update TTPs for AWS Services #11
Changes from 30 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,35 @@ | |
"T1578 - Modify Cloud Compute Infrastructure", | ||
"T1556 - Modify Authentication Process" | ||
], | ||
"mitreAttackSubTechniques": [ | ||
|
||
], | ||
"unverifiedMitreAttackTechniques": [ | ||
{ | ||
"technique": "T1078 - Valid Accounts", | ||
"reason": "API keys are a form of credentials that attackers can use to gain and maintain access to cloud services." | ||
}, | ||
{ | ||
"technique": "T1056.004 - Credential API Hooking", | ||
"reason": "Attackers may hook into the API key creation process to intercept and use these credentials for unauthorized access." | ||
I believe this sub-technique is only Windows-focused and might cause confusion adding it here. Even if an attacker can intercept traffic to this API I wouldn't consider it hooking.
Sure, will remove it. I had it included because "Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials." |
||
}, | ||
{ | ||
"technique": "T1098 - Account Manipulation", | ||
"reason": "Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access." | ||
}, | ||
{ | ||
"technique": "T1531 - Account Access Removal", | ||
"reason": "API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations." | ||
}, | ||
{ | ||
"technique": "T1550.001 - Use Alternate Authentication Material: Application Access Token", | ||
"reason": "API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs." | ||
}, | ||
{ | ||
"technique": "T1090 - Proxy", | ||
"reason": "Attackers can use API keys to route their malicious traffic through a proxy, hiding their true origin and bypassing security measures." | ||
adanalvarez marked this conversation as resolved.
|
||
} | ||
], | ||
"usedInWild": false, | ||
"incidents": [], | ||
"researchLinks": [ | ||
|
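Review bot: the hunk adds an empty "mitreAttackSubTechniques" array but then files two sub-technique IDs ("T1056.004 - Credential API Hooking" and "T1550.001 - Use Alternate Authentication Material: Application Access Token") under "unverifiedMitreAttackTechniques"; either move sub-technique entries to the sub-techniques list or document that the unverified list may mix both levels, so consumers of this JSON can filter on the ID format consistently. The "T1090 - Proxy" reason ("use API keys to route their malicious traffic through a proxy") also does not describe anything an AppSync API key does: the key authenticates requests to the GraphQL API, it does not relay traffic, so that entry should be dropped or its reason rewritten around what the key actually grants.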
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,6 +11,35 @@ | |
"T1578 - Modify Cloud Compute Infrastructure", | ||
"T1556 - Modify Authentication Process" | ||
], | ||
"mitreAttackSubTechniques": [ | ||
|
||
], | ||
"unverifiedMitreAttackTechniques": [ | ||
{ | ||
"technique": "T1136 - Create Account", | ||
"reason": "An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges." | ||
}, | ||
{ | ||
"technique": "T1212 - Exploitation for Credential Dumping", | ||
"reason": "Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping." | ||
}, | ||
{ | ||
"technique": "T1078 - Valid Accounts", | ||
"reason": "An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts." | ||
}, | ||
{ | ||
"technique": "T1098 - Account Manipulation", | ||
"reason": "The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges." | ||
}, | ||
{ | ||
"technique": "T1027 - Obfuscated Files or Information", | ||
"reason": "The API call might be used to modify or obfuscate logs and configurations to avoid detection." | ||
Comment on lines +35 to +36
This technique is about making "an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit". As these are not files from an operating system, I'm not sure if this applies.
I am unsure why MITRE named it "Obfuscated Files or Information" and then did not have a reference on obfuscated information. The best I could find is
I admit it may not be the best match, but I thought to give it a try.
In some way, I can see adding obfuscated code in the configuration or creating an endpoint for doing this. I see it as too complex for an attack, but it is true that it can happen. |
||
}, | ||
{ | ||
"technique": "T1078 - Valid Accounts", | ||
"reason": "By updating the API, attackers might ensure they can access privileged accounts for persistent access." | ||
} | ||
], | ||
"usedInWild": false, | ||
"incidents": [], | ||
"researchLinks": [ | ||
|
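Review bot: "T1078 - Valid Accounts" appears twice in the new "unverifiedMitreAttackTechniques" array (once after the T1212 entry and again as the final element) with two different reasons; merge them into a single entry so the list has one object per technique. The T1212 entry is also labelled "T1212 - Exploitation for Credential Dumping", but the ATT&CK name for T1212 is "Exploitation for Credential Access", which is the name the third file in this PR already uses; align the label here so the same ID does not carry two names across the repository.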
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,6 +9,35 @@ | |
"mitreAttackTechniques": [ | ||
"T1580 - Cloud Infrastructure Discovery" | ||
], | ||
"mitreAttackSubTechniques": [ | ||
|
||
], | ||
"unverifiedMitreAttackTechniques": [ | ||
{ | ||
"technique": "T1070 - Indicator Removal", | ||
"reason": "Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks." | ||
}, | ||
{ | ||
"technique": "T1027 - Obfuscated Files or Information", | ||
"reason": "Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms." | ||
Comment on lines +21 to +22
As in the previous comment about this technique, I think it is focused on files on a file system. I think even knowing the configuration, this technique won't happen as the files won't be in a filesystem.
See my previous comment. If you think it should be removed I'll do it.
I think I see your point: maybe knowing the configuration, you'll act in a way that logs won't contain enough information to be useful, and this might be considered obfuscation. I have no strong opinion on removing it or not; my comments in general are to raise questions on techniques where I have more problems seeing the relationship, and because of this, I wonder if this is going to help or might generate confusion.
I do appreciate your insights & comments. I do not have a strong opinion on it either. |
||
}, | ||
{ | ||
"technique": "T1518.001 - Software Discovery", | ||
"reason": "Understanding how model invocation is logged can reveal what security software is in use." | ||
}, | ||
{ | ||
"technique": "T1562 - Impair Defenses", | ||
"reason": "Knowing the logging configuration can help attackers understand how to disable or evade defensive logging." | ||
}, | ||
{ | ||
"technique": "T1071 - Application Layer Protocol", | ||
"reason": "Attackers might tailor their command and control communication methods based on the logging configurations discovered." | ||
}, | ||
{ | ||
"technique": "T1212 - Exploitation for Credential Access", | ||
"reason": "If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs." | ||
} | ||
], | ||
"usedInWild": true, | ||
"incidents": [ | ||
{ | ||
|
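Review bot: "T1518.001 - Software Discovery" pairs the sub-technique ID with the parent's name: T1518 is Software Discovery and T1518.001 is Security Software Discovery. Since the reason text is specifically about revealing "what security software is in use", the entry should read "T1518.001 - Security Software Discovery" (and, as with the other files in this PR, it is a sub-technique sitting in the techniques list while "mitreAttackSubTechniques" is left empty).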
I have corrected that in the upcoming version.