update TTPs for AWS Services

events/ACMPCA/GetCertificate.json

@@ -9,6 +9,47 @@
     "mitreAttackTechniques": [
         "T1040- Network Sniffing"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1119- Automated Collection",
+            "reason": "An attacker could write a script that continiously calls GetCertificate to get all certificates"
+        },
+        {
+            "technique": "T1580- Cloud Infrastructure Discovery",
+            "reason": "Using GetCertificate, adversaries can discover details about the cloud infrastructure, including how certificates are managed and issued within the environment."
+        },
+        {
+            "technique": "TT1589- Gather Victim Identity Information",
+            "reason": "Often times victim information is present in the certificate, f.e. email adresses."
+        },
+        {
+            "technique": "T1526- Cloud Service Discovery",
+            "reason": "Often times certificates are issued for single cloud services. "
+        },
+        {
+            "technique": "T1530- Data from Cloud Storage",
+            "reason": "One could label the ACMPCA as a cloud storage, because the certificates are stored in there."
+        },
+        {
+            "technique": "T1021.007- Remote Services: Cloud Services",
+            "reason": "The GetCertificate API call retrieves certificates from a private CA or one that has been shared, which can then be used to authenticate access to various cloud services. Adversaries can use these certificates to authenticate themselves to cloud services remotely, leveraging the trust established by the certificate. This enables the adversary to move laterally within the cloud environment, access additional resources, or establish persistence by maintaining authenticated sessions with the compromised certificates"
+        },
+        {
+            "technique": "T1212 - Exploitation for Credential Access",
+            "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details"
+        },
+        {
+            "technique": "T1557 - Adversary-in-the-Middle",
+            "reason": "Certificates retrieved can be used in Man-in-the-Middle (MitM) attacks to intercept and decrypt secure communications."
+        },
+        {
+            "technique": "T1021: Remote Services",
+            "reason": "Certificates are often used as an authetication material, especially in enterprise environments and can be therefore used to move laterally."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/ACMPCA/IssueCertificate.json

@@ -9,6 +9,47 @@
     "mitreAttackTechniques": [
         "T1040- Network Sniffing"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1078- Valid Accounts",
+            "reason": "Issuing a certificate can create a valid cloud account credential. This certificate could be used to authenticate against various services. Issued certificates could be used to create or access local accounts within the cloud infrastructure. "
+        },
+        {
+            "technique": "T1212- Exploitation for Credential Access",
+            "reason": "Certificates can be exploited to gain credential access, especially if they include sensitive authentication details or are from a trustd CA."
+        },
+        {
+            "technique": "T1136- Create Account",
+            "reason": "An adversary might use a certificate to create new cloud accounts or gain access to existing ones under the guise of legitimate credentials."
+        },
+        {
+            "technique": "T1588- Obtain Capabilities",
+            "reason": "By using this API call an adversary has successfully gained the capability to create digital certificates."
+        },
+        {
+            "technique": "T1550- Use Alternate Authentication Material",
+            "reason": "Issued certificates can be used as alternative authentication material in place of traditional credentials like web cookies, aiding in Credential Access and Defense Evasion."
+        },
+        {
+            "technique": "T1586.003- Compromise Accounts",
+            "reason": "By issuing certificates through the IssueCertificate API call, adversaries can compromise cloud accounts by creating legitimate credentials for accessing cloud services. These certificates can be used to authenticate and gain control over cloud accounts, facilitating Initial Access and Persistence. The adversary can then maintain access by leveraging these certificates, bypassing traditional authentication mechanisms and evading detection."
+        },
+        {
+            "technique": "T1027- Obfuscated Files or Information",
+            "reason": "Certificates issued via this API call can be used to obfuscate the true nature of communication and data, aiding in Defense Evasion."
+        },
+        {
+            "technique": "T1553- Subvert Trust Controls",
+            "reason": "By issuing a certificate, an adversary can sign malicious binaries, making them appear legitimate and trusted, aiding in Defense Evasion."
+        },
+        {
+            "technique": "T1071.001- Application Layer Protocol - Web Protocols",
+            "reason": "Issued certificates can be used to secure communication over web protocols, potentially aiding in Defense Evasion and Credential Access by making malicious traffic appear legitimate."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/AppSync/CreateApiKey.json

@@ -11,6 +11,35 @@
         "T1578 - Modify Cloud Compute Infrastructure",
         "T1556 - Modify Authentication Process"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1078 - Valid Accounts",
+            "reason": "API keys are a form of credentials that attackers can use to gain and maintain access to cloud services."
+        },
+        {
+            "technique": "T1056.004 - Credential API Hooking",
+            "reason": "Attackers may hook into the API key creation process to intercept and use these credentials for unauthorized access."
+        },
+        {
+            "technique": "T1098 - Account Manipulation",
+            "reason": "Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access."
+        },
+        {
+            "technique": "T1531 - Account Access Removal",
+            "reason": "API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations."
+        },
+        {
+            "technique": "T1550.001 - Use Alternate Authentication Material: Application Access Token",
+            "reason": "API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs."
+        },
+        {
+            "technique": "T1090 - Proxy",
+            "reason": "Attackers can use API keys to route their malicious traffic through a proxy, hiding their true origin and bypassing security measures."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/AppSync/GetIntrospectionSchema.json

@@ -9,6 +9,19 @@
     "mitreAttackTechniques": [
         "T1526 - Cloud Service Discovery"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1087 - Account Discovery",
+            "reason": "The GetIntrospectionSchema API call can be used to gather detailed information about the structure of an AWS AppSync GraphQL schema. This can help in identifying user roles, permissions, and accounts associated with the schema in this AWS account."
+        },
+        {
+            "technique": "T1590: Gather Victim Network Information",
+            "reason": "Through the introspection schema, an attacker can identify dependencies and integrations with other network services or external APIs, revealing trust relationships and potential attack vectors. By retrieving the introspection schema, an attacker can map out the network structure as exposed by the GraphQL API, including services, endpoints, and connections within the AWS environment."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/AppSync/UpdateGraphqlApi.json

@@ -11,6 +11,35 @@
         "T1578 - Modify Cloud Compute Infrastructure",
         "T1556 - Modify Authentication Process"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1136 - Create Account",
+            "reason": "An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges."
+        },
+        {
+            "technique": "T1212 - Exploitation for Credential Dumping",
+            "reason": "Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping."
+        },
+        {
+            "technique": "T1078 - Valid Accounts",
+            "reason": "An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts."
+        },
+        {
+            "technique": "T1098 - Account Manipulation",
+            "reason": "The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges."
+        },
+        {
+            "technique": "T1027 - Obfuscated Files or Information",
+            "reason": "The API call might be used to modify or obfuscate logs and configurations to avoid detection."
+        },
+        {
+            "technique": "T1078 - Valid Accounts",
+            "reason": "By updating the API, attackers might ensure they can access privileged accounts for persistent access."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/AppSync/UpdateResolver.json

@@ -11,6 +11,43 @@
         "T1578 - Modify Cloud Compute Infrastructure",
         "T1556 - Modify Authentication Process"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique":  "T1136 - Create Account",
+            "reason": "Using the UpdateResolver API, an adversary can manipulate the AppSync resolver to create new user accounts with specific roles or permissions, enabling persistent access to the AWS environment."
+        },
+        {
+            "technique": "T1078 - Valid Accounts",
+            "reason": "By updating the resolver, adversaries can utilize valid credentials to access AppSync and maintain persistence."
+        },
+        {
+            "technique": "T1070 - Indicator Removal on Host",
+            "reason": "Adversaries can update resolvers to manipulate logs or delete records, evading detection by altering or concealing their tracks."
+        },
+        {
+            "technique": "T1531 - Account Access Removal",
+            "reason": "Adversaries can use the UpdateResolver API to revoke access for legitimate users, thereby preventing them from detecting the adversarial activities."
+        },
+        {
+            "technique": "T1003 - Credential Dumping",
+            "reason": "By updating the resolver to capture sensitive data passed through AppSync, adversaries could dump credentials for further exploitation."
+        },
+        {
+            "technique": "T1071 - Application Layer Protocol",
+            "reason": "Modifying the resolver might allow adversaries to covertly communicate using AppSync's standard protocols, blending in with normal traffic and evading network defenses."
+        },
+        {
+            "technique": "T1562.001 - Impair Defenses: Disable or Modify Tools",
+            "reason": "An adversary might update the resolver to disable security tools or modify their behavior, thereby evading detection and maintaining access."
+        },
+        {
+            "technique": "T1027 - Obfuscated Files or Information",
+            "reason": "By updating resolvers, adversaries can obfuscate the information passed through AppSync, making it difficult to detect malicious activities within the data flow."
+        }
+    ],
     "usedInWild": false,
     "incidents": [],
     "researchLinks": [

events/Athena/GetQueryResults.json

@@ -7,7 +7,28 @@
         "TA0007 - Discovery"
     ],
     "mitreAttackTechniques": [
-        "T1580 - Cloud Infrastructure Discovery"
+        "T1580 - Cloud Infrastructure Discovery"        
+    ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1082 - System Information Discovery",
+            "reason": "GetQueryResults can be used to gather information about the Athena environment, such as the metadata of the queries and databases. This can reveal insights about the system configuration and the types of data stored."
+        },
+        {
+            "technique": "T1213 - Data from Information Repositories",
+            "reason": "Athena queries can access and retrieve data from various repositories like S3. GetQueryResults is used to obtain this data, making it a critical step in extracting information from these repositories."
+        },
+        {
+            "technique": "T1039 - Data from Network Shared Drive",
+            "reason": " If Athena queries target data stored in network shared drives (like those mounted on EC2 instances and accessible via S3), the GetQueryResults API will be used to collect this data."
+        },
+        {
+            "technique": "T1074 - Data Staged",
+            "reason": "Attackers may stage data in a specific location after retrieving it with GetQueryResults before exfiltration. This staging is a preparatory step for further data handling or analysis."
+        }
     ],
     "usedInWild": true,
     "incidents": [

events/Bedrock/CreateFoundationModelAgreement.json

@@ -9,6 +9,15 @@
     "mitreAttackTechniques": [
         "T1496 - Resource Hijacking"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1098 - Account Manipulation",
+            "reason": "The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges."
+        }
+    ],
     "usedInWild": true,
     "incidents": [
         {

events/Bedrock/GetFoundationModelAvailability.json

@@ -9,6 +9,19 @@
     "mitreAttackTechniques": [
         "T1580 - Cloud Infrastructure Discovery"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1082 - System Information Discovery",
+            "reason": "Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system."
+        },
+        {
+            "technique": "T1590 - Gather Victim Network Information",
+            "reason": "The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information."
+        }
+    ],
     "usedInWild": true,
     "incidents": [
         {

events/Bedrock/GetModelInvocationLoggingConfiguration.json

@@ -9,6 +9,35 @@
     "mitreAttackTechniques": [
         "T1580 - Cloud Infrastructure Discovery"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1070 - Indicator Removal",
+            "reason": "Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks."
+        },
+        {
+            "technique": "T1027 - Obfuscated Files or Information",
+            "reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms."
+        },
+        {
+            "technique": "T1518.001 - Software Discovery",
+            "reason": "Understanding how model invocation is logged can reveal what security software is in use."
+        },
+        {
+            "technique": "T1562 - Impair Defenses",
+            "reason": "Knowing the logging configuration can help attackers understand how to disable or evade defensive logging."
+        },
+        {
+            "technique": "T1071 - Application Layer Protocol",
+            "reason": "Attackers might tailor their command and control communication methods based on the logging configurations discovered."
+        },
+        {
+            "technique": "T1212 - Exploitation for Credential Access",
+            "reason": "If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs."
+        }
+    ],
     "usedInWild": true,
     "incidents": [
         {

events/Bedrock/GetUseCaseForModelAccess.json

@@ -9,6 +9,35 @@
     "mitreAttackTechniques": [
         "T1580 - Cloud Infrastructure Discovery"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1078 - Valid Accounts: Cloud Accounts",
+            "reason": "If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information about model access use cases, which may aid further malicious activity."
+        },
+        {
+            "technique": "T1082 - System Information Discovery",
+            "reason": "The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery."
+        },
+        {
+            "technique": "T1005 - Data from Local System",
+            "reason": "The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment."
+        },
+        {
+            "technique": "T1530 - Data from Cloud Storage",
+            "reason": "If the GetUseCaseForModelAccess API provides links or references to data stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data."
+        },
+        {
+            "technique": "T1020 - Automated Exfiltration",
+            "reason": "An attacker could script the API call to automatically extract and exfiltrate information about model use cases over time."
+        },
+        {
+            "technique": "T1074 - Data Staged",
+            "reason": "Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use."
+        }
+    ],
     "usedInWild": true,
     "incidents": [
         {

events/Bedrock/InvokeModel.json

@@ -11,6 +11,23 @@
         "T1580 - Cloud Infrastructure Discovery",
         "T1496 - Resource Hijacking"
     ],
+    "mitreAttackSubTechniques": [
+
+    ],
+    "unverifiedMitreAttackTechniques": [
+        {
+            "technique": "T1020 - Automated Exfiltration",
+            "reason": "The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information"
+        },
+        {
+            "technique": "T1567 - Exfiltration Over Web Service",
+            "reason": "An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers."
+        },
+        {
+            "technique": "T1203 - Exploitation for Client Execution",
+            "reason": "Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API."
+        }
+    ],
     "usedInWild": true,
     "incidents": [
         {