update TTPs for AWS Services #11
Conversation
starting wth A
|
I'm open for suggestions. :) |
Next is refactoring services from A-C
…nto improve-ATT&CK-mapping
to add skeleton
Next are services starting with E
All other services starting with E should not be that long.
Moving to AWS Services starting with G. Those should be Glue and GuardDuty.
Next is IAM
next is KMS
Next is the organizations service.
next is RDS and ResourceExplorer
Next is S3
Just a few more entries :)
…nto improve-ATT&CK-mapping
There was a problem hiding this comment.
I’m reviewing here approximately 70 files (I'll add more reviews in the next few days). The amount of work done here is incredible, THANKS a lot! This adds significant value, as the unverified sub-techniques provide a broader perspective on potential attacks involving specific API calls.
I’ve included some comments on certain techniques that, although they might match attack patterns, I believe could cause confusion due to the nature of the technique and how MITRE describes them. In some cases, I think it may be better to limit the number of techniques to avoid confusion, but that’s just my opinion.
events/AppSync/CreateApiKey.json
Outdated
| "technique": "T1056.004 - Credential API Hooking", | ||
| "reason": "Attackers may hook into the API key creation process to intercept and use these credentials for unauthorized access." |
There was a problem hiding this comment.
I belive this sub-technique is only windows focused and might cause confusion adding it here. Even if an attacker can intercept traffic to this API I wouldn't consider it hooking.
There was a problem hiding this comment.
Sure, will remove it. I had it included because "Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials."
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "The API call might be used to modify or obfuscate logs and configurations to avoid detection." |
There was a problem hiding this comment.
This technique is about making "an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit"
As this are not files from an operative system, I'm not sure if this applies.
There was a problem hiding this comment.
I am unsure why MITRE named it "Obfuscated Files or Information" and then did not have a reference on obfuscated information. The best I could find is
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]
I admit it may not be the best match, but I thought to give it a try.
There was a problem hiding this comment.
In some way, I can see adding obfuscated code in the configuration or creating an endpoint for doing this. I see it too complex for an attack but is true that can happen.
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms." |
There was a problem hiding this comment.
As in the previous comment about this technique, I think it is focused on files on a files system. I think even knowing the configuration, this technique won't happen as the files won't be in a filesystem.
There was a problem hiding this comment.
See my previous comment. If you think it should be removed I'll do it.
There was a problem hiding this comment.
I think I see your point, maybe knowing the configuration, you'll act in a way that logs won't contain enough information to be useful and this might be considered obfuscation. I have no strong opinion on removing or not, my comments in general are to raise questions on techniques that I have more problems seeing the relationship and because of this, I wonder if this is going to help or might generate confusion.
There was a problem hiding this comment.
I do appreciate your insights & comments. I do not have a strong opinion on it either.
| { | ||
| "technique": "T1106 - Native API", | ||
| "reason": "The creation of a CloudFront function involves direct interaction with AWS APIs, potentially leveraging native functionalities." |
There was a problem hiding this comment.
I think the native API technique focueses only on native OS application programming interface.
There was a problem hiding this comment.
You are right on that. My thought process was that inside AWS this is the native API. Maybe the framework needs to have something similar for cloud and container environments.
There was a problem hiding this comment.
I agree, I think there might be a lack of cloud-related techniques in MITRE framework but I think it is also because MITRE only has techniques that come from real-word observations, and cloud attacks are still "basic". So as with most of my other comments, I'm not saying is bad but it might generate confusion based on MITRE techniques description and scope.
There was a problem hiding this comment.
I will remove it for now. If it is still needed we can bring it back.
| "technique": "T1040 - Network Sniffing", | ||
| "reason": "By analyzing flow logs, attackers can infer traffic patterns and potentially sensitive information about network communications" |
There was a problem hiding this comment.
Not sure if this can be classified as network sniffing. But maybe in some scenarios by looking at the traffic and its IPs an attacker can know the webs/services being used.
There was a problem hiding this comment.
Not only that. One could also see what kind of activity is being done with the service. If you type in a command via hand over SSH it is transmitted not that fast compared to when a script is doing it. Such things are possible with a bit of traditional machine learning.
events/EC2/DescribeImages.json
Outdated
| { | ||
| "technique": "T1496 - Resource Hijacking", | ||
| "reason": "By understanding the available images, an attacker could hijack resources by creating instances using these images for malicious activities such as cryptocurrency mining." | ||
| }, | ||
| { | ||
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "Attackers can use knowledge about available images to obfuscate their activities by using less monitored or unusual images" | ||
| }, | ||
| { | ||
| "technique": "T1562 - Impair Defenses", | ||
| "reason": "By identifying specific images that might have security tools, attackers can choose to avoid those images or disable the security tools present in them" | ||
| }, |
There was a problem hiding this comment.
I think even if the describeImages can provide some information for attackers to do any of these techniques, I don't see them as strictly related.
There was a problem hiding this comment.
Point taken. I will remove those.
| "technique": "T1202 - Indirect Command Execution", | ||
| "reason": "By using DescribeImages, attackers can identify images that may allow them to indirectly execute commands through specific software or configurations present in the images" |
There was a problem hiding this comment.
I don't see how the information provided by DescribeImages can allow for indirect command execution. At least, I see it as very difficult as the information provided by the API is limited.
There was a problem hiding this comment.
I will remove it. My thoughts were that one could select an AMI image where you have something like a command interpreter already exposed which one could use for command execution.
events/EC2/DescribeImages.json
Outdated
| "technique": "Using DescribeImages helps attackers discover available cloud services, their configurations, and associated resources.", | ||
| "reason": "Attackers can use DescribeImages to identify and exploit vulnerabilities in the software dependencies and development tools used within specific images, leading to a supply chain compromise" |
There was a problem hiding this comment.
The technique here is the reason from the previous tehcnique
There was a problem hiding this comment.
That was a copy/Paste error. Next push will fix this. It should have been T1195 - Supply Chain Compromise.
events/EC2/DescribeInstances.json
Outdated
| "technique": "T1078 - Valid Accounts", | ||
| "reason": "Information obtained from DescribeInstances can help an adversary identify valid user accounts and their associated permissions, especially if they are looking for accounts with elevated privileges." |
There was a problem hiding this comment.
I think the Valid Accounts technique focuses on the use of valid accounts. In this case, DescribeInstances does not help to get or use Valid accounts.
There was a problem hiding this comment.
Point taken. Removed.
and remove other erros - Part 1
|
I do think that is most cases you are right and i will delete the offending techniques. For me this is all a learning experience. Therefore I am glad about the feedback. |
…nto improve-ATT&CK-mapping
events/EC2/DescribeKeyPairs.json
Outdated
| "technique": "T1078 - Valid Accounts", | ||
| "reason": "Accessing key pairs allows attackers to use valid credentials to authenticate and access systems, leading to potential unauthorized use of valid accounts." |
There was a problem hiding this comment.
DescribeKeyPairs only gives you the fingerprint but nothing valuable that can be used for accessing the ec2.
There was a problem hiding this comment.
Good point. I will remove that.
events/EC2/DescribeKeyPairs.json
Outdated
| "technique": "T1530 - Data from Cloud Storage Object", | ||
| "reason": "If key pairs are stored in cloud storage, an attacker could retrieve these key pairs, potentially leading to unauthorized access." |
There was a problem hiding this comment.
DescribeKeyPairs only gives information that can't be used for authentication https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_KeyPairInfo.html
There was a problem hiding this comment.
Good point. Removed.
events/EC2/DescribeRegions.json
Outdated
| "technique": "T1213 - Data from Information Repositories", | ||
| "reason": "DescribeRegions provides metadata about regions, which can be seen as a form of information repository. Attackers may gather this data to understand the environment better." |
There was a problem hiding this comment.
I0m not sure I can see a region as a repository. I think a region is much more than a repository of information.
There was a problem hiding this comment.
It seems that I have written it in a poor way. My thought was that the regional metadata which is returned is an information repository.
| "technique": "T1106 - Native API", | ||
| "reason": "Utilizing native AWS APIs to gather configuration data is a method for defense evasion, blending in with regular activity." |
There was a problem hiding this comment.
T1106 refers to native IOS API so I believe this might cause confusion.
There was a problem hiding this comment.
Yeah I can see your point. My thought process that the API that AWS exposes is the native OS API for the cloud environment one is in.
| "technique": "T1190 - Exploit Public-Facing Application", | ||
| "reason": "" |
There was a problem hiding this comment.
I think you can gather information for later exploiting but with the describe you won't be able to exploit any app.
There was a problem hiding this comment.
Also I forgot to put in an explanation. My explanation I forgot to put in was
If security group rules expose public-facing applications or resources, adversaries may identify these applications as targets for exploitation. The DescribeSecurityGroups API call helps identify such applications by revealing permissive rules.
I will remove it.
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "Modifying snapshot permissions could be used to remove legitimate access, disrupting recovery efforts, and aiding in defense evasion." |
There was a problem hiding this comment.
I don't see a way to prevent access to accounts to AWS. Even to this snapshot.
There was a problem hiding this comment.
I'll remove it for now.
events/EC2/RunInstances.json
Outdated
| "technique": "T1133 - External Remote Services", | ||
| "reason": "Instances can be accessed and controlled remotely, facilitating initial access and persistent control over the cloud environment through remote services." |
There was a problem hiding this comment.
Do you mean like, creating an EC2 that is a VPN and because of this getting persistence?
There was a problem hiding this comment.
Yeah. an EC2 that is acting as a kind of VPN.
| "technique": "T1053 - Scheduled Task/Job", | ||
| "reason": "Attackers could set up scheduled tasks or jobs on the EC2 instance to maintain persistence after gaining access." |
There was a problem hiding this comment.
I see this as something that will happen once an attacker has access to the EC2 and in this case all techniques related to the OS of the EC2 will be valid. So I don't see this one related to this API call.
There was a problem hiding this comment.
Point taken. I will remove it.
| "technique": "T1105 - Ingress Tool Transfer", | ||
| "reason": "Attackers may transfer additional tools to the EC2 instance to facilitate further actions." |
There was a problem hiding this comment.
Similar to T1053, I see this as something that happens after but not related to this API call.
There was a problem hiding this comment.
Point taken. I will remove it.
| }, | ||
| { | ||
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms" |
There was a problem hiding this comment.
The way you see this is all information is stored in an e2 and then exfiltrated via a snapshot?
There was a problem hiding this comment.
Yes. That is the way I thought.
| }, | ||
| { | ||
| "technique": "T1556 - Modify Authentication Process", | ||
| "reason": "The AWS CreateService API call can be used to create tasks that modify authentication processes within a cloud environment." |
There was a problem hiding this comment.
I'm not sure how the CreateService can help with this. If it is because the ECS has more privileges than the current user then I would go for a privilege scalation technique. If it is doing the change via the ECS just because of its IP, then probably the proxy that is already added here is enough.
There was a problem hiding this comment.
What do you think about creating a task that proxies or monitors user uthentication requests?
| "technique": "T1203 - Exploitation for Client Execution", | ||
| "reason": "Task definitions might be crafted to exploit vulnerabilities within the container runtime or application, leading to execution" |
There was a problem hiding this comment.
I think this technique is only aboud exploiting code for RCE
There was a problem hiding this comment.
Point taken. I will remove it.
events/EFS/DeleteFileSystem.json
Outdated
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "Deleting an EFS file system cuts off access to the data for all users and systems that rely on it. This action effectively removes the ability to access critical resources, potentially disrupting operations." |
There was a problem hiding this comment.
I think the other mentioned techniques cover the deletion of data. In this case, I think AWS accounts will still be able to access just that the EFS won't be there
There was a problem hiding this comment.
Good point. I will remove that.
events/EFS/DeleteMountTarget.json
Outdated
| "technique": "T1496 - Resource Hijacking", | ||
| "reason": "Deleting mount targets can free up resources, potentially redirecting them to other malicious activities or hindering legitimate use, indirectly impacting operations." |
There was a problem hiding this comment.
Not sure about this one. I don't see how DeleteMountTarget can be abused for resource hijacking.
There was a problem hiding this comment.
It had something to do with quotas. After some thought I am going to remove that.
| "technique": "T1003 - OS Credential Dumping", | ||
| "reason": "Modifying access policies might allow attackers to gain access to sensitive areas of the system where they can extract credentials." |
There was a problem hiding this comment.
Not sure how the AssociateAccessPolicy can help attackers with OS credential dumping.
There was a problem hiding this comment.
Add a access policy that allows executing into pods and then grabbing their OS credentials would be one way to do it.
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "Removing targets from EventBridge rules can prevent specific users or roles from being notified or triggered, effectively removing their access to critical information or actions." |
There was a problem hiding this comment.
Agree with the reason but this matches the impaired defenses. The accounts are still able to log in, the problem is that they won't receive a notification.
There was a problem hiding this comment.
I will remove it.
events/Glue/CreateDevEndpoint.json
Outdated
| "technique": "T1106 - Native API", | ||
| "reason": "Using the AWS Glue API to create development endpoints can facilitate malicious actions within the AWS environment by leveraging legitimate service functionalities." |
There was a problem hiding this comment.
This technique only applies to OS API not to API in general.
events/Glue/CreateDevEndpoint.json
Outdated
| "technique": "T1136 - Create Account", | ||
| "reason": "Attackers can create new accounts with permissions to create and use development endpoints, facilitating unauthorized access and persistence in the environment." | ||
| }, | ||
| { | ||
| "technique": "T1053 - Scheduled Task/Job", | ||
| "reason": "cheduling jobs on the development endpoint ensures that malicious payloads or scripts are executed at specific times, aiding in persistence and automated execution." |
There was a problem hiding this comment.
Not sure about these 2, CreateDevEndpoint does not help in the creation of new accounts and neither it can help to schedule tasks or jobs.
There was a problem hiding this comment.
Agreed. I will remove those two.
events/Glue/UpdateDevEndpoint.json
Outdated
| "technique": "T1106 - Native API", | ||
| "reason": "The development endpoint update might utilize native APIs for malicious purposes, including privilege escalation or evasion." | ||
| }, | ||
| { | ||
| "technique": "T1053 - Scheduled Task/Job", | ||
| "reason": "UpdateDevEndpoint could be used to create or modify scheduled tasks that ensure malicious scripts are run periodically." | ||
| }, |
There was a problem hiding this comment.
Native API it is only for OS API. The scheduled Tasks job technique . I'm not sure I understand how this endpoint might help with this.
There was a problem hiding this comment.
I'll remove those two for now.
events/Glue/UpdateJob.json
Outdated
| "technique": "T1484 - Domain or Tenant Policy Modification", | ||
| "reason": "Adversaries can change job definitions to alter the behavior of the Glue job, affecting the overall data processing policies and workflows within the AWS environment." |
There was a problem hiding this comment.
This technique seems to much related with AD or Trust policies between domain, for this reason I'm not sure this one matches here.
There was a problem hiding this comment.
I am also a byte unsure. I will remove it for now.
events/GuardDuty/CreateFilter.json
Outdated
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "Adversaries can create filters that suppress alerts for file deletion activities, allowing them to remove indicators of their presence without triggering alarms." |
There was a problem hiding this comment.
I think this is Impair Defenses. As the action does not allow removing anything but impacts the defenses ( triggering alerts)
There was a problem hiding this comment.
Ok, will remove that. I will add T1562.001 - Impair Defenses: Disable or Modify Tools as a subtechnique instead.
events/GuardDuty/DeleteMembers.json
Outdated
| "unverifiedMitreAttackTechniques": [ | ||
| { | ||
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "Deleting GuardDuty member accounts can prevent legitimate users from accessing the service, thus disrupting monitoring and security alerts." |
There was a problem hiding this comment.
| "reason": "Deleting GuardDuty member accounts can prevent legitimate users from accessing the service, thus disrupting monitoring and security alerts." | |
| "reason": "Deleting GuardDuty member accounts can prevent legitimate accounts from getting data from member accounts, thus disrupting monitoring and security alerts." |
There was a problem hiding this comment.
Suggestion is applied in next commit.
| "unverifiedMitreAttackTechniques": [ | ||
| { | ||
| "technique": "T1485 - Data Destruction", | ||
| "reason": "Although not directly data destruction, it disrupts the availability of security logs which could be considered an impact on the integrity and availability of logging data." |
There was a problem hiding this comment.
I think this is what Impair defense covers.
There was a problem hiding this comment.
Yeah. I will remove that.
| }, | ||
| { | ||
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "Deleting the publishing destination can prevent security personnel from receiving critical alerts, effectively limiting their ability to respond to threats. This action reduces the ability to monitor and manage GuardDuty findings, thereby diminishing the security team's control over the environment." |
There was a problem hiding this comment.
I think this is also part of Impair defenses, because users can still access the AWS account
There was a problem hiding this comment.
I will remove that too.
| }, | ||
| { | ||
| "technique": "T1485 - Data Destruction", | ||
| "reason": "By disassociating the account, attackers may intend to evade detection and subsequently destroy data within the compromised account without triggering alerts in the central monitoring account." |
There was a problem hiding this comment.
I think this and Data Manipulation is just part of what can happen after, but the event itself help as mentioned in the reason to evade detection so it Impair defenses.
events/IAM/PutUserPolicy.json
Outdated
| "unverifiedMitreAttackTechniques": [ | ||
| { | ||
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "Updating inline policies can help adversaries evade detection by altering the permissions without creating new, noticeable accounts." |
There was a problem hiding this comment.
Also, it is not clear to me how adding a policy you might be removing evidence of their presence. I can see Impair defenses by maybe adding a policy that denies access.
events/IAM/PutUserPolicy.json
Outdated
| "technique": "Adversaries may use PutUserPolicy to remove access rights for legitimate users, causing disruption.", | ||
| "reason": "If an adversary can modify policies to grant administrative privileges, they effectively escalate their privileges." |
There was a problem hiding this comment.
This seems like privilege escalation
There was a problem hiding this comment.
It was T1068 - Exploitation for Privilege Escalation. Fixed in next commit.
| "unverifiedMitreAttackTechniques": [ | ||
| { | ||
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "Modifying the policy's default version can be used to evade detection by altering the policies that would trigger alarms or logs." |
There was a problem hiding this comment.
| "reason": "Modifying the policy's default version can be used to evade detection by altering the policies that would trigger alarms or logs." | |
| "reason": "Modifying the policy's default version can be used to evade detection by setting the policy version that was in place before the attack." |
There was a problem hiding this comment.
Suggestion added in next commit.
events/IAM/UpdateAccessKey.json
Outdated
| "unverifiedMitreAttackTechniques": [ | ||
| { | ||
| "technique": "T1070. - Indicator Removal", | ||
| "reason": "Disabling keys can be a tactic to remove indicators of compromise, preventing detection and forensic analysis." |
There was a problem hiding this comment.
| "reason": "Disabling keys can be a tactic to remove indicators of compromise, preventing detection and forensic analysis." | |
| "reason": "Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis." |
There was a problem hiding this comment.
Added suggestion to next commit.
| }, | ||
| { | ||
| "technique": "T1036 - Masquerading", | ||
| "reason": "T1036.005] - Masquerading" |
There was a problem hiding this comment.
| "reason": "T1036.005] - Masquerading" | |
| "reason": "Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate" |
There was a problem hiding this comment.
Whoops that was a copy/Paste error. Thank you for the suggestion!
| }, | ||
| { | ||
| "technique": "T1496 - Resource Hijacking", | ||
| "reason": "Attackers could use the symmetric data key to encrypt legitimate resources, thereby disrupting normal operations and potentially leading to financial or operational impacts." |
There was a problem hiding this comment.
I believe resource hijacking is about using resources from the company, that have an elevated cost in your favor, like cryptocurrency mining, use of AI, or email services. But in this case, you are not using expensive resources that benefit you.
There was a problem hiding this comment.
Agreed. I will remove this. I had "Modify Cloud Compute infrastructure" as a potential replacement in mind, but my confidence in that technqiue is low.
events/KMS/ScheduleKeyDeletion.json
Outdated
| }, | ||
| { | ||
| "technique": "T1531 - Account Access Removal", | ||
| "reason": "An adversary may remove access to encrypted data by scheduling the deletion of the KMS key, which is crucial for decryption." |
There was a problem hiding this comment.
I agree but the account itself continues to have access to the system, just the data is not there ( because of Disk Wipe )
There was a problem hiding this comment.
I would have counted that under access removal because it is cryptoshredded, but I will delete it.
| }, | ||
| { | ||
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "Using AddPermission to adjust access rights can help hide malicious activities by removing or altering indicators of compromise." |
There was a problem hiding this comment.
I don't see it as strictly related, especially that here you allow somebody else to execute the lambda.
| }, | ||
| { | ||
| "technique": "T1040 - Credential Access via API", | ||
| "reason": "Granting permissions can facilitate the capture or misuse of credentials if permissions are set incorrectly, allowing access to sensitive functions." |
There was a problem hiding this comment.
I'm not really sure about this one, also T1040 is Network Sniffing https://attack.mitre.org/techniques/T1040/
There was a problem hiding this comment.
I do not know what went in my head. I'll remove it.
| }, | ||
| { | ||
| "technique": "T1190 - Exploit Public-Facing Application", | ||
| "reason": "If the Lambda function is triggered via a public-facing API, it can be exploited to gain initial access or execute code." |
There was a problem hiding this comment.
I agree with this but seems more related to the invoke than the creation
events/Lambda/Invoke.json
Outdated
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "Attackers might use obfuscation techniques in Lambda functions to hide malicious activities." |
There was a problem hiding this comment.
The same I tought Exploit Public-Facing Application seems more invoke, I think obfuscate Files or Information seems more CreateFunction as is there when you can create a lambda with obfuscated malicious actions.
There was a problem hiding this comment.
I hhave also included serverless execution as a new technique.
| }, | ||
| { | ||
| "technique": "T1106 - Native API", | ||
| "reason": "Use of the AWS API directly is an example of leveraging native APIs to perform tasks, in this case, updating Lambda functions." |
There was a problem hiding this comment.
This technique is only for OS application programming interface (API)
| }, | ||
| { | ||
| "technique": "T1106 - Native API", | ||
| "reason": "Directly updating the Lambda function code allows adversaries to exploit native APIs to execute their payloads." |
There was a problem hiding this comment.
This technique is only for OS application programming interface (API)
| }, | ||
| { | ||
| "technique": "T1106 - Native API", | ||
| "reason": "Attackers use AWS API calls like UpdateFunctionConfiguration to directly interact with and manipulate Lambda functions to achieve their goals." |
There was a problem hiding this comment.
This technique is only for OS application programming interface (API)
| "technique": "T1566 - Phishing", | ||
| "reason": "Instances may host phishing websites to harvest credentials from targeted users." |
There was a problem hiding this comment.
I think this will be Resource Hijacking as it will be using the service for something malicious
There was a problem hiding this comment.
Okay. I will remove it.
| "technique": "T1583 - Acquire Infrastructure", | ||
| "reason": "CreateInstances can be used by adversaries to acquire infrastructure for future operations by provisioning new instances." |
There was a problem hiding this comment.
Interesting, I'm not sure if Resource Development techniques should be part of this.
On the one hand this might be the starting of a new attack, on the other this feels like such an initial tactic does not match an attack that already has initial compromise.
There was a problem hiding this comment.
I leave it up to you whether Resource Development techniques should be part of this or not.
| "technique": "T1071 - Application Layer Protocol", | ||
| "reason": "Using the API call to communicate and manage accounts in the organization can evade detection mechanisms focused on other layers." |
There was a problem hiding this comment.
I think this is a bit confusing. Because in the end all API calls can be considered Application Layer Protocol.
| "technique": "T1102 - Web Service", | ||
| "reason": "Utilizing AWS Organizations API as a web service to manage accounts can help in evading direct detection of unauthorized activities." |
There was a problem hiding this comment.
Similar to Application Layer Protocol, all APIs can be executed from the AWS Console.
| "technique": "T1078 - Valid Accounts", | ||
| "reason": "Creating a new DB security group could be used to establish persistence by allowing access to specific IP ranges or users who control the security group, effectively allowing continuous access." |
There was a problem hiding this comment.
I don't see the relationship with the Valid Account
events/RDS/DeleteGlobalCluster.json
Outdated
| "technique": "T1491 - Defacement", | ||
| "reason": "The deletion of a global database cluster could serve as a form of defacement, especially if the cluster supports a public-facing application, causing reputational damage." |
There was a problem hiding this comment.
I don't think we can call this defacement because there is no crafted message. From the technique "Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion"
events/RDS/ModifyActivityStream.json
Outdated
| "technique": "T1106 - Native API", | ||
| "reason": "The use of native APIs, such as ModifyActivityStream, can allow an adversary to modify system configurations to evade detection or gain persistence." |
There was a problem hiding this comment.
This technique is only for OS API
events/RDS/ModifyActivityStream.json
Outdated
| }, | ||
| { | ||
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "By disabling the audit stream, an adversary could attempt to hide or remove traces of malicious activity by preventing the collection of activity logs." |
There was a problem hiding this comment.
| "reason": "By disabling the audit stream, an adversary could attempt to hide or remove traces of malicious activity by preventing the collection of activity logs." | |
| "reason": "Attackers might reconfigure the audit policy state to the original state to avoid an investigation." |
There was a problem hiding this comment.
Suggestion implemented in next commit.
events/RDS/StartExportTask.json
Outdated
| "technique": "T1552 - Unsecured Credentials", | ||
| "reason": "If the database snapshots contain unsecured credentials, such as plaintext passwords or API keys, exporting the snapshot to S3 could allow an adversary to access these credentials, which could then be used to further compromise the environment or exfiltrate additional data." |
There was a problem hiding this comment.
I agree but I don't see the StartExportTask extrictly related to unsecured credentials.
events/RDS/StartExportTask.json
Outdated
| "technique": "T1556 - Credentials from Password Stores", | ||
| "reason": "If the database snapshots contain password hashes or other credential stores, exporting the snapshot to S3 could allow an adversary to collect and crack these credentials for further exploitation." |
There was a problem hiding this comment.
Similar to Unsecured Credentials, I don't see this related. I agree that after a copy you can probably access and extract sensitive data ( maybe credentials ) but I find it difficult to match with the StartExportTask
events/ResourceExplorer/Search.json
Outdated
| "technique": "T1027 - Obfuscated Files or Information", | ||
| "reason": "By using specific query strings, attackers might identify resources where information or files are stored in a manner that obfuscates their true nature, aiding in evasion of detection." |
There was a problem hiding this comment.
This is not clear to me. I think the technique is about attackers ofuscating information, in this case if attackers identidy obfuscated information this woudn't be a problem.
events/Route53/CreateHostedZone.json
Outdated
| "technique": "T1087 - Account Discovery", | ||
| "reason": "The creation of a hosted zone provides attackers with insights into the cloud account structure, domain settings, and associated resources, aiding in further discovery and reconnaissance efforts." |
There was a problem hiding this comment.
It is not clear to me how creating a new hosted zone, will give insights into the cloud account structure.
events/Route53/CreateHostedZone.json
Outdated
| "technique": "T1590 - Gather Victim Network Information", | ||
| "reason": "By setting up a hosted zone and monitoring DNS traffic, attackers can gather information about the victim's network, such as domain structure and internal configurations." |
There was a problem hiding this comment.
It is not clear to me how creating a new hosted zone, will allow this. It would be weird for normal traffic to go to a new hosted zone if there are no additional actions.
events/Route53/CreateHostedZone.json
Outdated
| "technique": "T1119 - Automated Collection", | ||
| "reason": "Hosted zones can be configured to automatically redirect or collect DNS queries from targeted systems, facilitating the collection of sensitive information without direct interaction." |
There was a problem hiding this comment.
Similar to Gather Victim Network Information I think it would be weird for normal traffic to go to a new hosted zone if there are no additional actions.
events/Route53/RegisterDomain.json
Outdated
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "Enabling privacy protection can hide WHOIS information, making it harder to attribute the domain to its true owner, aiding in defense evasion." |
There was a problem hiding this comment.
I think in this case, as the infra is not yours you do not care if the WHOIS points to the owner of the AWS acccount. As you are registering something new I don't think this can be a indicator removal.
events/SSM/GetParameters.json
Outdated
| "technique": "T1213 - Data from Information Repositories", | ||
| "reason": "Attackers can exploit GetParameters to extract important data stored within the Parameter Store, such as system configurations, secrets, or other critical information." |
There was a problem hiding this comment.
I'm not sure we can consider this a repository.
| "technique": "T1505 - Server Software Component", | ||
| "reason": "By creating a new server, attackers can install or manage software components that support malicious activities, such as maintaining persistence or running unauthorized code." |
There was a problem hiding this comment.
I don't think this one would work here as the SFTP is just an S3. There is nothing else you can do.
| "technique": "T1562 - Impair Defenses", | ||
| "reason": "Attackers could configure the server in a way that bypasses or disables certain security controls, allowing them to evade detection and maintain access." |
There was a problem hiding this comment.
For the description
| "technique": "T1562 - Impair Defenses", | |
| "reason": "Attackers could configure the server in a way that bypasses or disables certain security controls, allowing them to evade detection and maintain access." | |
| "technique": "T1562 - Impair Defenses", | |
| "reason": "Attackers could configure the server to allow them to access from the internet to S3 files." |
There was a problem hiding this comment.
Suggestion added in next commit.
| }, | ||
| { | ||
| "technique": "T1070 - Indicator Removal", | ||
| "reason": "The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities." |
There was a problem hiding this comment.
| "reason": "The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities." | |
| "reason": "The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities. Also, to delete a group that was used previously by attackers" |
There was a problem hiding this comment.
Added suggestion to the next commit.
events/WAFV2/UpdateIPSet.json
Outdated
| "technique": "T1078 - Valid Accounts", | ||
| "reason": "An attacker with legitimate credentials could update the IPSet to include malicious IPs, ensuring ongoing access or enabling external connections from trusted addresses." |
There was a problem hiding this comment.
I agree but as mentioned in other techniques, the use of legitimate credentials is needed in all techniques.
The purpose of this PR is to add possible MITRE ATT&CK TTPs, which are reasonably possible, but have not been verified by external sources, such as research or in the wild observations