identity federation is being handled within the account."
+ },
+ {
+ "technique": "T1592 - Gather Victim Host Information",
+ "reason": "Identifying SAML providers can reveal details about the host environment and configurations, which may be used to further map the attack surface."
+ },
+ {
+ "technique": "T1589 - Gather Victim Identity Information",
+ "reason": "Listing SAML providers can help attackers collect information about identities and roles within the target environment, aiding in crafting more targeted attacks"
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListSSHPublicKeys.json b/events/IAM/ListSSHPublicKeys.json
index 60117bb..ce6e04e 100644
--- a/events/IAM/ListSSHPublicKeys.json
+++ b/events/IAM/ListSSHPublicKeys.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078. - Valid Accounts",
+ "reason": "If attackers can associate public keys with user accounts, they might leverage this information to attempt to use stolen or weak credentials elsewhere."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListServiceSpecificCredentials.json b/events/IAM/ListServiceSpecificCredentials.json
index b204148..69bb8ba 100644
--- a/events/IAM/ListServiceSpecificCredentials.json
+++ b/events/IAM/ListServiceSpecificCredentials.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "Adversaries may enumerate cloud infrastructure to understand the environment better, and listing service-specific credentials provides information about the associated IAM users"
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListSigningCertificates.json b/events/IAM/ListSigningCertificates.json
index c520092..a67f153 100644
--- a/events/IAM/ListSigningCertificates.json
+++ b/events/IAM/ListSigningCertificates.json
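Review bot: `T1078. - Valid Accounts` in ListSSHPublicKeys has a stray period after the ID; UpdateAccessKey has the same slip with `T1070. - Indicator Removal` (the last hunk on L1521). Every other entry follows `Tnnnn - Name`, so anything that splits on ` - ` or matches the ID prefix will mis-key these two; use `T1078 - Valid Accounts` and `T1070 - Indicator Removal`. A few reasons also lack the closing period the rest have (ListSAMLProviders T1589 on L1515, ListServiceSpecificCredentials here, UpdateAssumeRolePolicy T1036 on L1522) — cosmetic, but worth one pass.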
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "Identifying signing certificates shows which users have configured alternate authentication mechanisms, revealing potential entry points that do not rely on passwords."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "Gaining information about signing certificates aids in mapping the IAM infrastructure, helping to understand the authentication methods and structure of the cloud environment."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "Listing signing certificates assists in discovering the primary users and owners of the accounts, which aids in planning targeted attacks."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/ListUsers.json b/events/IAM/ListUsers.json
index 2384fbc..3d17295 100644
--- a/events/IAM/ListUsers.json
+++ b/events/IAM/ListUsers.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. Knowledge of valid accounts can help in attempts to compromise or leverage these accounts."
+ },
+ {
+ "technique": "T1057 - Process Discovery",
+ "reason": "Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/PutGroupPolicy.json b/events/IAM/PutGroupPolicy.json
index 6021ddc..9d0d4d5 100644
--- a/events/IAM/PutGroupPolicy.json
+++ b/events/IAM/PutGroupPolicy.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Inline policies can be altered to disable or impair security features such as monitoring and alerting."
+ },
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "Inline policies can be modified to change authentication processes, making it easier to bypass existing security controls."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/PutRolePermissionsBoundary.json b/events/IAM/PutRolePermissionsBoundary.json
index e1b5a18..5635744 100644
--- a/events/IAM/PutRolePermissionsBoundary.json
+++ b/events/IAM/PutRolePermissionsBoundary.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1212 - Exploitation for Privilege Escalation",
+ "reason": "Modifying permissions boundaries can be used to elevate the privileges of the role, enabling actions that would otherwise be restricted."
+ },
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "By altering the permissions boundary, attackers can change the authentication process for the role to grant themselves higher privileges."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/PutRolePolicy.json b/events/IAM/PutRolePolicy.json
index 5ee102e..ad4bb3b 100644
--- a/events/IAM/PutRolePolicy.json
+++ b/events/IAM/PutRolePolicy.json
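Review bot: `T1212 - Exploitation for Privilege Escalation` in PutRolePermissionsBoundary pairs the wrong ID with that name: T1212 is Exploitation for Credential Access, and PutUserPolicy in this same commit (L1520) uses `T1068 - Exploitation for Privilege Escalation` for the identical name. Change it to `"technique": "T1068 - Exploitation for Privilege Escalation",` so the two entries agree. Note also that both T1068 and T1212 describe exploiting a software vulnerability, whereas relaxing a permissions boundary is an abuse of legitimate IAM permissions; the verified `T1098 - Account Manipulation` already covers that, so the privilege-escalation entry may not add much.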
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Modifying IAM role policies can be used to restrict or remove access to certain users or roles, aiding in defense evasion."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/PutUserPermissionsBoundary.json b/events/IAM/PutUserPermissionsBoundary.json
index 5901a1b..d4c140a 100644
--- a/events/IAM/PutUserPermissionsBoundary.json
+++ b/events/IAM/PutUserPermissionsBoundary.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Setting a permissions boundary might be part of a strategy to later remove access to certain resources or actions, effectively controlling or limiting account capabilities."
+ },
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "Attackers may modify permissions boundaries to ensure their access is maintained across cloud accounts, preventing account lockout or access removal."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Changing the permissions boundary might be used to impact security settings or access, impairing the effectiveness of security tools and preventing detection or response to malicious activity."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/PutUserPolicy.json b/events/IAM/PutUserPolicy.json
index 31da19d..897d6e4 100644
--- a/events/IAM/PutUserPolicy.json
+++ b/events/IAM/PutUserPolicy.json
@@ -10,6 +10,27 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "By embedding policies that allow for disabling or bypassing security controls, adversaries can impair defense mechanisms."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Adversaries may use PutUserPolicy to remove access rights for legitimate users, causing disruption."
+ },
+ {
+ "technique": "T1068 - Exploitation for Privilege Escalation",
+ "reason": "If an adversary can modify policies to grant administrative privileges, they effectively escalate their privileges."
+ },
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "Inline policies can be changed to weaken authentication requirements, making it easier for adversaries to access the account."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/SetDefaultPolicyVersion.json b/events/IAM/SetDefaultPolicyVersion.json
index c52c3b5..111ee6a 100644
--- a/events/IAM/SetDefaultPolicyVersion.json
+++ b/events/IAM/SetDefaultPolicyVersion.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Modifying the policy's default version can be used to evade detection by setting the policy version that was in place before the attack."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Attackers can use this API call to update policies in a way that prevents legitimate users from accessing resources, ensuring continued control over the compromised environment."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/SimulatePrincipalPolicy.json b/events/IAM/SimulatePrincipalPolicy.json
index 45dc77d..ede713f 100644
--- a/events/IAM/SimulatePrincipalPolicy.json
+++ b/events/IAM/SimulatePrincipalPolicy.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": " Using this API, attackers can determine the permissions associated with specific IAM roles or users, aiding in privilege escalation planning."
+ },
+ {
+ "technique": "T1615 - Group Policy Discovery",
+ "reason": "By simulating principal policies, attackers can identify the group policies and their impact on IAM roles and entities."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/UpdateAccessKey.json b/events/IAM/UpdateAccessKey.json
index fd40cc1..c0500fc 100644
--- a/events/IAM/UpdateAccessKey.json
+++ b/events/IAM/UpdateAccessKey.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070. - Indicator Removal",
+ "reason": "Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Temporarily deactivating keys to remove access can help adversaries evade detection while they perform malicious activities."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/UpdateAssumeRolePolicy.json b/events/IAM/UpdateAssumeRolePolicy.json
index c577532..4247e89 100644
--- a/events/IAM/UpdateAssumeRolePolicy.json
+++ b/events/IAM/UpdateAssumeRolePolicy.json
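Review bot: The T1069 reason in SimulatePrincipalPolicy starts with a leading space (`" Using this API, ...`), and CreateFunction20150331's T1070 reason on L1528 (`" By using Lambda, ...`) has the same problem; trim both so rendered text and string comparisons match the other entries. `T1615 - Group Policy Discovery` is the Windows Group Policy Object technique, while SimulatePrincipalPolicy evaluates IAM policies; the `T1069 - Permission Groups Discovery` entry already covers what that reason describes, so T1615 reads as a false friend and I'd drop it.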
@@ -10,6 +10,19 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Updating the assume role policy can allow attackers to use valid IAM roles to maintain access."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate"
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/IAM/UpdateLoginProfile.json b/events/IAM/UpdateLoginProfile.json
index 205ba40..7dae92b 100644
--- a/events/IAM/UpdateLoginProfile.json
+++ b/events/IAM/UpdateLoginProfile.json
@@ -10,6 +10,23 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Changing an IAM user's password allows an attacker to maintain access using a legitimate account."
+ },
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "Changing the password directly impacts the authentication process, potentially locking out legitimate users and ensuring only the attacker has access."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Changing the password of an IAM user can also serve as a means to remove legitimate account access for the rightful user, ensuring only the attacker can access the account."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/IAM/UpdateSAMLProvider.json b/events/IAM/UpdateSAMLProvider.json
index ea535b2..d6491ac 100644
--- a/events/IAM/UpdateSAMLProvider.json
+++ b/events/IAM/UpdateSAMLProvider.json
@@ -10,6 +10,23 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1556 - Modify Authentication Process",
+ "reason": "The UpdateSAMLProvider API call allows changing the SAML metadata document, directly affecting how AWS handles authentication through SAML assertions. This can enable an attacker to alter authentication mechanisms or potentially introduce unauthorized access methods."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "By changing the SAML metadata document, an attacker could gain access to valid accounts. The new or altered assertions in the SAML metadata can be used to authenticate as legitimate AWS users or roles."
+ },
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "Altering the SAML metadata document provides an opportunity to use different authentication material. An attacker could insert alternate cryptographic keys or certificates into the SAML assertions, allowing them to authenticate to AWS resources as a trusted user or entity."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/KMS/Encrypt.json b/events/KMS/Encrypt.json
index 81a9587..05c3a5f 100644
--- a/events/KMS/Encrypt.json
+++ b/events/KMS/Encrypt.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1486 - Data Encrypted for Impact"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1560 - Archive Collected Data",
+ "reason": "Encrypting data before exfiltration can help to evade detection and bypass certain security controls, however this would be quite noisy."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "Encrypting information can make it harder for security tools to analyze the content of the data, aiding in evasion. This could be used for things like other keys to avoid suspicion."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/KMS/GenerateDataKeyWithoutPlaintext.json b/events/KMS/GenerateDataKeyWithoutPlaintext.json
index 6b41175..c1d4882 100644
--- a/events/KMS/GenerateDataKeyWithoutPlaintext.json
+++ b/events/KMS/GenerateDataKeyWithoutPlaintext.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1486 - Data Encrypted for Impact"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "The symmetric data key can be used to encrypt or delete critical data, rendering it useless and causing operational disruptions."
+ },
+ {
+ "technique": "T1560 - Archive Collected Data",
+ "reason": "The data key can facilitate the encryption of collected data before exfiltration to avoid detection."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/KMS/ScheduleKeyDeletion.json b/events/KMS/ScheduleKeyDeletion.json
index 1e568c1..39d6310 100644
--- a/events/KMS/ScheduleKeyDeletion.json
+++ b/events/KMS/ScheduleKeyDeletion.json
@@ -9,6 +9,31 @@
 "mitreAttackTechniques": [
 "T1485 - Data Destruction"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1561 - Disk Wipe",
+ "reason": "By scheduling the deletion of a KMS key, the adversary could render encrypted data useless, effectively wiping the disk content indirectly."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting a KMS key can disrupt the availability of data, causing a denial of service on the applications relying on the encrypted data."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The scheduling of a key deletion might involve manipulating existing KMS permissions or roles to gain the necessary rights to perform the action."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Deleting a KMS key can impair security defenses by making logs or other critical data inaccessible if they are encrypted with the deleted key."
+ },
+ {
+ "technique": "T1486 - Data Encrypted for Impact",
+ "reason": "By deleting the encryption key, the adversary ensures that the encrypted data is rendered unusable, impacting the integrity and availability of the data."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/Lambda/AddPermission20150331v2.json b/events/Lambda/AddPermission20150331v2.json
index feb6f4d..e4b4a96 100644
--- a/events/Lambda/AddPermission20150331v2.json
+++ b/events/Lambda/AddPermission20150331v2.json
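Review bot: The T1561, T1562 and T1486 reasons in ScheduleKeyDeletion describe the key as already deleted, but this call only places the key in a pending-deletion state with a mandatory waiting period: cryptographic use stops immediately, yet the key remains recoverable with CancelKeyDeletion until the period elapses. That window is precisely why this event is worth alerting on, so at least one reason should say so, e.g. `"reason": "Scheduling deletion makes the key unusable at once and permanent after the waiting period; data encrypted under it is recoverable only if the deletion is cancelled before then."`. The T1098 reason describes a permission change that would have to happen before this call, not the call itself, so it does not support that mapping.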
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The AddPermission API call can be used to alter permissions, effectively manipulating accounts to maintain access or escalate privileges."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "Permissions granted via AddPermission could enable an attacker to set up functions that act as proxies, helping to evade defenses."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Attackers could use the AddPermission call to discover additional accounts that have access to specific Lambda functions, aiding in lateral movement."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "Permissions can be used to manipulate Lambda functions to communicate over various application layer protocols, aiding in command and control."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/Lambda/CreateEventSourceMapping20150331.json b/events/Lambda/CreateEventSourceMapping20150331.json
index f29e73b..2127cad 100644
--- a/events/Lambda/CreateEventSourceMapping20150331.json
+++ b/events/Lambda/CreateEventSourceMapping20150331.json
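Review bot: `T1098 - Account Manipulation` is added to `unverifiedMitreAttackTechniques` in AddPermission20150331v2 although it is already the verified technique three lines above; CreateEventSourceMapping20150331 (L1527) repeats the same duplication. If the unverified list is meant to hold candidates not yet in `mitreAttackTechniques`, a consumer that merges the two lists will double-count, so drop the duplicate entry in both files. The T1087 reason is also off: AddPermission writes a resource-policy statement, it does not enumerate which principals already have access, so a discovery mapping belongs on a read call rather than here.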
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1098 - Account Manipulation"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "The Lambda function might execute code based on the event source data, potentially running JavaScript if included in the payload."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "Lambda functions can communicate over web protocols, enabling command and control through event source triggers."
+ },
+ {
+ "technique": "T1546 - Event Triggered Execution",
+ "reason": "Event source mappings can be used to trigger Lambda functions, executing code in response to specific events or data."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Modifying the event source mappings can change the behavior of Lambda functions, possibly to escalate privileges or persist in the environment."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/Lambda/CreateFunction20150331.json b/events/Lambda/CreateFunction20150331.json
index a41071b..131849d 100644
--- a/events/Lambda/CreateFunction20150331.json
+++ b/events/Lambda/CreateFunction20150331.json
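Review bot: The T1059 reason in CreateEventSourceMapping20150331 singles out JavaScript (`potentially running JavaScript if included in the payload`), but an event source mapping only connects a stream or queue to a function; what executes is the function's handler in whatever runtime it was created with, and delivered records are data unless the handler chooses to evaluate them. CreateFunction20150331 (L1528) has the same JavaScript-specific wording for T1059. Something like `"reason": "The mapped function executes its handler code in its configured runtime for every delivered record, so the mapping controls when attacker-supplied code runs."` keeps the mapping without the unsupported claim.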
@@ -12,6 +12,35 @@
 "T1098 - Account Manipulation",
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1059 - Command and Scripting Interpreter",
+ "reason": "The Lambda function can be configured to execute JavaScript code, enabling attackers to run malicious scripts."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": " By using Lambda, attackers can delete logs or files to evade detection."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Attackers might create Lambda functions designed to disable security monitoring tools or alerts."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "Lambda functions can communicate over standard web protocols, enabling Command and Control communication that blends with regular traffic."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "If attackers use code-signing configurations and different deployment packaging (e.g., obfuscated container images or encrypted .zip archives), it can help evade detection by concealing the true nature of the function code."
+ },
+ {
+ "technique": "T1053 - Scheduled Task/Job",
+ "reason": "Attackers might schedule Lambda functions to execute at specific intervals, providing a means of persistence or delayed execution."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Lambda/Invoke.json b/events/Lambda/Invoke.json
index b0148d9..abc6f92 100644
--- a/events/Lambda/Invoke.json
+++ b/events/Lambda/Invoke.json
@@ -10,6 +10,47 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Lambda functions can be used to execute scripts and commands, allowing attackers to run arbitrary code within the AWS environment." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The Invoke API call can be used to establish communication channels over various application layer protocols for command and control purposes." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers can invoke Lambda functions under the guise of legitimate requests to evade detection." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "An attacker can use Lambda functions to download or transfer malicious tools into the environment." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Lambda functions can be used to stage data for exfiltration, storing collected information temporarily." + }, + { + "technique": "T1219 - Remote Access Software", + "reason": "Attackers can use Lambda functions as a form of remote access to maintain control over compromised systems." + }, + { + "technique": "T1190 - Exploit Public-Facing Application", + "reason": "If the Lambda function is triggered via a public-facing API endpoint, it could be exploited to gain unauthorized access. Attackers may abuse vulnerable API configurations or input validation flaws to invoke the function, thus compromising the environment." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Lambda functions can be scheduled to execute tasks periodically, allowing persistent execution of malicious code." 
+ }, + { + "technique": "T1648 - Serverless Execution", + "reason": "By invoking a Lambda function, an attacker can leverage the serverless environment to run malicious code, perform lateral movement, or conduct other post-exploitation activities while taking advantage of the scalability and ephemeral nature of serverless computing to evade detection and persist within the environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Lambda/UpdateEventSourceMapping20150331.json b/events/Lambda/UpdateEventSourceMapping20150331.json index e83a76a..4b71fa2 100644 --- a/events/Lambda/UpdateEventSourceMapping20150331.json +++ b/events/Lambda/UpdateEventSourceMapping20150331.json 
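Review bot: The `T1219 - Remote Access Software` entry is a poor fit: that technique covers legitimate third-party remote-administration tools, and the reason given ("use Lambda functions as a form of remote access") is already expressed by the `T1648 - Serverless Execution` entry at the end of the same list, so one of the two should go. The `T1190 - Exploit Public-Facing Application` reason hinges on a public endpoint fronting the function, which is a property of the function's trigger rather than of the Invoke call; the entry would be clearer if it named that condition as the prerequisite. A note that CloudTrail records `Invoke` only as a data event, which has to be enabled explicitly, would also help anyone building a detection on this entry, since by default the event will simply not be present.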
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "Changing the event source mapping can be used to invoke a function via HTTP/S requests, which aligns with utilizing web protocols for execution." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "Adversaries can use this API call to set up or alter scheduled tasks or jobs, such as Lambda functions, to achieve persistence by ensuring repeated or delayed execution." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Adversaries can pause the invocation of a Lambda function to impair or disable security tools or monitoring functions, thereby evading detection or preventing logging." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Adversaries can obfuscate their actions by frequently changing the event source mapping, making it harder to trace the function invocations." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Changing the event source mapping can also be used to manipulate which account or function is invoked, potentially changing the permissions context." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Updating the event source mapping involves modifying the cloud infrastructure to change how functions are executed, which is a form of altering cloud resources for persistence or evasion." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Lambda/UpdateFunctionCode20150331v2.json b/events/Lambda/UpdateFunctionCode20150331v2.json index f8cc266..7f416ad 100644 --- a/events/Lambda/UpdateFunctionCode20150331v2.json +++ b/events/Lambda/UpdateFunctionCode20150331v2.json 
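Review bot: The `T1027 - Obfuscated Files or Information` reason ("frequently changing the event source mapping, making it harder to trace the function invocations") describes evasion through configuration churn, not obfuscated files or information, so the mapping is unlikely to survive verification and should be dropped or re-pointed. The `T1562 - Impair Defenses` entry is the strongest one here but does not say what makes it observable: an update that disables a mapping feeding a security-relevant function is the case worth calling out, so a hint such as "look for updates that disable the mapping of a function used for monitoring" in the reason would make it actionable. The enclosing event object continues outside the hunk.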
@@ -13,6 +13,35 @@ "T1496 - Resource Hijacking", "T1119 - Automated Collection" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Adversaries can use AWS Lambda to execute commands or scripts by updating the function code to include the desired commands or scripts." + }, + { + "technique": "T1648 - Serverless Execution", + "reason": "Attackers may maintain persistence in a target environment by continually updating Lambda function code in serverless environments." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Staging data in cloud storage services can be facilitated by updating the Lambda function code to interact with these storage resources." + }, + { + "technique": "T1560 - Archive Collected Data", + "reason": "Updating Lambda function code to access metadata services enables the function to collect and archive data." + }, + { + "technique": "T1578 - Modify Cloud Compute Infrastructure", + "reason": "Attackers can modify cloud compute infrastructure to execute malicious activities by updating the Lambda function." + }, + { + "technique": "T1056 - Input Capture", + "reason": "By updating the Lambda function code to capture inputs, such as keystrokes or API inputs, adversaries can collect sensitive information." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Lambda/UpdateFunctionConfiguration20150331v2.json b/events/Lambda/UpdateFunctionConfiguration20150331v2.json index 9ab4ccf..fcfbc8d 100644 --- a/events/Lambda/UpdateFunctionConfiguration20150331v2.json +++ b/events/Lambda/UpdateFunctionConfiguration20150331v2.json 
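Review bot: Two of the new reasons do not support the techniques they are attached to: the `T1056 - Input Capture` reason cites "keystrokes", which have no analogue in a Lambda runtime, and the `T1560 - Archive Collected Data` reason talks about "access metadata services" without mentioning compression or archiving at all. Both entries would be better removed, or rewritten to describe what replacing the function's code actually allows: the new code runs with the function's existing execution role, so whatever that role can reach becomes collectable, which the verified `T1119 - Automated Collection` on the context line already captures.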
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1098 - Account Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "Modifying Lambda function configurations allows execution of scripts or commands in the runtime environment." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers might modify configurations like logging settings or environment variables to prevent detection efforts." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/LightSail/CreateInstances.json b/events/LightSail/CreateInstances.json index 34cd780..3bffd23 100644 --- a/events/LightSail/CreateInstances.json +++ b/events/LightSail/CreateInstances.json @@ -11,6 +11,31 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "CreateInstances can be used by adversaries to acquire infrastructure for future operations by provisioning new instances." + }, + { + "technique": "T1090 - Proxy", + "reason": "Instances could act as proxies to route malicious traffic and hide the true source of the attack." + }, + { + "technique": "T1102 - Web Services", + "reason": "Instances may be used to communicate with web services to facilitate command and control or data exfiltration." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Instances may be named or configured to masquerade as legitimate services or systems." + }, + { + "technique": "T1074 - Data Staged", + "reason": "Instances can be used to stage data before exfiltration, serving as temporary storage points." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/LightSail/GetInstances.json b/events/LightSail/GetInstances.json index 8655567..5b8e007 100644 --- a/events/LightSail/GetInstances.json 
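Review bot: The `T1562 - Impair Defenses` reason names "logging settings or environment variables" but leaves out the change most worth watching for this event: UpdateFunctionConfiguration can replace the function's execution role, which changes the permissions every subsequent invocation runs with. Extending the reason to `"... configurations like logging settings, environment variables, or the execution role ..."` would make that explicit, and it is the detail a detection on this event should key on. The enclosing event object continues outside the hunk.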
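Review bot: `T1583 - Acquire Infrastructure` is a Resource Development technique that describes infrastructure the adversary obtains for themselves before an operation; creating instances inside a victim's Lightsail account is already covered by the verified `T1578 - Modify Cloud Compute Infrastructure` and `T1496 - Resource Hijacking` on the context line of the CreateInstances.json hunk, so the entry adds little. The `T1090 - Proxy` and `T1102 - Web Services` reasons likewise describe what an instance could later be used for rather than anything CreateInstances itself reveals; if they stay, the reasons should say that the instance's subsequent traffic, not this API call, is where that activity would be observed.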
+++ b/events/LightSail/GetInstances.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "Using GetInstances, attackers can retrieve detailed information about the instances, such as instance IDs, names, and states, providing insight into the system's configuration." + }, + { + "technique": "T1057 - Process Discovery", + "reason": "Although indirect, details about instances can hint at the types of processes and services running within those instances." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Instance metadata often includes user or owner information, which can be used to identify who is responsible for the instances." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/LightSail/GetRegions.json b/events/LightSail/GetRegions.json index d9e467c..d90fc97 100644 --- a/events/LightSail/GetRegions.json +++ b/events/LightSail/GetRegions.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetRegions API call can provide information about the geographical distribution of LightSail resources, which is useful for understanding the environment." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/Organizations/DescribeOrganization.json b/events/Organizations/DescribeOrganization.json index 1100968..98ae1a0 100644 --- a/events/Organizations/DescribeOrganization.json +++ b/events/Organizations/DescribeOrganization.json 
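Review bot: The `T1057 - Process Discovery` entry on GetInstances is undermined by its own reason ("Although indirect"), and the `T1082 - System Information Discovery` entry on GetRegions is justified only as "useful for understanding the environment", which is already what the verified `T1580 - Cloud Infrastructure Discovery` on both context lines says. Entries whose reason cannot state a concrete link to the technique are noise for anyone triaging these mappings, so I would drop these two rather than leave them in the unverified list.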
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "DescribeOrganization can be used to discover details about accounts within the organization, including account IDs and email addresses." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Information gathered can assist in identifying valid accounts within the organization, aiding further actions that require valid credentials." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Organizations/InviteAccountToOrganization copy.json b/events/Organizations/InviteAccountToOrganization copy.json index 3e66a30..4beeab2 100644 --- a/events/Organizations/InviteAccountToOrganization copy.json +++ b/events/Organizations/InviteAccountToOrganization copy.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1535 - Unused/Unsupported Cloud Regions" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By creating a new AWS account within the organization, attackers can obtain valid cloud credentials for future access and operations." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating a new account can be used to manipulate and manage user accounts, potentially hiding malicious activities under a legitimate-looking account." + }, + { + "technique": "T1136 - Create Account", + "reason": "Creating a new account can establish persistence, allowing an attacker to maintain access even if the initially compromised account is detected and removed." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Attackers can use the new account to disable or modify security tools and configurations within the cloud environment to avoid detection." + } + ], "usedInWild": true, "incidents": [ { 
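Review bot: `events/Organizations/InviteAccountToOrganization copy.json` looks like a stray duplicate (the ` copy` suffix), and the entries added to it describe creating an account ("By creating a new AWS account within the organization", `T1136 - Create Account`) rather than inviting an existing one, which reads like content intended for a CreateAccount entry. If the file is an accidental copy it should be removed instead of extended; if it is intentional, it needs a name that the loader and any downstream tooling will treat consistently with the other event files. Either way the `T1136` entry does not fit InviteAccountToOrganization, whose effect is a handshake with an account that already exists.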
diff --git a/events/Organizations/InviteAccountToOrganization.json b/events/Organizations/InviteAccountToOrganization.json index a1f1de2..a52caa5 100644 --- a/events/Organizations/InviteAccountToOrganization.json +++ b/events/Organizations/InviteAccountToOrganization.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1535 - Unused/Unsupported Cloud Regions" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "Adding accounts to the organization can be used to manipulate account permissions and roles for persistence or escalation of privileges." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By adding new accounts, an attacker might impair the existing security defenses, such as monitoring and logging configurations, by creating noise or adding trusted accounts." + }, + { + "technique": "T1199 - Trusted Relationship", + "reason": "Inviting an account creates a trusted relationship that can be exploited for initial access or lateral movement within the organization." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Organizations/LeaveOrganization.json b/events/Organizations/LeaveOrganization.json index d088f55..8cd7533 100644 --- a/events/Organizations/LeaveOrganization.json +++ b/events/Organizations/LeaveOrganization.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Leaving the organization can be used to evade security controls and monitoring that are applied at the organization level, reducing the chances of detection." + } + ], "usedInWild": false, "incidents": [ { diff --git a/events/Organizations/ListAccounts.json b/events/Organizations/ListAccounts.json index 773b6c0..ef348bd 100644 --- a/events/Organizations/ListAccounts.json +++ b/events/Organizations/ListAccounts.json 
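Review bot: The `T1562 - Impair Defenses` reason on InviteAccountToOrganization ("creating noise or adding trusted accounts") does not describe an impairment of any defense, so the mapping is unsupported as written and should be dropped unless a concrete effect can be named. The `T1199 - Trusted Relationship` entry captures the real concern, an attacker-controlled account being brought into the organization, and its reason would be more useful if it noted that the invitation only takes effect once the invited account accepts the handshake, which is the second event a detection should pair with this one.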
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "Using the ListAccounts API call, an attacker can enumerate all accounts within the AWS organization, gaining insight into the structure and scope of the organization's AWS environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Organizations/ListOrganizationalUnitsForParent.json b/events/Organizations/ListOrganizationalUnitsForParent.json index c4543ab..2ae9890 100644 --- a/events/Organizations/ListOrganizationalUnitsForParent.json +++ b/events/Organizations/ListOrganizationalUnitsForParent.json 
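Review bot: `T1087 - Account Discovery` is the right technique for ListAccounts, but the specific sub-technique is `T1087.004 - Cloud Account`, and the new `mitreAttackSubTechniques` array directly above is left empty; putting the sub-technique there is exactly what that field appears to be for. The sub-technique array is empty in every hunk on this page, so it is worth deciding whether the field is meant to be filled by hand or generated later before landing this many files with an empty placeholder.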
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1482 - Domain Trust Discovery", + "reason": "By listing the organizational units, an adversary can identify relationships and trust boundaries between different parts of the organization, gaining insight into the hierarchical structure that may be exploited later." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "Knowledge of the organizational units can inform an adversary about different parts of the cloud infrastructure, helping to discover systems or accounts that can be targeted for further actions." + }, + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "The API can reveal different organizational units that might correspond to permission groupings or roles within the AWS environment, which is crucial for understanding how access is managed across the organization." + }, + { + "technique": "T1590 - Gather Victim Network Information", + "reason": "By understanding the organizational units, an adversary can piece together information about the internal network structure, which can be critical for furthering internal reconnaissance efforts." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/AuthorizeDBSecurityGroupIngress.json b/events/RDS/AuthorizeDBSecurityGroupIngress.json index 20f5902..707d412 100644 --- a/events/RDS/AuthorizeDBSecurityGroupIngress.json +++ b/events/RDS/AuthorizeDBSecurityGroupIngress.json 
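Review bot: `T1482 - Domain Trust Discovery` describes enumeration of Windows domain trusts and `T1590 - Gather Victim Network Information` is a pre-compromise Reconnaissance technique, so neither fits a caller who is already authenticated to the Organizations API and listing OUs. The verified `T1526 - Cloud Service Discovery` on the context line, plus `T1069 - Permission Groups Discovery` for the OU-to-policy relationship, cover what this call actually exposes; I would drop the other two rather than carry mappings that a reviewer will have to reject.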
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1021 - Remote Services", + "reason": "By authorizing specific IP ranges or security groups, this API call can enable remote access to the database from specified instances or IP addresses, potentially allowing attackers to establish unauthorized access directly." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The authorization of ingress rules through this API call may enable attackers to use common web protocols (HTTP/S) to interact with the database, facilitating access over application-layer protocols." + }, + { + "technique": "T1090 - Proxy", + "reason": "Attackers might exploit the authorized IP range through this API call by routing their traffic via an external proxy, masking their true origin and evading detection." + }, + { + "technique": "T1133 - External Remote Services", + "reason": "The API call directly allows the configuration of external access to cloud-based database services, which could be exploited by attackers to bypass internal network protections by directly accessing the database." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers might use the API call to authorize ingress for IP addresses or security groups that appear legitimate or benign, thus evading detection by security monitoring tools that rely on expected network traffic patterns." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "By carefully selecting which IPs or security groups to authorize, attackers can effectively impair or avoid network-based defenses, such as firewalls or intrusion detection systems (IDS), that rely on stricter ingress rules to protect the database." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
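Review bot: The `T1071 - Application Layer Protocol` reason says the ingress rule lets attackers "use common web protocols (HTTP/S) to interact with the database", but a DB security group rule opens the database listener port, not HTTP, so the stated mechanism is wrong; `T1133 - External Remote Services`, already in the list, is the fit for opening database access to outside addresses. The `T1090 - Proxy` and `T1036 - Masquerading` reasons similarly describe the caller's own source address rather than anything the rule does, and should go. For detection the useful detail is the CIDR or EC2 security group named in the request parameters, so a sentence in one of the remaining reasons pointing at that would help more than the broad mappings.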
diff --git a/events/RDS/CreateDBSecurityGroup.json b/events/RDS/CreateDBSecurityGroup.json index e1d92ca..4503517 100644 --- a/events/RDS/CreateDBSecurityGroup.json +++ b/events/RDS/CreateDBSecurityGroup.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The security group settings can be configured to allow specific protocols or applications to communicate with the DB instance, facilitating control or exfiltration methods." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying or creating a security group that permits broader access to the DB instance could serve as a form of defense evasion by bypassing firewall rules set to protect the database." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Creating or modifying a security group could be a method to manipulate access controls and permissions, thereby escalating privileges or creating a backdoor for persistent access." + }, + { + "technique": "T1036 - Masquerading", + "reason": "An attacker could create or name a DB security group to resemble legitimate or existing groups to avoid detection. This can deceive administrators or monitoring systems, allowing malicious actions to go unnoticed." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/RDS/CreateDBSnapshot.json b/events/RDS/CreateDBSnapshot.json index 4f29771..f96ae6c 100644 --- a/events/RDS/CreateDBSnapshot.json +++ b/events/RDS/CreateDBSnapshot.json 
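Review bot: Three of the four reasons describe configuring or broadening access ("can be configured to allow specific protocols", "permits broader access", "manipulate access controls"), which is what AuthorizeDBSecurityGroupIngress does; CreateDBSecurityGroup on its own creates a group with no rules. Only the `T1036 - Masquerading` reason, about the group's name, is about this call; the others should either be moved to the ingress-authorization entry or rewritten to say that the group becomes a risk only once rules are added to it.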
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1003 - OS Credential Dumping", + "reason": "Snapshots could contain credentials or other sensitive information that can be extracted and exploited by an attacker." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Snapshots containing authentication data or API keys can be used by attackers to maintain unauthorized access to cloud environments." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "Snapshots stored in cloud storage can be accessed by attackers to extract sensitive information." + }, + { + "technique": "T1005 - Data from Local System", + "reason": "The snapshot may contain data from the local system of the database instance that attackers could extract." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "The snapshot could be automatically transferred out of the environment to an external location, facilitating data exfiltration without manual intervention." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/DeleteDBCluster.json b/events/RDS/DeleteDBCluster.json index 50ff170..1b98c0e 100644 --- a/events/RDS/DeleteDBCluster.json +++ b/events/RDS/DeleteDBCluster.json 
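Review bot: `T1003 - OS Credential Dumping` and `T1005 - Data from Local System` are host-level techniques and do not apply to taking a managed database snapshot, so both entries should be dropped; the data-access concern is already expressed by `T1530 - Data from Cloud Storage Object` and the verified `T1537` on the context line. What is missing is the link that makes this event meaningful: a snapshot is routine on its own, and it becomes an exfiltration step only when followed by a share or public-attribute change via ModifyDBSnapshotAttribute or an export via StartExportTask, both of which have entries on this page. A reason that says so, e.g. `"reason": "A snapshot by itself is benign; correlate with a subsequent ModifyDBSnapshotAttribute or StartExportTask on the same snapshot."`, would be more useful to a detection engineer than the `T1020` entry, whose automated-transfer claim this call does not support.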
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "By deleting the DB cluster, an attacker could disable or remove a crucial part of an organization’s monitoring or logging setup if these were hosted on the RDS instance." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting a DB cluster could also serve to remove access to critical data and services, thereby disrupting operations and hindering incident response." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting the DB cluster may remove evidence of previous activities, such as logs or data that could be used to investigate the attack, serving as a method to evade detection." + }, + { + "technique": "T1489 - Service Stop", + "reason": "The deletion of a DB cluster directly results in stopping the associated service, causing disruption to any applications or services relying on that database." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By deleting the DB cluster, the attacker effectively denies access to the endpoint associated with the database, preventing legitimate users from interacting with the data and services hosted on the DB cluster." + }, + { + "technique": "T1490 - Inhibit System Recovery", + "reason": "Deleting a DB cluster can prevent data recovery if backups are also targeted or if the deletion is part of a strategy to ensure that data cannot be restored." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/DeleteDBInstance.json b/events/RDS/DeleteDBInstance.json index acc316a..2d61674 100644 --- a/events/RDS/DeleteDBInstance.json +++ b/events/RDS/DeleteDBInstance.json 
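Review bot: `T1531 - Account Access Removal` is about removing accounts or credentials, and `T1499 - Endpoint Denial of Service` about exhausting a service with traffic, so neither describes deleting a cluster; `T1489 - Service Stop` and `T1490 - Inhibit System Recovery` in the same list already cover the availability and recovery impact. The same two misfits are added in the DeleteDBInstance.json and DeleteGlobalCluster.json hunks. The `T1490` reason would be more concrete if it named the request detail that distinguishes a destructive deletion from a routine one: DeleteDBCluster takes a flag that skips the final snapshot, and a deletion with that flag set is the case worth alerting on.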
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Removing a DB instance can help an adversary eliminate logs or traces of malicious activity by erasing the entire database where logs might be stored." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "If an attacker deletes a DB instance, it could be a part of denying access to legitimate users by removing the resource they need." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Deleting a DB instance can effectively stop a critical service, rendering the associated application or service unavailable." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By deleting a DB instance, an attacker can cause a denial of service by removing the endpoint that the application or users rely on for database services." + }, + { + "technique": "T1565 - Data Manipulation", + "reason": "While not strictly altering data, deleting a DB instance can result in the loss of data integrity, as the sudden removal can lead to incomplete data or service disruptions." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/DeleteGlobalCluster.json b/events/RDS/DeleteGlobalCluster.json index 2800c4e..a2193fd 100644 --- a/events/RDS/DeleteGlobalCluster.json +++ b/events/RDS/DeleteGlobalCluster.json 
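Review bot: The `T1565 - Data Manipulation` entry argues against itself ("While not strictly altering data") and should be removed; the loss it describes is the verified `T1485 - Data Destruction` on the context line. Worth adding instead is what determines whether the data is recoverable: DeleteDBInstance can skip the final snapshot and can also delete the automated backups, and a deletion that does both is the pattern a `T1490 - Inhibit System Recovery` entry could point at. The enclosing event object continues outside the hunk.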
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1485 - Data Destruction" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "Deleting a global database cluster can cause an application or system to become unavailable, effectively denying service to legitimate users." + }, + { + "technique": "T1561 - Disk Wipe", + "reason": "The deletion of a global database cluster can be seen as a form of storage deletion, where critical data is irreversibly destroyed." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "By deleting the global database cluster, an attacker can remove evidence of the existence of that cluster, potentially hindering forensic investigations." + }, + { + "technique": "T1489 - Service Stop", + "reason": "Deleting a global database cluster will stop associated services, disrupting operations and causing an impact on availability." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Deleting the database cluster can disable monitoring or logging capabilities, thus impairing defenses by making it harder to detect malicious activity." + }, + { + "technique": "T1490 - Inhibit System Recovery", + "reason": "By deleting a global database cluster, an attacker may prevent system recovery by ensuring that critical data or configurations cannot be restored." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "If the global database cluster contains authentication information or is tied to account access mechanisms, deleting it can effectively remove or disrupt account access." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/RDS/ModifyActivityStream.json b/events/RDS/ModifyActivityStream.json index 741b143..1bff19b 100644 --- a/events/RDS/ModifyActivityStream.json +++ b/events/RDS/ModifyActivityStream.json 
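Review bot: `T1561 - Disk Wipe` describes wiping a host's disk or partitions and does not fit deleting a managed global cluster, and the `T1531 - Account Access Removal` reason is explicitly conditional ("If the global database cluster contains authentication information") on something this resource does not hold, so both should go. If I recall correctly, a global cluster can only be deleted once its member clusters have been detached, which means the data destruction has already happened in the preceding DeleteDBCluster events; if that is right, the reasons here overstate what this single call does, and a detection should treat it as the tail of a sequence rather than the destructive step itself.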
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1578 - Modify Cloud Compute Infrastructure" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying the database activity stream to an unlocked state could impair logging and monitoring, effectively evading defenses." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Attackers might reconfigure the audit policy state to the original state to avoid an investigation." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/ModifyDBSnapshotAttribute.json b/events/RDS/ModifyDBSnapshotAttribute.json index 19b3b84..b7f305f 100644 --- a/events/RDS/ModifyDBSnapshotAttribute.json +++ b/events/RDS/ModifyDBSnapshotAttribute.json 
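Review bot: The `T1070 - Indicator Removal` reason ("reconfigure the audit policy state to the original state to avoid an investigation") is too vague to act on: it does not say what was changed or why restoring the state hides anything. If the intended scenario is that an adversary unlocks the activity stream's audit policy, weakens the database-level audit policy, then locks it again so the change is less conspicuous, the reason should say that, e.g. `"reason": "After weakening the database audit policy while the stream is unlocked, an adversary can lock it again so the change is less likely to be noticed."`. That also gives a detection a concrete shape: an unlock followed shortly by a re-lock on the same instance.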
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By adding specific AWS account IDs to the ValuesToAdd parameter, an attacker can ensure persistent access to a DB snapshot by authorized accounts." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "Modifying the snapshot to make it public or share it with specific accounts might bypass certain security controls, aiding in defense evasion." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Making a DB snapshot public or sharing it with specific accounts allows unauthorized access, facilitating the exfiltration of sensitive data to an attacker-controlled AWS account." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Removing attributes or specific account IDs from the ValuesToAdd parameter can be used to cover tracks by eliminating evidence of unauthorized access." + }, + { + "technique": "T1087 - Account Manipulation", + "reason": "Modifying the attributes to include or exclude certain account IDs is a form of account manipulation, impacting who can access the snapshot." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "By removing access to certain AWS accounts from the ValuesToAdd parameter, legitimate users may be denied access, contributing to account access removal tactics." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The API call itself operates over an application layer protocol (typically HTTPS) and can be part of a communication channel used by the attacker to modify and transfer data within the cloud." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/RDS/StartExportTask.json b/events/RDS/StartExportTask.json index e8a668b..89249d4 100644 --- a/events/RDS/StartExportTask.json 
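Review bot: `"T1087 - Account Manipulation"` pairs the wrong ID with the name: T1087 is Account Discovery and Account Manipulation is T1098, both of which appear correctly elsewhere on this page, so the entry should read `"technique": "T1098 - Account Manipulation"`. The same ID/name mismatch occurs in the StartExportTask.json hunk (`T1078 - Cloud Accounts`, a sub-technique name on a technique ID) and the ResourceExplorer/Search.json hunk (`T1538 - Cloud Service Discovery`, where T1538 is Cloud Service Dashboard and the page otherwise uses `T1526 - Cloud Service Discovery`); a validation step that checks every `technique` string against the ATT&CK ID/name table before commit would catch all three. Two of the reasons also cite the wrong parameter: removing account IDs is done through `ValuesToRemove`, not `ValuesToAdd`, so the `T1070` and `T1531` reasons should name that instead. Finally, `T1537` duplicates the verified technique on the context line and can be dropped from the unverified list.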
+++ b/events/RDS/StartExportTask.json @@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "By exporting data to an S3 bucket, adversaries can use cloud services as a method to exfiltrate data without direct interaction with the database." + }, + { + "technique": "T1530 - Data from Cloud Storage Object", + "reason": "After exporting snapshot data to S3, an adversary can retrieve and analyze the data from the S3 bucket, provided they maintain access to the cloud storage." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "By exporting the RDS snapshot, an adversary gains access to a repository of information stored within the database, which they can then access through the S3 bucket." + }, + { + "technique": "T1078 - Cloud Accounts", + "reason": "Adversaries may leverage compromised cloud accounts to persist within the environment, using cloud-native functionality like the StartExportTask to maintain access to sensitive data over time." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/ResourceExplorer/Search.json b/events/ResourceExplorer/Search.json index c836c76..fec166d 100644 --- a/events/ResourceExplorer/Search.json +++ b/events/ResourceExplorer/Search.json 
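Review bot: The `T1078 - Cloud Accounts` reason describes persistence ("persist within the environment ... maintain access to sensitive data over time"), but StartExportTask does not grant or keep any access; it copies snapshot data to S3, which is the verified `T1537` and the new `T1567 - Exfiltration Over Web Service` already in the list. Either drop the entry or rewrite it to say only that a compromised cloud account is the precondition for calling this API. The `T1567` reason would be more useful if it pointed at the request's destination bucket, since an export to a bucket outside the set of known backup destinations is the concrete thing a detection on this event can compare against.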
@@ -9,6 +9,35 @@ "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1069 - Permission Groups Discovery", + "reason": "Attackers can create queries to discover permission groups, roles, and policies within the AWS environment, which might aid in understanding access levels across different resources." + }, + { + "technique": "T1538 - Cloud Service Discovery", + "reason": "By specifying queries related to cloud services, attackers can discover details about various services in use, aiding in the mapping of the environment." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The search results can reveal information about infrastructure components like EC2 instances, S3 buckets, and databases, providing attackers with critical data about the cloud architecture." + }, + { + "technique": "T1201 - Password Policy Discovery", + "reason": "Queries can be tailored to discover password policies related to IAM users, assisting attackers in crafting password-based attacks." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "If the search results reveal IAM roles or users with associated access keys, attackers might identify unsecured credentials that could be exploited for unauthorized access." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Searches might return details about valid accounts that could be targeted for unauthorized access, particularly if accounts are not adequately secured." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/Route53/ChangeResourceRecordSets.json b/events/Route53/ChangeResourceRecordSets.json index 70a4f26..8633a62 100644 --- a/events/Route53/ChangeResourceRecordSets.json +++ b/events/Route53/ChangeResourceRecordSets.json 
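Review bot: `T1201 - Password Policy Discovery` does not fit: Resource Explorer searches indexed resources and their metadata, not the IAM account password policy, which is read through IAM itself; the entry should be dropped. The `T1552 - Unsecured Credentials` reason is likewise speculative about "associated access keys" appearing in results, and unless the author has seen that happen it should be hedged or removed. The remaining discovery entries are reasonable, and the reason on `T1580` ("EC2 instances, S3 buckets, and databases") is the one that tells a detection engineer what a broad, unfiltered search of this kind looks like in practice.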
@@ -9,6 +9,51 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The ChangeResourceRecordSets API can be used to modify DNS records, allowing attackers to establish command and control channels using DNS or other application-layer protocols like HTTP/HTTPS."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "By altering DNS records, attackers can hide or modify evidence of their activities, such as tampering with or removing logs associated with DNS queries to avoid detection by security systems."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "Attackers may use this API to redirect network traffic through external or internal proxies by changing DNS records, which helps conceal the true destination of the traffic and evade monitoring tools."
+ },
+ {
+ "technique": "T1565 - Data Manipulation",
+ "reason": "Altering DNS records can mislead or redirect users and systems, potentially sending them to malicious IP addresses or disrupting the normal operation of services by providing false information."
+ },
+ {
+ "technique": "T1568 - Dynamic Resolution",
+ "reason": "Attackers can frequently update DNS entries using this API to maintain control over compromised systems or to evade detection by constantly altering the destination of command and control traffic."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "By modifying or deleting DNS records, attackers can effectively deny legitimate users access to services, redirecting traffic to incorrect or malicious servers, thereby locking out authorized access."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Changing or deleting essential DNS records can lead to a denial of service, where users are unable to access critical resources because DNS queries resolve to incorrect addresses."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "Constant manipulation of DNS records may be used to obscure the attacker's activities, making it more challenging for defenders to trace or understand the methods used for command and control or data exfiltration."
+ },
+ {
+ "technique": "T1213 - Data from Information Repositories",
+ "reason": "By redirecting traffic from legitimate information repositories to a malicious destination through altered DNS records, attackers can collect sensitive data under the guise of normal operations"
+ },
+ {
+ "technique": "T1557 - Man-in-the-Middle",
+ "reason": "Modifying DNS records to reroute traffic to malicious sites can facilitate man-in-the-middle attacks, allowing attackers to intercept or manipulate communications between users and services."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Route53/CreateHostedZone.json b/events/Route53/CreateHostedZone.json
index 43e3231..5ddfaa0 100644
--- a/events/Route53/CreateHostedZone.json
+++ b/events/Route53/CreateHostedZone.json
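Review bot: The `T1070 - Indicator Removal` reason attributes log tampering to this call, but ChangeResourceRecordSets only changes records in a hosted zone and cannot remove or alter DNS query logs; an unverified mapping whose justification does not follow from the API will mislead analysts who triage on this dataset. Either drop the entry or reword it around what the call does, e.g. `"reason": "Reverting or deleting attacker-created records after use can remove evidence of the infrastructure involved in an intrusion."`. The `T1213` reason is also the only one in this hunk missing its terminating period.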
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "Creating a hosted zone allows attackers to use DNS or web protocols for communication between compromised systems and attacker-controlled infrastructure, facilitating covert command and control operations."
+ },
+ {
+ "technique": "T1090 - Proxy",
+ "reason": "The hosted zone can be configured to route traffic through multiple proxies, aiding in defense evasion by obscuring the true source or destination of the traffic."
+ },
+ {
+ "technique": "T1568 - Dynamic Resolution",
+ "reason": "Attackers may use dynamically generated domains within the hosted zone to maintain command and control, making it difficult for defenders to track or block these communications."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "Attackers might create a hosted zone with a domain or subdomain that closely mimics a legitimate one, aiding in phishing or other forms of deception to mislead users or systems."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/Route53/GetHostedZoneCount.json b/events/Route53/GetHostedZoneCount.json
index acedbdd..ab8a63f 100644
--- a/events/Route53/GetHostedZoneCount.json
+++ b/events/Route53/GetHostedZoneCount.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "The GetHostedZoneCount API call can be used to enumerate the number of DNS zones hosted in a cloud environment, which reveals information about the cloud account's resources."
+ },
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "The GetHostedZoneCount API call reveals the presence and scale of Route 53 DNS services within the cloud environment. This information helps adversaries understand the cloud infrastructure and identify potential targets for further actions."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/Route53/ListDomains.json b/events/Route53/ListDomains.json
index 54acb1e..78d77d4 100644
--- a/events/Route53/ListDomains.json
+++ b/events/Route53/ListDomains.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1580 - Cloud Infrastructure Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1526 - Cloud Service Discovery",
+ "reason": "The ListDomains API call allows an adversary to discover domain names associated with the AWS account, providing insights into the cloud infrastructure."
+ },
+ {
+ "technique": "T1590 - Gather Victim Network Information",
+ "reason": "The ListDomains API call can be used to gather DNS information, which may reveal the structure of the victim’s network and other valuable network details."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Knowing the domains registered within the AWS account can help identify associated cloud resources and potential attack vectors within the cloud environment."
+ },
+ {
+ "technique": "T1046 - Network Service Scanning",
+ "reason": "The ListDomains API call could assist an adversary in identifying network services associated with the domain names, contributing to their reconnaissance efforts."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/Route53/RegisterDomain.json b/events/Route53/RegisterDomain.json
index 5dd114b..4546687 100644
--- a/events/Route53/RegisterDomain.json
+++ b/events/Route53/RegisterDomain.json
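Review bot: `"T1046 - Network Service Scanning"` uses the pre-v11 name of the technique; ATT&CK now calls T1046 Network Service Discovery, so the string should be `"T1046 - Network Service Discovery"` if the dataset tracks current names. `T1590 - Gather Victim Network Information` is a Reconnaissance technique performed before access is obtained, whereas a ListDomains call recorded in CloudTrail is by definition made with credentials inside the account, so it reads as post-compromise discovery rather than T1590; the entry is worth a second look.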
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1583 - Acquire Infrastructure",
+ "reason": "The RegisterDomain API call is used to acquire a new domain, which can be leveraged to set up malicious infrastructure, such as phishing sites or command and control servers."
+ },
+ {
+ "technique": "T1584 - Compromise Infrastructure",
+ "reason": "Registering a domain and creating a corresponding hosted zone allows attackers to establish and control an infrastructure that supports malicious activities."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "By creating a hosted zone and assigning name servers, the domain can be used to facilitate communication via DNS, a common method for establishing command and control channels."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/DeleteBucket.json b/events/S3/DeleteBucket.json
index 05f46a8..07c8d5d 100644
--- a/events/S3/DeleteBucket.json
+++ b/events/S3/DeleteBucket.json
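Review bot: The `T1584 - Compromise Infrastructure` entry's reason describes registering a new domain, which is acquisition (T1583, listed directly above it), not compromise of third-party infrastructure; the two entries are effectively the same mapping under different IDs. Drop the T1584 entry unless a justification specific to compromised infrastructure can be given, so the unverified list does not inflate the technique count with duplicates.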
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1485 - Data Destruction"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1485 - Data Destruction",
+ "reason": "Permanently deleting objects or versions from S3 can result in the loss of critical data, affecting the availability and integrity of information. This action can disrupt business operations by removing essential files, leading to significant data loss and operational downtime."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting an S3 bucket can serve as a method of removing evidence or logs that may be stored within the bucket, helping to evade detection."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting an S3 bucket could result in a denial of service if critical data or services that rely on that bucket become unavailable."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "Deleting key objects or configuration files from S3 can cause critical services to stop functioning. This disruption can lead to downtime and loss of access to essential systems, impacting business operations."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/DeleteBucketPolicy.json b/events/S3/DeleteBucketPolicy.json
index 26975c7..44993ce 100644
--- a/events/S3/DeleteBucketPolicy.json
+++ b/events/S3/DeleteBucketPolicy.json
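Review bot: `T1485 - Data Destruction` is repeated in `unverifiedMitreAttackTechniques` although it is already the verified technique in `mitreAttackTechniques` a few lines above, and its reason text ("deleting objects or versions from S3") reads as copied from a DeleteObject entry rather than describing bucket deletion. Remove the duplicate so the unverified list only holds candidates not yet confirmed; a schema check that the two arrays are disjoint would catch this across the whole dataset.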
@@ -9,6 +9,35 @@
 "mitreAttackTechniques": [
 "T1578 - Modify Cloud Compute Infrastructure"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Deleting a bucket policy can remove specific account or role permissions, effectively locking out other identities from accessing the bucket, which supports account access removal."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "By deleting a bucket policy, an attacker could disable or weaken security controls that were enforced by the policy, making it easier to execute subsequent malicious actions."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "If an attacker deletes the bucket policy, they can manipulate access controls to further their persistence or impede legitimate access, which could be considered a form of account manipulation."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting the bucket policy can remove key indicators of unauthorized access or changes. Since the policy itself might contain logging configurations or access control rules, its removal could make it harder to detect and track the attacker's actions, thereby aiding in evasion of detection."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting the bucket policy can lead to denial of service for legitimate users who rely on the policy to access the bucket, especially if the policy enforced critical access controls."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "By deleting the bucket policy, an attacker might indirectly cause services depending on that policy to stop functioning correctly, thereby achieving a form of service stop."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/S3/DeleteObject.json b/events/S3/DeleteObject.json
index b21cd12..218e870 100644
--- a/events/S3/DeleteObject.json
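Review bot: The `T1070 - Indicator Removal` reason states the bucket policy "might contain logging configurations"; a bucket policy is a resource-based IAM policy and carries no logging configuration (server access logging is a separate bucket setting), so the justification is inaccurate. Reword it around what policy deletion actually removes, e.g. `"reason": "Deleting the bucket policy removes the access statements that recorded which principals had been granted access, which can hide earlier unauthorized grants from a later review."`, or drop the entry.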
+++ b/events/S3/DeleteObject.json
@@ -9,6 +9,31 @@
 "mitreAttackTechniques": [
 "T1485 - Data Destruction"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting an object can be used to remove evidence of prior activity, aiding in evasion of detection and analysis."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "By deleting logs, configurations, or security-related data stored in S3, attackers can impair defensive mechanisms, reducing the effectiveness of monitoring and alerting systems."
+ },
+ {
+ "technique": "T1490 - Inhibit System Recovery",
+ "reason": "By deleting critical backups or data versions in S3, an attacker can inhibit recovery processes, making it difficult to restore systems to their pre-attack state."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting important objects required for system functionality or application performance could result in a denial of service, preventing users from accessing necessary resources or causing system disruptions."
+ },
+ {
+ "technique": "T1489 - Service Stop",
+ "reason": "Deleting configuration files or objects critical to the operation of a service hosted in AWS can lead to a service stop, effectively disrupting operations and causing downtime."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketAcl.json b/events/S3/GetBucketAcl.json
index 0725650..fe5e75e 100644
--- a/events/S3/GetBucketAcl.json
+++ b/events/S3/GetBucketAcl.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "By examining the ACL, an attacker can identify accounts or roles that have access to the bucket, which can then be used to gain unauthorized access through valid credentials."
+ },
+ {
+ "technique": "T1589 - Gather Victim Identity Information",
+ "reason": "By examining the ACL, an attacker could gather information about the identities (users, roles, or accounts) that have access to the bucket, which can be useful in planning further attacks."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketLogging.json b/events/S3/GetBucketLogging.json
index 857bf19..6ba72a3 100644
--- a/events/S3/GetBucketLogging.json
+++ b/events/S3/GetBucketLogging.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "The API call provides insights into which IAM accounts have permissions to view or modify bucket logging, aiding an attacker in identifying accounts with specific privileges."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketPolicy.json b/events/S3/GetBucketPolicy.json
index 60fc7cd..c5accc8 100644
--- a/events/S3/GetBucketPolicy.json
+++ b/events/S3/GetBucketPolicy.json
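Review bot: The `T1087 - Account Discovery` reason in the GetBucketLogging hunk claims the call shows which IAM accounts may view or modify logging, but the response only returns the logging target bucket and prefix (plus any target grants); it does not expose IAM permissions. The defensively relevant fact is that the call reveals whether server access logging is enabled and where logs are delivered, so a reason such as `"reason": "The response reveals whether server access logging is enabled for the bucket and where the logs go, which tells an adversary how visible later actions on the bucket will be."` would be accurate, and it sits closer to discovery of defenses than to account discovery, so the technique ID may need revisiting too.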
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "If an adversary can access a bucket policy, it may provide insights into valid accounts or roles that can be exploited for further access."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "By analyzing the bucket policy, an attacker can discover accounts or IAM roles that have access to the S3 bucket, which may help in escalating privileges within the environment."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketPublicAccessBlock.json b/events/S3/GetBucketPublicAccessBlock.json
index 3fea273..e306643 100644
--- a/events/S3/GetBucketPublicAccessBlock.json
+++ b/events/S3/GetBucketPublicAccessBlock.json
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Adversaries might use the GetPublicAccessBlock API call to check for misconfigurations or overly permissive settings in S3 buckets, potentially leading to unauthorized access and exploitation of valid cloud accounts."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage",
+ "reason": "Retrieving the PublicAccessBlock configuration can assist attackers in identifying S3 buckets that are misconfigured to allow public access, which may lead to unauthorized access and potential exfiltration of data from cloud storage."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketReplication.json b/events/S3/GetBucketReplication.json
index 09368fe..9c42fa0 100644
--- a/events/S3/GetBucketReplication.json
+++ b/events/S3/GetBucketReplication.json
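Review bot: `"T1530 - Data from Cloud Storage"` in the GetBucketPublicAccessBlock hunk and `"T1530 - Data from Cloud Storage Object"` elsewhere in this change (GetBucketTagging, GetBucketVersioning, GetObject, HeadObject, ListBuckets, ListVaults) name the same technique two ways; the current ATT&CK name for T1530 is Data from Cloud Storage, so the other files should be aligned to it, or the whole dataset pinned to one ATT&CK version. In the same hunk the reason refers to `GetPublicAccessBlock` while the file and event are `GetBucketPublicAccessBlock`; if that is deliberate (S3 API name versus CloudTrail event name) it is fine, otherwise it should match the event name.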
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Accessing replication configuration details could help an adversary identify which accounts or roles have permissions related to replication, enabling targeted attacks on these accounts for unauthorized access."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "With knowledge of the replication setup, an adversary can craft actions that closely mimic legitimate activities, such as modifying replication settings, which helps them evade detection by blending in with normal operations."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketTagging.json b/events/S3/GetBucketTagging.json
index 2f11cc7..2125677 100644
--- a/events/S3/GetBucketTagging.json
+++ b/events/S3/GetBucketTagging.json
@@ -9,6 +9,35 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1482 - Domain Trust Discovery",
+ "reason": "The GetBucketTagging API call can reveal tag information that may indicate domain or organizational trust relationships within AWS, helping adversaries understand the trust boundaries of the bucket."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "Tags may include sensitive information or classifications about the data stored in the S3 bucket, aiding attackers in prioritizing which data to exfiltrate or further target."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "ags retrieved from the bucket may contain information about the AWS accounts, IAM roles, or user groups with permissions, which can be used to identify potential targets for credential theft or account takeover."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "The API call might provide insights into user or service accounts associated with the bucket through tags, allowing adversaries to identify accounts that have access to critical resources."
+ },
+ {
+ "technique": "T1033 - System Owner/User Discovery",
+ "reason": "Tags could provide information about the owner of the bucket or associated resources, which could help attackers in social engineering or in targeting specific individuals or roles within the organization."
+ },
+ {
+ "technique": "T1484 - Group Policy Discovery",
+ "reason": "Tags could indicate group-like configurations or policies associated with buckets, such as those related to access control or data management, offering insights into how resources are managed or accessed."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetBucketVersioning.json b/events/S3/GetBucketVersioning.json
index 2baf5be..9769d18 100644
--- a/events/S3/GetBucketVersioning.json
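Review bot: `"reason": "ags retrieved from the bucket..."` has lost its first letter ("Tags"), and `"T1484 - Group Policy Discovery"` mismatches ID and name: Group Policy Discovery is T1615, while T1484 is Domain (or Tenant) Policy Modification. Both T1615 and T1484 are Active Directory-centric, so neither fits S3 bucket tags well and the entry is probably best dropped rather than renamed; `T1482 - Domain Trust Discovery` is likewise about AD domain trusts rather than AWS account boundaries and deserves the same scrutiny.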
+++ b/events/S3/GetBucketVersioning.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "Understanding the versioning and MFA Delete status allows attackers to potentially collect older or deleted versions of data, which might not be available in a non-versioned setup."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Attackers with valid accounts (e.g., those who have compromised credentials) may use this API call to gather information that could further their goals, such as determining the best method to evade detection or exfiltrate data."
+ },
+ {
+ "technique": "T1213 - Data from Information Repositories",
+ "reason": "The versioning status of a bucket might indicate the presence of multiple versions of stored data, which attackers could access and collect as part of their broader objective of gathering information from cloud storage."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/GetObject.json b/events/S3/GetObject.json
index fb06090..fb9ab31 100644
--- a/events/S3/GetObject.json
+++ b/events/S3/GetObject.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1048 - Exfiltration Over Alternative Protocol"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "The GetObject API call is used to retrieve data from specific objects within S3 buckets, making it essential for adversaries collecting data from cloud storage."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The GetObject operation can be invoked over HTTPS, which is a common method for communicating with AWS services and could be used to exfiltrate data covertly."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "The GetObject operation might be part of a process where data is retrieved and temporarily stored (staged) before further processing or exfiltration."
+ },
+ {
+ "technique": "T1570 - Lateral Tool Transfer",
+ "reason": "Retrieving an object that contains tools or scripts via GetObject can be part of a lateral movement strategy, where tools are transferred between compromised systems."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/HeadObject.json b/events/S3/HeadObject.json
index 397d7b7..e56f8cc 100644
--- a/events/S3/HeadObject.json
+++ b/events/S3/HeadObject.json
@@ -9,6 +9,35 @@
 "mitreAttackTechniques": [
 "T1619 - Cloud Storage Object Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1537 - Transfer Data to Cloud Account",
+ "reason": "The HeadObject API call helps verify the existence of data in S3 buckets, allowing attackers to understand what data is available for transfer or collection."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Attackers may use HeadObject to discover information about objects in S3 buckets, which can help identify sensitive accounts or resources within a cloud environment."
+ },
+ {
+ "technique": "T1083 - File and Directory Discovery",
+ "reason": "This API call provides metadata about objects, helping attackers discover the organization and structure of files stored in S3, facilitating further actions."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "The operation assists in identifying which specific cloud storage objects might contain valuable data for exfiltration."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "By accessing metadata, attackers can infer details about the cloud infrastructure, such as object creation dates, storage classes, and more, providing insights into the environment's configuration."
+ },
+ {
+ "technique": "T1557 - Service Discovery",
+ "reason": "The ability to query metadata from S3 objects can help attackers gather information about the usage and configuration of cloud services, potentially revealing misconfigurations or security weaknesses."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/JobCreated.json b/events/S3/JobCreated.json
index 91b2f6f..beb7ddb 100644
--- a/events/S3/JobCreated.json
+++ b/events/S3/JobCreated.json
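Review bot: `"T1557 - Service Discovery"` is not an ATT&CK technique: T1557 is Adversary-in-the-Middle, and there is no technique named Service Discovery (the reason text is describing Cloud Service Discovery, which is T1526). Change the line to `"technique": "T1526 - Cloud Service Discovery"` or remove the entry; this is another case a validation step against the ATT&CK catalogue would have caught before review.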
@@ -9,6 +9,35 @@
 "mitreAttackTechniques": [
 "T1537 - Transfer Data to Cloud Account"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1560 - Archive Collected Data",
+ "reason": "An attacker could use the S3 Batch Operations to aggregate and compress large amounts of data for exfiltration, creating a job that is recorded as a JobCreated event."
+ },
+ {
+ "technique": "T1074 - Data Staged",
+ "reason": "The JobCreated event indicates that data could be staged in an S3 bucket, possibly in preparation for further actions such as exfiltration."
+ },
+ {
+ "technique": "T1020 - Automated Exfiltration",
+ "reason": "The job creation could be part of an automated process designed to move data out of the environment, with minimal manual intervention required once set up."
+ },
+ {
+ "technique": "T1105 - Ingress Tool Transfer",
+ "reason": "A JobCreated event could be used to transfer tools or scripts into the environment, using S3 as a storage mechanism before execution."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The Batch Operations job may involve communication over standard protocols (like HTTPS) for command and control, making it harder to detect malicious activity."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "Attackers may manipulate or create new accounts with the necessary permissions to execute Batch Operations jobs, facilitating unauthorized data access or exfiltration."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/S3/ListBuckets.json b/events/S3/ListBuckets.json
index e5923f1..2e19381 100644
--- a/events/S3/ListBuckets.json
+++ b/events/S3/ListBuckets.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1526 - Cloud Service Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "he ListBuckets API call helps identify the scope of an AWS account by revealing all S3 buckets owned by the account, giving insight into the account's cloud resources."
+ },
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "Once buckets are listed, attackers can target specific buckets for data extraction, which is critical for both understanding and potentially exfiltrating data stored in the cloud."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The ability to list buckets verifies that the credentials used have sufficient permissions, which can inform the attacker about the level of access they have and what actions they can perform."
+ },
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "By listing buckets, attackers can gather information about the organization of data and system configurations within the cloud environment, indirectly giving insight into how the cloud infrastructure is managed."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/ListObjects.json b/events/S3/ListObjects.json
index 13beed3..57542a4 100644
--- a/events/S3/ListObjects.json
+++ b/events/S3/ListObjects.json
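Review bot: `"reason": "he ListBuckets API call helps identify..."` has lost its first letter ("The"). It is the same kind of truncation as the "ags retrieved" reason in GetBucketTagging, which suggests whatever produced these strings occasionally strips a leading character; the remaining reasons in this change are worth a scan for the same defect before merge.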
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1619 - Cloud Storage Object Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1083 - File and Directory Discovery",
+ "reason": "Even though directory buckets are not supported, ListObjects allows an attacker to discover the contents and structure of an S3 bucket by listing objects."
+ },
+ {
+ "technique": "T1213 - Data from Information Repositories",
+ "reason": "The ListObjects call enables the retrieval of data stored within S3 buckets, which are often utilized as information repositories."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/ListVaults.json b/events/S3/ListVaults.json
index 3c10f1e..ee0eb0f 100644
--- a/events/S3/ListVaults.json
+++ b/events/S3/ListVaults.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1619 - Cloud Storage Object Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1530 - Data from Cloud Storage Object",
+ "reason": "The ListVaults API call is used to enumerate all vaults within S3 Glacier, which could help an attacker identify potential storage locations for exfiltration."
+ },
+ {
+ "technique": "T1087 - Account Discovery",
+ "reason": "Listing vaults provides insight into the structure and ownership of cloud storage resources, which can be useful for discovering cloud accounts and identifying valuable targets."
+ },
+ {
+ "technique": "T1213 - Data from Information Repositories",
+ "reason": "The API call can be used to list and access data stored in vaults, which may be part of broader data collection or exfiltration efforts."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Understanding the vaults associated with an account can inform attackers about which accounts manage sensitive data, potentially guiding further credential access attempts."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
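Review bot: The `T1213` reason in the ListVaults hunk says the call can "list and access data stored in vaults", but ListVaults returns vault metadata only; reading archive contents requires separate retrieval-job calls, so the reason overstates what this one event evidences. The same applies to the ListObjects hunk, where the `T1213` reason says the call "enables the retrieval of data" although ListObjects returns keys and metadata, not object contents. Tightening both to "lists the names/metadata of stored items" keeps the mapping honest for analysts who use it to scope an incident.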
diff --git a/events/S3/PutBucketAcl.json b/events/S3/PutBucketAcl.json
index a258c80..5548178 100644
--- a/events/S3/PutBucketAcl.json
+++ b/events/S3/PutBucketAcl.json
@@ -9,6 +9,43 @@
 "mitreAttackTechniques": [
 "T1048 - Exfiltration Over Alternative Protocol"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Adjusting the ACL to include additional accounts or groups can provide persistent access to unauthorized entities, allowing the adversary to maintain control over the resource."
+ },
+ {
+ "technique": "T1548 - Abuse Elevation Control Mechanism",
+ "reason": "By setting the ACL with more permissive controls, an attacker could elevate their access privileges, gaining the ability to perform actions beyond their intended scope."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Modifying ACLs can be used to prevent security tools or monitoring from detecting malicious actions by restricting access to logging or alerting services."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Changing ACLs can serve to obscure evidence of unauthorized access or changes by modifying who has visibility into the bucket, thereby evading detection."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "An attacker can alter the ACL to make unauthorized access appear as legitimate traffic, thus avoiding suspicion and detection."
+ },
+ {
+ "technique": "T1531 - Account Access Removal",
+ "reason": "Adjusting the ACL could be used to remove legitimate access to a bucket, effectively denying access to authorized users while maintaining control over the resource."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The ability to modify ACLs directly correlates with manipulating which accounts have what level of access to a resource, aligning with broader account manipulation strategies."
+ },
+ {
+ "technique": "T1199 - Trusted Relationship",
+ "reason": "If an attacker modifies ACLs to include entities that are typically trusted, this can facilitate initial access through a trusted relationship, leveraging the trust model to gain unauthorized access."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/S3/PutBucketLifecycle.json b/events/S3/PutBucketLifecycle.json
index e6a1faa..b3116c6 100644
--- a/events/S3/PutBucketLifecycle.json
+++ b/events/S3/PutBucketLifecycle.json
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1485 - Data Destruction"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "An attacker could manipulate lifecycle configurations to delete, transition, or obscure data, effectively impairing defensive mechanisms by reducing the visibility or availability of critical data."
+ },
+ {
+ "technique": "T1537 - Transfer Data to Cloud Account",
+ "reason": "Manipulating lifecycle configurations could facilitate the movement of data to different storage locations or accounts, enabling data exfiltration or staging of information."
+ },
+ {
+ "technique": "T1486 - Data Encrypted for Impact",
+ "reason": "Lifecycle configurations could be altered to move data into encrypted storage, rendering it inaccessible as a form of impact, effectively denying access to the legitimate users."
+ },
+ {
+ "technique": "T1027 - Obfuscated Files or Information",
+ "reason": "An attacker might adjust lifecycle configurations to archive or obscure files, making them harder to detect or stage them for later exfiltration, thus evading detection."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/S3/PutBucketPolicy.json b/events/S3/PutBucketPolicy.json
index 7e2d8e8..cbfd1c6 100644
--- a/events/S3/PutBucketPolicy.json
+++ b/events/S3/PutBucketPolicy.json
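Review bot: In the PutBucketAcl hunk, `T1548 - Abuse Elevation Control Mechanism` covers OS-level elevation controls (sudo, UAC, setuid and the like) rather than changes to a resource ACL, and `T1199 - Trusted Relationship` is initial access through a third party's pre-existing access, not grants the intruder adds after the fact; both read as forced fits next to `T1098 - Account Manipulation`, which already describes ACL changes. Consider dropping those two so the unverified list stays credible for analysts who triage on it. The `T1036 - Masquerading` reason ("make unauthorized access appear as legitimate traffic") also does not describe anything an ACL change does to a CloudTrail record, so it deserves the same scrutiny.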
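Review bot: In the PutBucketLifecycle hunk, two reasons attribute capabilities to lifecycle configuration that it does not have: the `T1537` entry says lifecycle rules can move data to different accounts, and the `T1486` entry says they can move data into encrypted storage that denies access; lifecycle rules only transition objects between storage classes within the same bucket or expire them. The realistic impacts are data loss and delayed retrieval (expiration and archival transitions), which the verified T1485 mapping already covers, so drop those two entries or reword them around expiration and archival, e.g. `"reason": "A lifecycle rule with a short expiration can silently delete objects or noncurrent versions on a schedule, destroying data without a visible DeleteObject call."`.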
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1048 - Exfiltration Over Alternative Protocol" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1567 - Exfiltration Over Web Service", + "reason": "A malicious policy could allow an attacker to exfiltrate data from an S3 bucket to an external location." + }, + { + "technique": "T1550 - Use Alternate Authentication Material", + "reason": "An attacker might leverage the modified bucket policy to maintain access via alternate authentication methods, such as session tokens or identity federation mechanisms." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Attackers can modify a bucket policy to revoke access from certain users or roles, making it difficult for legitimate users to regain control over the resource." + }, + { + "technique": "T1098 - Account Manipulation", + "reason": "Modifying the bucket policy can directly alter the permissions and access rights of various accounts, effectively manipulating who has control over the S3 resources." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/S3/PutBucketReplication.json b/events/S3/PutBucketReplication.json index 9c4bf45..60cfe8a 100644 --- a/events/S3/PutBucketReplication.json +++ b/events/S3/PutBucketReplication.json 
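Review bot: The T1550 reason asserts a bucket policy lets an attacker "maintain access via alternate authentication methods, such as session tokens or identity federation"; a bucket policy grants or denies principals and neither mints session tokens nor configures federation, so the entry does not describe this API and should be dropped. The mapping that matters, T1567 alongside the verified T1048, turns on which principal the policy admits, and none of the reasons says so. I would make the T1567 reason carry the check a responder needs: `"reason": "A bucket policy whose Principal is * or an external account ID lets that principal read objects directly; inspect the policy document in requestParameters for principals outside the organization."`.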
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1098 - Account Manipulation", + "reason": "The ability to modify or create replication configurations can be used to ensure that critical data is continuously replicated to an attacker-controlled bucket, maintaining persistence even if access controls are modified or removed." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "An attacker could misuse the replication configuration to redirect logs or other monitoring data away from security tools, effectively evading detection and disabling defenses." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "By setting up replication to an external or unauthorized S3 bucket, an attacker can automatically exfiltrate data, transferring large volumes without direct manual intervention." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/S3/PutBucketVersioning.json b/events/S3/PutBucketVersioning.json index b68b6b2..d188c93 100644 --- a/events/S3/PutBucketVersioning.json +++ b/events/S3/PutBucketVersioning.json 
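Review bot: The T1098 reason describes continuous replication of data as a persistence mechanism, which is not what Account Manipulation covers; that rationale belongs under the T1020/T1537 entries, and the only account-level object this API touches is the replication IAM role named in the configuration, so T1098 should be dropped or re-justified via that role. The T1562 reason says replication can "redirect logs ... away from security tools", but replication copies objects and the source keeps them, so no defence is impaired. For T1020 the practical detail is the destination: `"reason": "Objects are copied asynchronously to the bucket named in Destination.Bucket; a Destination.Account that differs from the caller's account is the exfiltration indicator."` — the field names are from memory, verify against the PutBucketReplication request schema.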
@@ -11,6 +11,23 @@ "T1490 - Inhibit System Recovery", "T1537 - Transfer Data to Cloud Account" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "If an attacker suspends versioning, they could delete IAM policies or credentials stored in S3, making recovery of previous versions impossible, thereby preventing account recovery." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "An attacker might disable versioning or enable it without MFA Delete, which allows them to delete or overwrite objects in a way that removes evidence of their activity, complicating forensic investigation." + }, + { + "technique": "T1488 - Data Destruction", + "reason": "If an attacker sets an object expiration lifecycle in a version-enabled bucket and suspends versioning, they could effectively destroy all noncurrent object versions over time, leading to the loss of data." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/S3/PutObject.json b/events/S3/PutObject.json index 4ae8303..4c155f9 100644 --- a/events/S3/PutObject.json +++ b/events/S3/PutObject.json 
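Review bot: `"technique": "T1488 - Data Destruction"` uses the wrong ATT&CK ID; Data Destruction is T1485, which the PutBucketLifecycle and PutObject hunks in this same diff use, and T1488 is a different, deprecated technique. Because the ID and name are concatenated in one string, a mismatch like this is invisible to any consumer that keys on the ID, and a check that validates each `technique` prefix against its name would catch it across the whole data set. The T1531 reason ("delete IAM policies or credentials stored in S3") also does not describe versioning; what suspending versioning removes is the ability to recover overwritten or deleted objects, which the verified T1490 entry already captures.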
@@ -9,6 +9,39 @@ "mitreAttackTechniques": [ "T1565 - Data Manipulation" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1074 - Data Staged", + "reason": "The PutObject API call can be used to store objects in S3 as a staging area for data that might be collected or processed before exfiltration or further use." + }, + { + "technique": "T1070 - Indicator Removal", + "reason": "Attackers can use PutObject to overwrite existing objects with benign data or to modify metadata, helping to conceal malicious activity by removing indicators of compromise within cloud storage." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "The PutObject API can be used to transfer tools or malicious binaries into an S3 bucket, facilitating their retrieval and execution elsewhere in the environment." + }, + { + "technique": "T1036 - Masquerading", + "reason": "Attackers could upload objects with names or metadata that mimic legitimate files using the PutObject API, making malicious content harder to detect." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "The PutObject API could be used to overwrite critical objects, leading to data loss or destruction, particularly if previous versions are not preserved." + }, + { + "technique": "T1027 - Obfuscated Files or Information", + "reason": "Attackers can use PutObject to upload files containing hidden or obfuscated data (e.g., within images), supporting defense evasion." + }, + { + "technique": "T1570 - Lateral Tool Transfer", + "reason": "Objects added to an S3 bucket via PutObject can be used to transfer tools or payloads across different cloud environments, supporting lateral movement within compromised infrastructure." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/CreateEmailIdentity.json b/events/SES/CreateEmailIdentity.json index 99d02f0..5dbf1d0 100644 --- a/events/SES/CreateEmailIdentity.json 
+++ b/events/SES/CreateEmailIdentity.json @@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1583 - Acquire Infrastructure", + "reason": "Verifying an email identity or domain is part of acquiring the necessary infrastructure for sending emails, which could be used for malicious activities such as phishing or command and control." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The verification of an email identity, especially when using DKIM, helps establish a legitimate-looking account or service that can be exploited for malicious purposes." + }, + { + "technique": "T1566 - Phishing", + "reason": "The verified email identity or domain can be utilized to send phishing emails, leveraging the trust established by a verified and legitimate-looking sender address or domain." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/DeleteIdentity.json b/events/SES/DeleteIdentity.json index b79469c..552659d 100644 --- a/events/SES/DeleteIdentity.json +++ b/events/SES/DeleteIdentity.json 
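Review bot: T1583 Acquire Infrastructure is the Resource Development technique for infrastructure the adversary obtains on their own; an identity created inside a victim's SES account is closer to T1584 Compromise Infrastructure, which is also what the verified T1496 entry implies — confirm against the ATT&CK definitions before swapping. The T1078 reason treats an SES email identity as a "valid account", but a sending identity is not a principal that can authenticate, so that entry reads as a mislabel and should go. A reason grounded in the call would be `"reason": "A newly verified domain or address in a compromised account becomes sending infrastructure the attacker did not have to provision or warm up."`.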
@@ -10,6 +10,23 @@ "T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting an email address or domain from the list of verified identities can remove access for legitimate users, thereby evading detection by disrupting normal email flows and alert mechanisms that rely on these identities." + }, + { + "technique": "T1485 - Data Destruction", + "reason": "Deleting a verified identity can disrupt communication channels, especially if the identity is tied to critical email systems, effectively leading to the destruction of necessary operational data." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "This operation could contribute to a denial of service by removing a critical identity that is required for sending emails, thus halting communication or alerting capabilities within the affected system." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/GetAccount.json b/events/SES/GetAccount.json index 02f50f0..6b17718 100644 --- a/events/SES/GetAccount.json +++ b/events/SES/GetAccount.json 
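Review bot: The T1485 reason says removing a verified identity leads to "destruction of necessary operational data", but no data is deleted by this call — only the identity's verification and sending entitlement — so T1485 should be dropped and the impact left to the T1499 entry. The T1531 reason also ends in "thereby evading detection", mixing a Defense Evasion rationale into an Impact technique; trim it to the first clause, e.g. `"reason": "Deleting the identity used by legitimate senders blocks their mail until the identity is re-verified."`.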
@@ -2,13 +2,26 @@ "eventName": "GetAccount", "eventSource": "ses.amazonaws.com", "awsService": "SES", - "description": "Lists the applied quota values for the specified AWS service.", + "description": "Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.", "mitreAttackTactics": [ "TA0007 - Discovery" ], "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "By obtaining information about the SES account, attackers can identify if an account is enabled for sending emails, aiding in the identification of valid accounts for unauthorized access." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "The GetAccount API call allows an attacker to gather information related to the cloud infrastructure's email capabilities, essential for understanding the cloud environment and planning further malicious activities." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/GetAccountSendingEnabled.json b/events/SES/GetAccountSendingEnabled.json index bf7f471..96ce36b 100644 --- a/events/SES/GetAccountSendingEnabled.json +++ b/events/SES/GetAccountSendingEnabled.json 
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "By querying the SES email sending status, attackers can learn whether the service is configured and operational, revealing critical details about the cloud environment's setup." + }, + { + "technique": "T1590 - Gather Victim Identity Information", + "reason": "Understanding the email sending status through GetAccountSendingEnabled may provide insights into associated email addresses or domains, which can be used for further reconnaissance activities." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/SES/GetIdentityVerificationAttributes.json b/events/SES/GetIdentityVerificationAttributes.json index 8ae6040..985daf9 100644 --- a/events/SES/GetIdentityVerificationAttributes.json +++ b/events/SES/GetIdentityVerificationAttributes.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1526 - Cloud Service Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1589 - Gather Victim Identity Information", + "reason": "The API can be used to verify the status of email addresses, enabling attackers to identify active and valid email addresses that may be targeted for social engineering or phishing attacks." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Access to this API could indicate that an attacker has compromised cloud credentials, allowing them to monitor or manipulate email verification statuses, potentially leading to further unauthorized access." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/GetSendQuota.json b/events/SES/GetSendQuota.json index ba6b1fa..e63747b 100644 --- a/events/SES/GetSendQuota.json +++ b/events/SES/GetSendQuota.json 
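Review bot: `"technique": "T1590 - Gather Victim Identity Information"` in the GetAccountSendingEnabled hunk pairs the wrong ID with that name; the GetIdentityVerificationAttributes hunk on the same line uses `T1589 - Gather Victim Identity Information`, and T1590 is Gather Victim Network Information. One of the two must change, and T1589 is the correct ID on my reading. The reason also claims the call reveals "associated email addresses or domains", which GetAccountSendingEnabled does not return — it returns a single boolean — so the entry is doubtful even with the ID fixed.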
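Review bot: The T1078 reason in the GetIdentityVerificationAttributes hunk ("Access to this API could indicate that an attacker has compromised cloud credentials") is true of every authenticated call and says nothing specific to this one, so it does not justify a Valid Accounts mapping. Either remove the entry or give a reason tied to what the response uniquely exposes: `"reason": "The per-identity verification status and token tell an attacker which addresses and domains are ready to send from without further setup."`.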
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetSendQuota API call can be used to determine the current email sending limits of an account, which is a form of system information that could help an adversary understand the operational capabilities of the target environment." + }, + { + "technique": "T1602 - Gather Victim Host Information", + "reason": "By using GetSendQuota, an attacker could gather details about the SES service's capacity and limitations, which is part of understanding the victim's resources." + }, + { + "technique": "T1580 - Cloud Service Discovery", + "reason": "This API call allows adversaries to discover details about the cloud services in use (SES in this case), contributing to broader cloud service reconnaissance." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/ListIdentities.json b/events/SES/ListIdentities.json index c92dbb3..6d724f9 100644 --- a/events/SES/ListIdentities.json +++ b/events/SES/ListIdentities.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1087 - Account Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "The ListIdentities API might help an attacker identify valid cloud accounts or identities to target for subsequent attacks, such as trying to access these accounts using stolen or guessed credentials." + }, + { + "technique": "T1033 - System Owner/User Discovery", + "reason": "Identifying system owners or users based on the listed identities can help attackers target specific accounts or tailor attacks based on the roles of those users." + } + ], "usedInWild": true, "incidents": [ { 
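Review bot: `"technique": "T1580 - Cloud Service Discovery"` contradicts the verified list two lines above it in the same hunk, where T1580 is named Cloud Infrastructure Discovery; Cloud Service Discovery is T1526, as the GetAccountSendingEnabled and ListSecrets hunks in this diff use, and listing T1580 under unverified duplicates the verified entry in any case. `"technique": "T1602 - Gather Victim Host Information"` looks like a second ID/name mismatch — Gather Victim Host Information is T1592 if I have the IDs right, and T1602 is a Collection technique — so please verify both against the ATT&CK data before merging. Either drop T1602 or replace it with T1592 and the reason as written.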
diff --git a/events/SES/UpdateAccountSendingEnabled.json b/events/SES/UpdateAccountSendingEnabled.json index d9502ca..31f127d 100644 --- a/events/SES/UpdateAccountSendingEnabled.json +++ b/events/SES/UpdateAccountSendingEnabled.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Disabling email sending can help evade detection by preventing the generation of SES-based alerts or logs that might indicate malicious activities." + }, + { + "technique": "T1562 - Impair Defenses", + "reason": "An attacker could use this API call to disable email sending, potentially preventing security teams from receiving critical alerts and impairing the defenses of the environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SES/VerifyEmailIdentity.json b/events/SES/VerifyEmailIdentity.json index 3f5f91b..a891454 100644 --- a/events/SES/VerifyEmailIdentity.json +++ b/events/SES/VerifyEmailIdentity.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": " By verifying an email address, an adversary might create a valid cloud account identity that could be used in subsequent malicious activities, making it appear as if actions are being carried out by a legitimate user." + }, + { + "technique": "T1588 - Obtain Capabilities", + "reason": "Adversaries could use the API to validate an email identity, thereby acquiring a tool or resource that can be utilized in future phishing or spamming campaigns." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SNS/GetSMSAttributes.json b/events/SNS/GetSMSAttributes.json index bfcc9d9..febd5b0 100644 --- a/events/SNS/GetSMSAttributes.json +++ b/events/SNS/GetSMSAttributes.json 
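Review bot: The T1070 reason claims disabling sending prevents "the generation of SES-based alerts or logs", but the call is itself recorded in CloudTrail and no existing log is removed, so it is not indicator removal; the defensive effect it does have — blocking alert email relayed through this account — is already the T1562 entry. I would drop T1070 and tighten T1562 to the observable: `"reason": "With sending disabled, any alerting that relays email through this account's SES stops; the change is visible in CloudTrail with Enabled=false in requestParameters."` — the parameter name is from memory, confirm it against the request shape.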
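Review bot: The T1078 reason string in the VerifyEmailIdentity hunk starts with a leading space (`" By verifying an email address..."`), which differs from every other reason in the diff and will render oddly; strip it. The entry itself has the same problem as in CreateEmailIdentity — verifying an address in the victim's account does not create a cloud account — so I would drop T1078 and keep T1588, whose reason is the accurate one.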
@@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The GetSMSAttributes call can reveal details about the SMS configuration, including regions, usage patterns, and sender IDs, providing an attacker with valuable information about the environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SNS/GetSMSSandboxAccountStatus.json b/events/SNS/GetSMSSandboxAccountStatus.json index 0698047..b472d7d 100644 --- a/events/SNS/GetSMSSandboxAccountStatus.json +++ b/events/SNS/GetSMSSandboxAccountStatus.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "This API call allows an adversary to determine the SMS sandbox status, which can reveal if an AWS account is still in a test phase or if it's been moved to production, indicating how the account might be used or targeted." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SNS/ListOriginationNumbers.json b/events/SNS/ListOriginationNumbers.json index 8f0a90e..7dad52c 100644 --- a/events/SNS/ListOriginationNumbers.json +++ b/events/SNS/ListOriginationNumbers.json @@ -9,6 +9,15 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "The ListOriginationNumbers API call provides information on the account's SMS origination numbers, which could help an adversary discover and map out cloud resources associated with the account." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
diff --git a/events/SNS/ListSubscriptions.json b/events/SNS/ListSubscriptions.json index a315a59..298a10c 100644 --- a/events/SNS/ListSubscriptions.json +++ b/events/SNS/ListSubscriptions.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts." + }, + { + "technique": "T1007 - System Service Discovery", + "reason": "The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/SNS/ListTopics.json b/events/SNS/ListTopics.json index c57fc9c..265aa32 100644 --- a/events/SNS/ListTopics.json +++ b/events/SNS/ListTopics.json @@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts." + }, + { + "technique": "T1007 - System Service Discovery", + "reason": "The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/SNS/Publish.json b/events/SNS/Publish.json index 74f6fed..3b25bdf 100644 --- a/events/SNS/Publish.json +++ b/events/SNS/Publish.json 
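Review bot: Both reasons in the ListTopics.json hunk say "An attacker could use ListSubscriptions", copied verbatim from the ListSubscriptions.json hunk above, so the text describes the wrong API. Rewrite them for topics, e.g. `"reason": "ListTopics enumerates the SNS topic ARNs in the account, revealing which notification pipelines exist and which topics to target with Subscribe or Publish."`. T1087 is also a weak fit since topics are not accounts; T1526 Cloud Service Discovery matches the enumeration better.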
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1496 - Resource Hijacking" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The SNS Publish API can send messages using common application layer protocols such as HTTPS. This can be used for command and control communication by sending instructions or payloads to subscribed endpoints in a covert manner." + }, + { + "technique": "T1537 - Transfer Data to Cloud Account", + "reason": "Attackers can use SNS to exfiltrate data by sending it as a message to a subscribed endpoint, which may belong to an external cloud account controlled by the adversary." + }, + { + "technique": "T1090 - Proxy", + "reason": "The SNS service can act as a relay for communications, allowing attackers to hide the true source and destination of their messages by using SNS as an intermediary, which can evade detection mechanisms." + }, + { + "technique": "T1020 - Automated Exfiltration", + "reason": "By automating the use of SNS Publish to regularly send messages containing exfiltrated data to external endpoints, attackers can maintain a consistent and automated exfiltration channel." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SSM/DescribeInstanceInformation.json b/events/SSM/DescribeInstanceInformation.json index 6f09404..2558b88 100644 --- a/events/SSM/DescribeInstanceInformation.json +++ b/events/SSM/DescribeInstanceInformation.json 
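Review bot: The T1090 reason says SNS can "hide the true source and destination" of messages, but Publish is logged in CloudTrail with the caller identity and topic ARN, and delivery endpoints are visible from the topic's subscriptions, so the proxy claim overstates the evasion and I would drop it. What a responder needs is the join: a Publish is only an exfiltration indicator when the topic has a subscription outside the organization, so put that in the T1537 reason: `"reason": "The message body is delivered to every subscription on the topic; check the topic's subscriptions for external HTTPS, email or cross-account endpoints."`.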
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1580 - Cloud Infrastructure Discovery" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1082 - System Information Discovery", + "reason": "The API retrieves comprehensive details about the managed nodes, including platform name, version, and agent status, which helps in understanding the target system." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The IAM role associated with each managed node can be analyzed to identify and potentially exploit valid credentials, leading to unauthorized access." + }, + { + "technique": "T1018 - Remote System Discovery", + "reason": "IP addresses and system information can be used to discover and map out other systems within the network environment." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SSM/GetParameters.json b/events/SSM/GetParameters.json index d351330..ca01303 100644 --- a/events/SSM/GetParameters.json +++ b/events/SSM/GetParameters.json @@ -11,6 +11,23 @@ "T1526 - Cloud Service Discovery", "T1552 - Unsecured Credentials" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1552 - Unsecured Credentials", + "reason": "The GetParameters API, particularly with decryption enabled, can be used to retrieve sensitive credentials if they are stored in the SSM Parameter Store. This can expose API keys, passwords, or other authentication materials." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "By using GetParameters, an attacker can gather configuration and environment details stored in the parameters, aiding in system information discovery." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "If parameter values include credentials or tokens, the attacker could use them to access valid accounts, facilitating further malicious activity." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ 
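Review bot: `T1552 - Unsecured Credentials` is added to unverifiedMitreAttackTechniques in the GetParameters hunk while it already appears in the verified mitreAttackTechniques list two lines above, so the same technique is now listed as both verified and unverified for this event. Remove the unverified copy. If the point of the new entry was the `WithDecryption` detail, that belongs in the description or as a note on the verified entry, not as a duplicate mapping.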
diff --git a/events/SSM/ResumeSession.json b/events/SSM/ResumeSession.json index c7d3da4..75913d7 100644 --- a/events/SSM/ResumeSession.json +++ b/events/SSM/ResumeSession.json @@ -11,6 +11,23 @@ "T1021 - Remote Services", "T1651 - Cloud Administration Command" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers can use valid credentials to reconnect to a previously disconnected session, allowing them to maintain persistent access to a system without re-authenticating." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "By reconnecting to an active session, attackers can continue to upload malicious tools or scripts to the managed node without needing to initiate a new session, facilitating ongoing exploitation." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The reconnection process uses HTTPS, allowing attackers to maintain an encrypted communication channel, which could be used for executing commands or transferring data during the resumed session." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/SSM/SendCommand.json b/events/SSM/SendCommand.json index b33b872..11b1b09 100644 --- a/events/SSM/SendCommand.json +++ b/events/SSM/SendCommand.json 
@@ -11,6 +11,27 @@ "T1021 - Remote Services", "T1651 - Cloud Administration Command" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The SendCommand API is designed to execute commands on managed nodes, which directly involves the use of command and scripting interpreters to run scripts or commands." + }, + { + "technique": "T1053 - Scheduled Task/Job", + "reason": "The SendCommand API can be used to create or modify scheduled tasks on managed nodes, enabling the execution of commands at specified times, which is essential for maintaining persistence." + }, + { + "technique": "T1105 - Ingress Tool Transfer", + "reason": "Attackers can use SendCommand to download and execute additional tools or payloads on the managed nodes, which is directly relevant to executing commands that facilitate further compromise." + }, + { + "technique": "T1569 - System Services", + "reason": "The SendCommand API can start, stop, or restart system services on managed nodes, allowing for the execution of commands that may serve various purposes, including persistence or privilege escalation." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SSM/StartSession.json b/events/SSM/StartSession.json index d424fdb..fb64702 100644 --- a/events/SSM/StartSession.json +++ b/events/SSM/StartSession.json 
@@ -11,6 +11,23 @@ "T1021 - Remote Services", "T1651 - Cloud Administration Command" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1059 - Command and Scripting Interpreter", + "reason": "The StartSession API allows for establishing a session where commands can be executed on the managed node through a command-line interface. This enables direct interaction with the system, facilitating the execution of scripts or commands remotely." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "The StartSession API requires valid credentials and an authenticated token to initiate a session, allowing access to managed nodes. Attackers with compromised credentials can exploit this to gain unauthorized access to systems." + }, + { + "technique": "T1071 - Application Layer Protocol", + "reason": "The StartSession API uses WebSocket connections over HTTPS, enabling communication with the managed node. This can be leveraged to disguise command and control traffic within regular web traffic, making detection more challenging." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SecretsManager/DescribeSecret.json b/events/SecretsManager/DescribeSecret.json index 0e27e9e..c65becf 100644 --- a/events/SecretsManager/DescribeSecret.json +++ b/events/SecretsManager/DescribeSecret.json 
@@ -9,6 +9,31 @@ "mitreAttackTechniques": [ "T1555 - Credentials from Password Stores" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1087 - Account Discovery", + "reason": "The API call could reveal metadata about the secret, including associated AWS accounts or services, contributing to account discovery." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "Although the secret value is not retrieved, the API may still provide information about the existence and purpose of certain credentials, which could be used to find unsecured credentials elsewhere" + }, + { + "technique": "T1580 - Cloud Storage Object Discovery", + "reason": "Information revealed by the API could point to cloud storage objects associated with the secret, helping to identify and potentially target cloud resources." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "Metadata obtained might give clues about the existence of valid accounts, which could be useful in further attempts to gain unauthorized access." + }, + { + "technique": "T1213 - Data from Information Repositories", + "reason": "Even without the secret value, information from the API could reveal details about data repositories or services that are secured by the secret, which could be exploited in further attacks." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SecretsManager/GetSecretValue.json b/events/SecretsManager/GetSecretValue.json index 24ecd8e..3fbc023 100644 --- a/events/SecretsManager/GetSecretValue.json +++ b/events/SecretsManager/GetSecretValue.json 
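Review bot: `"technique": "T1580 - Cloud Storage Object Discovery"` mislabels T1580, which is Cloud Infrastructure Discovery everywhere else in this diff; Cloud Storage Object Discovery is a separate technique (T1619, if I have the ID right), and neither fits DescribeSecret, whose response carries no storage-object references, so drop the entry. The T1087 reason likewise speaks of "associated AWS accounts", which DescribeSecret does not return — it returns rotation settings, the rotation Lambda ARN, tags and version stages — and the rotation Lambda ARN is the useful pivot, which is a T1526 point rather than T1087: `"reason": "The RotationLambdaARN and tags in the response identify the function and service that consume the secret, pointing the attacker at the next target."`.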
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1555 - Credentials from Password Stores" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1078 - Valid Accounts", + "reason": "Attackers can use retrieved secrets to log into cloud accounts or services, expanding their control over the cloud environment." + }, + { + "technique": "T1580 - Cloud Infrastructure Discovery", + "reason": "Accessing secrets via GetSecretValue provides insights into cloud resource configurations and other details useful for discovering and mapping the cloud infrastructure." + }, + { + "technique": "T1082 - System Information Discovery", + "reason": "Retrieving secrets may give attackers information about the system, such as environment configurations, which helps them understand the environment they are targeting." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SecretsManager/ListSecrets.json b/events/SecretsManager/ListSecrets.json index 5b2b0fa..fe5bf33 100644 --- a/events/SecretsManager/ListSecrets.json +++ b/events/SecretsManager/ListSecrets.json 
@@ -9,6 +9,27 @@ "mitreAttackTechniques": [ "T1555 - Credentials from Password Stores" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1526 - Cloud Service Discovery", + "reason": "The ListSecrets API call allows an attacker to enumerate stored secrets within the AWS environment, facilitating discovery of sensitive information or configurations." + }, + { + "technique": "T1552 - Unsecured Credentials", + "reason": "An attacker listing secrets might identify credentials stored within Secrets Manager, which could lead to unauthorized access if those credentials are not properly secured or rotated." + }, + { + "technique": "T1078 - Valid Accounts", + "reason": "By listing secrets, an attacker could discover credentials for valid accounts stored in Secrets Manager, which could then be used to gain unauthorized access to services or resources." + }, + { + "technique": "T1036 - Masquerading", + "reason": "An attacker could use discovered secrets to masquerade as legitimate tasks or services, blending in with normal operations to avoid detection." + } + ], "usedInWild": true, "incidents": [ { diff --git a/events/SecurityHub/DeleteMembers.json b/events/SecurityHub/DeleteMembers.json index 5816c57..dfd9ddb 100644 --- a/events/SecurityHub/DeleteMembers.json +++ b/events/SecurityHub/DeleteMembers.json 
@@ -9,6 +9,19 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1070 - Indicator Removal", + "reason": "Deleting invited member accounts might be used to cover tracks by eliminating evidence of prior monitoring or alerts associated with those accounts." + }, + { + "technique": "T1531 - Account Access Removal", + "reason": "Deleting member accounts can serve as a way to remove or prevent access to security services and monitoring, effectively denying those accounts access to critical security insights." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/events/SecurityTokenService/AssumeRole.json b/events/SecurityTokenService/AssumeRole.json index 3ca7cf9..960ddc7 100644 --- a/events/SecurityTokenService/AssumeRole.json +++ b/events/SecurityTokenService/AssumeRole.json @@ -11,6 +11,12 @@ "mitreAttackTechniques": [ "T1199 - Trusted Relationship", "T1078 - Valid Accounts" + ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + ], "usedInWild": true, "incidents": [ diff --git a/events/SecurityTokenService/AssumeRoleWithSAML.json b/events/SecurityTokenService/AssumeRoleWithSAML.json index f37b1da..7c2a9ac 100644 --- a/events/SecurityTokenService/AssumeRoleWithSAML.json +++ b/events/SecurityTokenService/AssumeRoleWithSAML.json 
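Review bot: The T1531 reason in the DeleteMembers hunk has the direction backwards: Security Hub DeleteMembers removes member accounts from the administrator account's aggregated view, so it is the administrator and its SOC that lose findings for those accounts, not the members who lose access to anything. The defensive effect is therefore the verified T1562 entry and T1531 Account Access Removal does not apply. If a second entry is kept, T1070 fits only with a reason that states what disappears: `"reason": "Findings from the deleted member accounts stop aggregating into the administrator account, removing them from the central view."`.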
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1199 - Trusted Relationship"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The AssumeRoleWithSAML API call allows attackers to use valid SAML assertions to gain temporary access to AWS resources, enabling them to gain initial access, maintain persistence, or escalate privileges."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "Since SAML authentication typically uses web-based protocols, attackers can use the AssumeRoleWithSAML API call to blend in with legitimate web traffic, making their actions harder to detect."
+ },
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "By using SAML tokens via the AssumeRoleWithSAML API, attackers can authenticate to AWS services without traditional credentials, assisting in defense evasion."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/SecurityTokenService/AssumeRoleWithWebIdentity.json b/events/SecurityTokenService/AssumeRoleWithWebIdentity.json
index 42d1ff8..62cdb42 100644
--- a/events/SecurityTokenService/AssumeRoleWithWebIdentity.json
+++ b/events/SecurityTokenService/AssumeRoleWithWebIdentity.json
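Review bot: T1071 - Application Layer Protocol is a Command and Control technique and does not describe AssumeRoleWithSAML, which is an ordinary call to the STS endpoint like every other entry in this catalog; the entry should go. The abuse case the hunk misses is a forged assertion signed with a stolen IdP signing key (Golden SAML), which is T1606.002 - Forge Web Credentials: SAML Tokens and belongs in the empty `mitreAttackSubTechniques` array, alongside T1078.004 - Cloud Accounts for the valid-assertion case. The T1550 reason could be sharpened the same way: the assertion is the alternate material, and the practical detection is comparing the SAML provider in the event's `requestParameters.principalArn` (verify the field name against a real event) with the IdPs the account is expected to trust.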
@@ -11,6 +11,19 @@
 "T1199 - Trusted Relationship",
 "T1550 - Use Alternate Authentication Material"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The AssumeRoleWithWebIdentity API allows an attacker to gain valid temporary AWS credentials through a web identity provider, enabling them to access AWS services with authenticated permissions."
+ },
+ {
+ "technique": "T1505 - Server Software Component",
+ "reason": "If an attacker has compromised a web application, they can use the AssumeRoleWithWebIdentity API to escalate privileges or maintain persistence by obtaining temporary credentials."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/SecurityTokenService/GetCallerIdentity.json b/events/SecurityTokenService/GetCallerIdentity.json
index b16b462..4cf5a23 100644
--- a/events/SecurityTokenService/GetCallerIdentity.json
+++ b/events/SecurityTokenService/GetCallerIdentity.json
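Review bot: T1505 - Server Software Component covers persistent server-side implants (web shells, IIS modules, database triggers), not a compromised application calling STS, so that entry should be dropped. The sub-technique that matches the token is T1550.001 - Application Access Token, with T1078.004 - Cloud Accounts for the resulting session; both belong in the empty `mitreAttackSubTechniques` array instead of the unverified list. A reason worth recording in place of the T1505 one: the usual misuse is a role trust policy that names the OIDC provider but sets no `aud`/`sub` condition, so any token that provider issues can assume the role, which makes `requestParameters.roleArn` against the set of expected external identities the practical thing to alert on.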
@@ -9,6 +9,27 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "The GetCallerIdentity API call provides detailed information about the IAM user or role making the request, enabling an attacker to understand the current access context and tailor subsequent actions based on available permissions."
+ },
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "By successfully calling GetCallerIdentity, an attacker can confirm that a set of credentials is valid and active, which is essential for leveraging these credentials to access additional resources within the AWS environment."
+ },
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "Attackers can use stolen or compromised credentials to invoke GetCallerIdentity, verifying the legitimacy and scope of these credentials without needing specific permissions, aiding in maintaining unauthorized access."
+ },
+ {
+ "technique": "T1580 - Cloud Infrastructure Discovery",
+ "reason": "The information retrieved can help map out aspects of the cloud environment, such as account numbers and associated roles, providing insight necessary for further reconnaissance and targeted attacks."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/SecurityTokenService/GetFederationToken.json b/events/SecurityTokenService/GetFederationToken.json
index f2c17e3..3525458 100644
--- a/events/SecurityTokenService/GetFederationToken.json
+++ b/events/SecurityTokenService/GetFederationToken.json
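Review bot: T1082 - System Information Discovery is a host technique; the cloud-side equivalent of learning the calling account, user and ARN is T1087.004 - Account Discovery: Cloud Account, the sub-technique of the already-listed T1087, and it belongs in the empty `mitreAttackSubTechniques` array rather than among the unverified entries. The T1550 reason's point that the call needs no permission is correct and is the operationally important fact (it is why stolen keys are tried against it first), but it describes credential validation, not Use Alternate Authentication Material; I would move that sentence into the T1078 reason and drop T1550. T1580 is reasonable to keep.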
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1078 - Valid Accounts"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "The temporary credentials provided by GetFederationToken can serve as alternate authentication tokens, enabling access to various AWS services without relying on long-term credentials, thereby aiding in defense evasion."
+ },
+ {
+ "technique": "T1212 - Exploitation for Credential Access",
+ "reason": "An attacker with access to the credentials of an IAM user could exploit GetFederationToken to generate new credentials, which can be used to escalate their privileges or access other resources."
+ },
+ {
+ "technique": "T1134 - Access Token Manipulation",
+ "reason": "Similar to manipulating access tokens, attackers can use GetFederationToken to create temporary sessions that spoof legitimate access patterns, aiding in evasion and unauthorized access."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/SecurityTokenService/GetSessionToken.json b/events/SecurityTokenService/GetSessionToken.json
index 7202dcc..6ff1f58 100644
--- a/events/SecurityTokenService/GetSessionToken.json
+++ b/events/SecurityTokenService/GetSessionToken.json
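Review bot: T1212 - Exploitation for Credential Access and T1134 - Access Token Manipulation are mis-mapped: T1212 requires exploiting a software vulnerability and T1134 is Windows process-token manipulation, and neither happens when an IAM user's keys are used to mint a federation token. What both reasons actually describe is T1078.004 - Cloud Accounts together with the already-listed T1550, so T1078.004 should fill the empty `mitreAttackSubTechniques` array and the two entries should go. The T1212 reason's "escalate their privileges" is also wrong on its own terms: the returned credentials carry the intersection of the caller's permissions and the `Policy` parameter, so they cannot exceed the caller, and the persistence value is the lifetime (up to 36 hours), not privilege.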
@@ -9,6 +9,19 @@
 "mitreAttackTechniques": [
 "T1199 - Trusted Relationship"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The GetSessionToken API call generates temporary credentials that can be used as valid accounts, allowing an adversary to bypass certain security measures by leveraging these temporary credentials."
+ },
+ {
+ "technique": "T1550 - Use Alternate Authentication Material",
+ "reason": "The temporary credentials from GetSessionToken can act as alternative authentication material, enabling attackers to maintain access without the need to use the compromised long-term credentials again, thus evading certain detection mechanisms."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/ServiceQuotas/ListServiceQuotas.json b/events/ServiceQuotas/ListServiceQuotas.json
index e909571..eb50f1e 100644
--- a/events/ServiceQuotas/ListServiceQuotas.json
+++ b/events/ServiceQuotas/ListServiceQuotas.json
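Review bot: The T1550 reason's claim that the session frees the attacker from reusing the compromised long-term keys needs a caveat: the session credentials inherit the user's permissions and expire (12 hours by default, 36 hours at most for an IAM user), so this is time-boxed persistence, not independence from the stolen keys. The evasion that actually matters is that a GetSessionToken call made with `SerialNumber` and `TokenCode` yields a session that satisfies `aws:MultiFactorAuthPresent` conditions, so keys plus a single captured MFA code pass MFA-gated policies for the session lifetime; the T1078 reason's "bypass certain security measures" should say that concretely, and the detection should look for the MFA device in `requestParameters` (verify that `serialNumber` is logged there). T1078.004 - Cloud Accounts belongs in the empty `mitreAttackSubTechniques` array.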
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1087 - Account Discovery"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1082 - System Information Discovery",
+ "reason": "Listing service quotas provides detailed information about the configuration and resource limits within an AWS environment. This information helps attackers understand the system's structure, enabling them to identify potential areas for exploitation or further reconnaissance."
+ },
+ {
+ "technique": "T1069 - Permission Groups Discovery",
+ "reason": "Filtering by account or resource level when retrieving quotas may expose details about which permissions are associated with different accounts or roles."
+ },
+ {
+ "technique": "T1007 - System Service Discovery",
+ "reason": "Listing quotas can reveal which AWS services are in use and their configurations, helping attackers map out the environment and understand what services are available."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/ServiceQuotas/RequestServiceQuotaIncrease.json b/events/ServiceQuotas/RequestServiceQuotaIncrease.json
index 0ba7233..4abb1f2 100644
--- a/events/ServiceQuotas/RequestServiceQuotaIncrease.json
+++ b/events/ServiceQuotas/RequestServiceQuotaIncrease.json
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1496 - Resource Hijacking"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1583 - Acquire Infrastructure",
+ "reason": "The API allows for requesting additional resources, enabling the attacker to develop infrastructure needed for further malicious activities."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/SignIn/ConsoleLogin.json b/events/SignIn/ConsoleLogin.json
index f09baab..68cd1c2 100644
--- a/events/SignIn/ConsoleLogin.json
+++ b/events/SignIn/ConsoleLogin.json
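Review bot: The T1069 - Permission Groups Discovery reason is factually wrong and the entry should be removed: ListServiceQuotas returns quota codes, values and whether each is adjustable, and nothing about which permissions, groups or roles any account holds. T1007 - System Service Discovery is a host technique; the cloud-side mapping for learning which services and limits exist is T1526 - Cloud Service Discovery, which I would put in its place. A caveat worth adding to the remaining reasons is that this call commonly precedes RequestServiceQuotaIncrease in cryptomining intrusions, so the two are best correlated per calling identity rather than alerted on separately.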
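Review bot: T1583 - Acquire Infrastructure is a Resource Development technique for infrastructure the adversary buys or rents under their own control before the intrusion; raising a victim's quota so more instances can be launched is the already-listed T1496 - Resource Hijacking, so the new entry should be dropped rather than carried as unverified. If sub-technique granularity is wanted, current ATT&CK versions split T1496 into T1496.001 - Compute Hijacking, which would fit the empty `mitreAttackSubTechniques` array (confirm against the ATT&CK version this catalog tracks).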
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1078 - Valid Accounts"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1199 - Trusted Relationship",
+ "reason": "An attacker might exploit trusted relationships between accounts, leading to a console login that can be traced back to an initial access attempt."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/SignIn/GetSigninToken.json b/events/SignIn/GetSigninToken.json
index fe74861..6b7cab0 100644
--- a/events/SignIn/GetSigninToken.json
+++ b/events/SignIn/GetSigninToken.json
@@ -8,6 +8,12 @@
 ],
 "mitreAttackTechniques": [
 "T1078 - Valid Accounts"
+ ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+
 ],
 "usedInWild": true,
 "incidents": [
diff --git a/events/SignIn/PasswordRecoveryRequested .json b/events/SignIn/PasswordRecoveryRequested .json
index bec753b..3ec5411 100644
--- a/events/SignIn/PasswordRecoveryRequested .json
+++ b/events/SignIn/PasswordRecoveryRequested .json
@@ -1,5 +1,5 @@
 {
- "eventName": "PasswordRecoveryRequested ",
+ "eventName": "PasswordRecoveryRequested",
 "eventSource": "signin.amazonaws.com",
 "awsService": "SignIn",
 "description": "This is the CloudTrail event generated when you request a password recovery.",
@@ -9,6 +9,15 @@
 "mitreAttackTechniques": [
 "T1078 - Valid Accounts"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1212 - Exploitation for Credential Access",
+ "reason": "The password recovery process could be manipulated or exploited to gain access to credentials, especially if the attacker can intercept or redirect the recovery process."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/SignIn/SwitchRole.json b/events/SignIn/SwitchRole.json
index 7f67558..63aee14 100644
--- a/events/SignIn/SwitchRole.json
+++ b/events/SignIn/SwitchRole.json
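Review bot: T1199 - Trusted Relationship does not describe a console login, which is direct use of a credential by whoever holds it, and the reason names no relationship at all; drop it. The sub-technique that fits is T1078.004 - Cloud Accounts and it belongs in the empty `mitreAttackSubTechniques` array. A reason worth recording in its place is that the event's `additionalEventData.MFAUsed` and `responseElements.ConsoleLogin` (`Success`/`Failure`) fields are what separate a stolen-password login from a routine one, assuming this file's alerting section, which is outside the hunk, does not already say so.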
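Review bot: Fixing the `eventName` value leaves the file itself misnamed: the header shows the path is still `events/SignIn/PasswordRecoveryRequested .json` with a trailing space on both sides of the diff, so tooling that keys on the filename, and anyone typing the path, will keep missing it; rename it with `git mv` in the same change. On this file's second hunk, T1212 - Exploitation for Credential Access needs a vulnerability to exploit; turning the recovery flow against the account owner is a legitimate account function being abused, which ATT&CK files under T1098 - Account Manipulation, with T1078.004 - Cloud Accounts for the session that results.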
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1021 - Remote Services"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The SwitchRole API call indicates that a user is leveraging valid credentials to access different roles, which could be used for maintaining persistence, evading detection, or moving laterally within the AWS environment."
+ },
+ {
+ "technique": "T1068 - Exploitation for Privilege Escalation",
+ "reason": "Switching to a role with higher privileges could be an attempt to escalate privileges within the AWS environment."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "The API call might be used to masquerade as a different user or role, enabling an attacker to carry out malicious activities under the guise of a legitimate user."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/TransferFamily/CreateServer.json b/events/TransferFamily/CreateServer.json
index c6267b8..cc92eab 100644
--- a/events/TransferFamily/CreateServer.json
+++ b/events/TransferFamily/CreateServer.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1537 - Transfer Data to Cloud Account"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "The server creation process may involve generating or utilizing valid credentials, which can be leveraged by attackers to gain unauthorized access to the system."
+ },
+ {
+ "technique": "T1071 - Application Layer Protocol",
+ "reason": "The server can be used to facilitate command and control communications using standard file transfer protocols (e.g., SFTP, FTPS), which are application layer protocols."
+ },
+ {
+ "technique": "T1562 - Impair Defenses",
+ "reason": "Attackers could configure the server to allow them to access from the internet to S3 files."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
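Review bot: T1068 - Exploitation for Privilege Escalation is wrong for SwitchRole: no vulnerability is exploited, the user is exercising an `sts:AssumeRole` permission the role's trust policy already grants them. The sub-technique that describes switching into a more privileged role is T1548.005 - Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access, with T1078.004 - Cloud Accounts for the credential side; both belong in the empty `mitreAttackSubTechniques` array. T1036 - Masquerading does not hold either, because CloudTrail records SwitchRole under the originating user and the console derives the role session name from that user, so the later actions stay attributable; I would drop it.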
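Review bot: The T1562 - Impair Defenses reason describes exposing S3 through an internet-facing SFTP endpoint, which is an access or exfiltration path, not the disabling of a defense; that is T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol or simply the already-listed T1537, so replace the entry rather than keep it as unverified. T1071 - Application Layer Protocol is a C2 mapping and a Transfer Family server is not a C2 channel; drop it. What is worth keeping in their place is the operational point: an attacker-created server with a public endpoint and its own identity provider reaches the bucket through the server's user role rather than the victim's IAM users, so the fields to alert on are the endpoint type, identity provider type and logging role in `requestParameters`.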
diff --git a/events/TransferFamily/CreateUser.json b/events/TransferFamily/CreateUser.json
index a459691..e36c443 100644
--- a/events/TransferFamily/CreateUser.json
+++ b/events/TransferFamily/CreateUser.json
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1537 - Transfer Data to Cloud Account"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1078 - Valid Accounts",
+ "reason": "Creating a user in the Transfer Family service results in valid credentials that could be exploited for unauthorized access."
+ },
+ {
+ "technique": "T1136 - Create Account",
+ "reason": "The CreateUser API call involves the creation of a new account, which can be used by attackers to establish persistence in the environment."
+ },
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "The creation of a new user account allows for the potential manipulation of user roles or permissions, enabling privilege escalation."
+ }
+ ],
 "usedInWild": true,
 "incidents": [
 {
diff --git a/events/WAFV2/DeleteRuleGroup.json b/events/WAFV2/DeleteRuleGroup.json
index 1255af4..a066a17 100644
--- a/events/WAFV2/DeleteRuleGroup.json
+++ b/events/WAFV2/DeleteRuleGroup.json
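Review bot: T1136.003 - Create Account: Cloud Account is the sub-technique this event maps to and it should fill the empty `mitreAttackSubTechniques` array instead of leaving the parent T1136 in the unverified list. The T1098 - Account Manipulation reason is circular (creating an account "allows for the potential manipulation" of it) and names no permission change, so drop it. A caveat for the T1078 reason: a Transfer Family user is a service-local SFTP identity (an SSH public key plus a `Role` the server assumes for S3 or EFS access), not an IAM principal, so the persistence it buys is data access through that role; `requestParameters.role`, `homeDirectory` and the supplied public key are the fields to alert on.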
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1098 - Account Manipulation",
+ "reason": "By deleting a RuleGroup that is crucial for access management, an attacker could manipulate accounts or credentials to bypass security controls."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Removing critical firewall rules could lead to a Denial of Service (DoS) by allowing malicious traffic to overwhelm the system or service endpoints."
+ },
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/WAFV2/DeleteWebACL.json b/events/WAFV2/DeleteWebACL.json
index 7a54b26..1eab229 100644
--- a/events/WAFV2/DeleteWebACL.json
+++ b/events/WAFV2/DeleteWebACL.json
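Review bot: T1098 - Account Manipulation does not apply: a WAF rule group filters HTTP requests and touches no account or credential, so the entry should go. The sub-technique this event is actually an instance of is T1562.007 - Disable or Modify Cloud Firewall, which belongs in the empty `mitreAttackSubTechniques` array: `"mitreAttackSubTechniques": ["T1562.007 - Disable or Modify Cloud Firewall"]`. One caveat for the remaining reasons: WAFv2 refuses to delete a rule group that a web ACL still references, so the deletion has to be preceded by an UpdateWebACL that drops the reference, and a detection should correlate the two from the same identity rather than alert on DeleteRuleGroup alone.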
@@ -9,6 +9,23 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
+ "mitreAttackSubTechniques": [
+
+ ],
+ "unverifiedMitreAttackTechniques": [
+ {
+ "technique": "T1070 - Indicator Removal",
+ "reason": "Deleting the WebACL after disassociating it from resources could be used to remove evidence of previous configurations that could have logged or blocked malicious activity."
+ },
+ {
+ "technique": "T1036 - Masquerading",
+ "reason": "By deleting the WebACL, an attacker could attempt to make malicious traffic appear legitimate by removing the security policies that would identify or block it."
+ },
+ {
+ "technique": "T1499 - Endpoint Denial of Service",
+ "reason": "Deleting critical WebACL protections, especially after disassociating them from resources, may increase the likelihood of successful DoS attacks against those now-unprotected resources, affecting service availability."
+ }
+ ],
 "usedInWild": false,
 "incidents": [],
 "researchLinks": [
diff --git a/events/WAFV2/UpdateIPSet.json b/events/WAFV2/UpdateIPSet.json
index 6d44547..06ca463 100644
--- a/events/WAFV2/UpdateIPSet.json
+++ b/events/WAFV2/UpdateIPSet.json
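Review bot: T1562.007 - Disable or Modify Cloud Firewall is the sub-technique this event maps to and it should fill the empty `mitreAttackSubTechniques` array; all three reasons in this hunk describe it. T1036 - Masquerading does not fit: removing the policy that would have blocked traffic makes nothing look like something else, it removes the control, which is already covered by T1562. The "after disassociating it from resources" detail in the T1070 reason is the operationally useful part, since DeleteWebACL fails while the ACL is still attached, so DisassociateWebACL (or, for CloudFront, an UpdateDistribution that clears the web ACL) followed by DeleteWebACL from the same identity is the sequence to alert on; T1499 is a plausible keep.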
@@ -9,6 +9,23 @@ "mitreAttackTechniques": [ "T1562 - Impair Defenses" ], + "mitreAttackSubTechniques": [ + + ], + "unverifiedMitreAttackTechniques": [ + { + "technique": "T1071 - Application Layer Protocol", + "reason": "By updating an IPSet to allow or block specific IP addresses, an attacker can manipulate web traffic to facilitate or evade detection during Command and Control activities." + }, + { + "technique": "T1489 - Service Stop", + "reason": "An attacker could update the IPSet to block access to critical services, effectively stopping them by denying network access. This is relevant because the API call can alter IP address permissions, potentially disrupting service availability." + }, + { + "technique": "T1499 - Endpoint Denial of Service", + "reason": "By modifying the IPSet to block or allow certain IP addresses, an attacker could cause a Denial of Service (DoS) attack by either overwhelming a service with traffic or cutting off access to legitimate users." + } + ], "usedInWild": false, "incidents": [], "researchLinks": [ diff --git a/tools/generateCSVfromEvents.py b/tools/generateCSVfromEvents.py index 3b8e36f..8ae60ba 100644 --- a/tools/generateCSVfromEvents.py +++ b/tools/generateCSVfromEvents.py @@ -24,7 +24,7 @@ def compile_events(directory): def generate_csv(): # Define CSV headers - headers = ["eventName", "eventSource", "awsService", "description", "mitreAttackTactics", "mitreAttackTechniques", "usedInWild", "incidents", "researchLinks", "securityImplications", "alerting", "simulation", "permissions"] + headers = ["eventName", "eventSource", "awsService", "description", "mitreAttackTactics", "mitreAttackTechniques","mitreAttackSubTechniques", "usedInWild", "incidents", "researchLinks", "securityImplications", "alerting", "simulation", "permissions", "unverifiedMitreAttackTechniques"] with open(csv_file, mode='w', newline='') as file: writer = csv.DictWriter(file, fieldnames=headers) 
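Review bot: T1071 - Application Layer Protocol and T1489 - Service Stop are mis-mapped: editing an IP set creates no C2 channel and stops no service, and the T1499 reason's "overwhelming a service with traffic" is not something an IP set change does either. The event is T1562.007 - Disable or Modify Cloud Firewall, which belongs in the empty `mitreAttackSubTechniques` array. The caveat a detection needs is that UpdateIPSet replaces the whole address list, so `requestParameters.addresses` is the complete new set; an attacker adding their own address to an allow-list set or removing it from a block-list set is found by diffing that list against the previous value, not by looking at the call in isolation.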
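Review bot: A point of style in the new `headers` list: the comma between `"mitreAttackTechniques"` and `"mitreAttackSubTechniques"` lost its following space, unlike every other element, so `"mitreAttackTechniques", "mitreAttackSubTechniques"` for consistency. The list is now long enough that one column name per line would keep future additions reviewable. `generate_csv` continues past the end of this hunk.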
@@ -34,10 +34,12 @@ def generate_csv(): # Flatten lists into strings event['mitreAttackTactics'] = ', '.join(event['mitreAttackTactics']) event['mitreAttackTechniques'] = ', '.join(event['mitreAttackTechniques']) + event['mitreAttackSubTechniques'] = ', '.join(event['mitreAttackSubTechniques']) event['incidents'] = json.dumps(event['incidents']) event['researchLinks'] = json.dumps(event['researchLinks']) event['alerting'] = json.dumps(event['alerting']) event['simulation'] = json.dumps(event['simulation']) + event['unverifiedMitreAttackTechniques'] = json.dumps(event['unverifiedMitreAttackTechniques']) # Write event data writer.writerow(event)
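Review bot: `event['mitreAttackSubTechniques']` and `event['unverifiedMitreAttackTechniques']` raise `KeyError` for any event JSON that has not yet been given the two new keys, so a single stale file now breaks the whole CSV build; the older keys were presumably always present, but nothing guarantees the new ones are. Use `event['mitreAttackSubTechniques'] = ', '.join(event.get('mitreAttackSubTechniques', []))` and `event['unverifiedMitreAttackTechniques'] = json.dumps(event.get('unverifiedMitreAttackTechniques', []))`. Since the reason strings are free text headed for a spreadsheet, a comment noting that a value starting with `=`, `+`, `-` or `@` would be treated as a formula by Excel and similar tools is worth adding here (none of the reasons in this diff do, but the file is edited by hand). `generate_csv` starts outside this hunk.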