update TTPs for AWS Services #11
@@ -9,6 +9,35 @@ | |
"mitreAttackTechniques": [ | ||
"T1580 - Cloud Infrastructure Discovery" | ||
], | ||
"mitreAttackSubTechniques": [ | ||
|
||
], | ||
"unverifiedMitreAttackTechniques": [ | ||
{ | ||
"technique": "T1070 - Indicator Removal", | ||
"reason": "Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks." | ||
}, | ||
{ | ||
"technique": "T1027 - Obfuscated Files or Information", | ||
"reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms." | ||
Comment on lines +21 to +22

As in the previous comment about this technique, I think it is focused on files on a file system. I think even knowing the configuration, this technique won't happen as the files won't be in a filesystem.

See my previous comment. If you think it should be removed I'll do it.

I think I see your point: maybe knowing the configuration, you'll act in a way that logs won't contain enough information to be useful, and this might be considered obfuscation. I have no strong opinion on removing it or not; my comments in general are to raise questions on techniques where I have more problems seeing the relationship, and because of this, I wonder if this is going to help or might generate confusion.

I do appreciate your insights & comments. I do not have a strong opinion on it either.
}, | ||
{ | ||
"technique": "T1518.001 - Software Discovery", | ||
"reason": "Understanding how model invocation is logged can reveal what security software is in use." | ||
}, | ||
{ | ||
"technique": "T1562 - Impair Defenses", | ||
"reason": "Knowing the logging configuration can help attackers understand how to disable or evade defensive logging." | ||
}, | ||
{ | ||
"technique": "T1071 - Application Layer Protocol", | ||
"reason": "Attackers might tailor their command and control communication methods based on the logging configurations discovered." | ||
}, | ||
{ | ||
"technique": "T1212 - Exploitation for Credential Access", | ||
"reason": "If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs." | ||
} | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
|
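Review bot: The entry `"T1518.001 - Software Discovery"` pairs a sub-technique id with the parent technique's name: T1518 is Software Discovery and T1518.001 is Security Software Discovery, which is also what the reason text ("what security software is in use") describes, so the label should read `"T1518.001 - Security Software Discovery"`. The `"T1212 - Exploitation for Credential Access"` reason describes credentials or sensitive data landing in delivered logs when `textDataDeliveryEnabled` or `imageDataDeliveryEnabled` is on; T1212 covers exploiting a software vulnerability to obtain credentials, so T1552 Unsecured Credentials (T1552.001 Credentials In Files) matches that reason more closely. Also, `"usedInWild": true` should be backed by at least one entry in `"incidents"`, which the hunk is cut off before showing.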
This technique is about making "an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit".
As these are not files from an operating system, I'm not sure if this applies.

I am unsure why MITRE named it "Obfuscated Files or Information" and then did not have a reference on obfuscated information. The best I could find is
I admit it may not be the best match, but I thought to give it a try.

In some way, I can see adding obfuscated code in the configuration or creating an endpoint for doing this. I see it as too complex for an attack, but it is true that it can happen.