diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml index bb6a3139f..623a6b8c7 100644 --- a/.github/workflows/check-packs.yml +++ b/.github/workflows/check-packs.yml @@ -45,7 +45,7 @@ jobs: panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT - name: Comment PR - uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b if: ${{ steps.check-packs.outputs.errors }} with: mode: upsert @@ -57,7 +57,7 @@ jobs: ``` comment-tag: check-packs - name: Delete comment - uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b if: ${{ !steps.check-packs.outputs.errors }} with: mode: delete diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 24ab6793e..7fa3b49f7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing to `panther-analysis` -Thank you for your interest in contributing to Panther's open-source ruleset! We appreciate all types of contributions, including new detection rules, feature requests, and bug reports. +Thank you for your interest in contributing to Panther's open-source ruleset! We appreciate all types of contributions, including new detection rules, feature requests, and bug reports. ## What makes a good detection? @@ -19,18 +19,18 @@ Before submitting your pull request, make sure to: - Write or update relevant unit tests - Redact any sensitive information or PII from example logs - Format, lint, and test your changes to ensure CI tests pass, using the following commands: - ```bash - make fmt - make lint - make test - ``` + ```bash + make fmt + make lint + make test + ``` ## Pull Request process 1. Make desired detection changes. This may include creating new detections in existing log type directories, creating new log type directories, updating existing detections, etc 2. Commit both the Python and Metadata files 3. Write a clear commit message -4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls). +4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls) against the `develop` branch. 5. Once your PR has been approved by code owners, if you have merge permissions, merge it. If you do not have merge permissions, leave a comment requesting a code owner merge it for you ## Code of Conduct @@ -42,4 +42,5 @@ in all of your interactions with this project. If you need assistance at any point, feel free to open a support ticket, or reach out to us on [Panther Community Slack](https://pnthr.io/community). -Thank you again for your contributions, and we look forward to working together! \ No newline at end of file +Thank you again for your contributions, and we look forward to working together! + diff --git a/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml b/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml index 8642ad7fd..08fe4c3f7 100644 --- a/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml +++ b/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml @@ -18,11 +18,12 @@ Detection: - ID: StopInstance FOLLOWED BY StartupScriptChange From: StopInstance To: StartupScriptChange + WithinTimeFrameMinutes: 90 Match: - On: p_alert_context.instance_ids - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 5 Tests: - Name: Instance Stopped, Followed By Script Change diff --git a/correlation_rules/aws_console_sign-in_without_okta.yml b/correlation_rules/aws_console_sign-in_without_okta.yml index 3aa81090f..6d9d45f71 100644 --- a/correlation_rules/aws_console_sign-in_without_okta.yml +++ b/correlation_rules/aws_console_sign-in_without_okta.yml @@ -26,7 +26,7 @@ Detection: Schedule: RateMinutes: 1440 TimeoutMinutes: 5 - LookbackWindowMinutes: 1440 + LookbackWindowMinutes: 2160 Tests: - Name: AWS Console Sign-In PRECEDED BY Okta Redirect ExpectedResult: false diff --git a/correlation_rules/aws_privilege_escalation_via_user_compromise.yml b/correlation_rules/aws_privilege_escalation_via_user_compromise.yml index 7893288b4..d0afa8937 100644 --- a/correlation_rules/aws_privilege_escalation_via_user_compromise.yml +++ b/correlation_rules/aws_privilege_escalation_via_user_compromise.yml @@ -16,12 +16,13 @@ Detection: - ID: User Backdoored TO User Accessed ON IP Addr From: User Backdoored To: User Accessed + WithinTimeFrameMinutes: 60 Match: - On: p_alert_context.ip_accessKeyId Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Tests: - Name: Access Key Created and Used from Same IP ExpectedResult: true diff --git a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml index 18303a56b..5a2b0058b 100644 --- a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml +++ b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml @@ -25,7 +25,7 @@ Detection: Schedule: RateMinutes: 1440 TimeoutMinutes: 5 - LookbackWindowMinutes: 1440 + LookbackWindowMinutes: 2160 Tests: - Name: AWS SSO Access Token Retrieved by Authenticated IP ExpectedResult: false diff --git a/correlation_rules/aws_user_takeover_via_password_reset.yml b/correlation_rules/aws_user_takeover_via_password_reset.yml index c7a9b8995..05999b27d 100644 --- a/correlation_rules/aws_user_takeover_via_password_reset.yml +++ b/correlation_rules/aws_user_takeover_via_password_reset.yml @@ -16,12 +16,13 @@ Detection: - ID: Password Reset TO Login ON IP Addr From: Password Reset To: Login + WithinTimeFrameMinutes: 60 Match: - On: p_alert_context.ip_and_username Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Tests: - Name: Password Reset, Then Login From Same IP ExpectedResult: true diff --git a/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml b/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml index 51abac686..8a6db86d4 100644 --- a/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml +++ b/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml @@ -21,11 +21,12 @@ Detection: - ID: ServiceCreated FOLLOWED BY SetIAMPolicy From: ServiceCreated To: SetIAMPolicy + WithinTimeFrameMinutes: 90 Match: - On: p_alert_context.caller_ip - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 5 Tests: - Name: GCP Service Run, Followed By IAM Policy Change From Same IP diff --git a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml index 564781d5d..7b9b5e059 100644 --- a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml +++ b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml @@ -16,11 +16,12 @@ Detection: - ID: GHASChange NOT FOLLOWED BY RepoArchived From: RepoArchived To: GHASChange + WithinTimeFrameMinutes: 60 Match: - On: p_alert_context.repo - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 Tests: - Name: Security Change on Repo, Followed By Same Repo Archived diff --git a/correlation_rules/notion_login_followed_by_account_change.yml b/correlation_rules/notion_login_followed_by_account_change.yml index 3149b8d40..44dcd406a 100644 --- a/correlation_rules/notion_login_followed_by_account_change.yml +++ b/correlation_rules/notion_login_followed_by_account_change.yml @@ -22,7 +22,7 @@ Detection: WithinTimeFrameMinutes: 15 Match: - On: p_alert_context.actor_id - LookbackWindowMinutes: 1440 + LookbackWindowMinutes: 2160 Schedule: RateMinutes: 1440 TimeoutMinutes: 5 diff --git a/correlation_rules/okta_login_without_push.yml b/correlation_rules/okta_login_without_push.yml index ac0418193..738c00948 100644 --- a/correlation_rules/okta_login_without_push.yml +++ b/correlation_rules/okta_login_without_push.yml @@ -21,13 +21,14 @@ Detection: - ID: Okta to Push From: Okta To: Push + WithinTimeFrameMinutes: 60 Match: - From: actor.alternateId To: new.email Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Tests: - Name: Okta Login, Followed By Push Authorized Login ExpectedResult: false diff --git a/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml b/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml index 34aa2edac..87155aab1 100644 --- a/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml +++ b/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml @@ -22,7 +22,7 @@ Detection: WithinTimeFrameMinutes: 15 Match: - On: user_name - LookbackWindowMinutes: 1440 + LookbackWindowMinutes: 2160 Schedule: RateMinutes: 1440 TimeoutMinutes: 5 diff --git a/correlation_rules/potential_compromised_okta_credentials.yml b/correlation_rules/potential_compromised_okta_credentials.yml index 15b9e79d9..4b0536831 100644 --- a/correlation_rules/potential_compromised_okta_credentials.yml +++ b/correlation_rules/potential_compromised_okta_credentials.yml @@ -20,13 +20,14 @@ Detection: - ID: Match on user From: Login Without Push Marker To: Push Phishing + WithinTimeFrameMinutes: 60 Match: - From: actor.alternateId To: new.employee.email Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Tests: - Name: Login Without Marker, Followed By Phishing Detection ExpectedResult: true diff --git a/correlation_rules/secret_exposed_and_not_quarantined.yml b/correlation_rules/secret_exposed_and_not_quarantined.yml index d8cd9e6c4..c50790a03 100644 --- a/correlation_rules/secret_exposed_and_not_quarantined.yml +++ b/correlation_rules/secret_exposed_and_not_quarantined.yml @@ -21,10 +21,11 @@ Detection: - ID: SecretFound TO SecretNotQuarantined From: SecretFound To: SecretNotQuarantined + WithinTimeFrameMinutes: 60 Schedule: - RateMinutes: 60 + RateMinutes: 1440 TimeoutMinutes: 10 - LookbackWindowMinutes: 90 + LookbackWindowMinutes: 2160 Tests: - Name: Secret Found and Quarantied ExpectedResult: false diff --git a/correlation_rules/snowflake_data_exfiltration.yml b/correlation_rules/snowflake_data_exfiltration.yml index 69fcfe6b6..dc6fd272f 100644 --- a/correlation_rules/snowflake_data_exfiltration.yml +++ b/correlation_rules/snowflake_data_exfiltration.yml @@ -28,9 +28,9 @@ Detection: Match: - On: stage Schedule: - RateMinutes: 720 + RateMinutes: 1440 TimeoutMinutes: 15 - LookbackWindowMinutes: 1440 + LookbackWindowMinutes: 2160 Tests: - Name: Data Exfiltration ExpectedResult: true diff --git a/correlation_rules/snowflake_potential_brute_force_success.yml b/correlation_rules/snowflake_potential_brute_force_success.yml new file mode 100644 index 000000000..54c13e45a --- /dev/null +++ b/correlation_rules/snowflake_potential_brute_force_success.yml @@ -0,0 +1,47 @@ +AnalysisType: correlation_rule +RuleID: "Snowflake.PotentialBruteForceSuccess" +DisplayName: "Snowflake Brute Force Login Success" +Enabled: true +Severity: High +Description: Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login. +Detection: + - Sequence: + - ID: Multiple Failed Logins + RuleID: Snowflake.Stream.BruteForceByIp + MinMatchCount: 5 + - ID: Successful Login + RuleID: Snowflake.Stream.LoginSuccess + Transitions: + - ID: Multiple Failed Logins FOLLOWED BY Successful Login + From: Multiple Failed Logins + To: Successful Login + WithinTimeFrameMinutes: 30 + Match: + - On: CLIENT_IP + Schedule: + RateMinutes: 720 + TimeoutMinutes: 15 + LookbackWindowMinutes: 1440 +Tests: + - Name: Successful Bulk Login + ExpectedResult: true + RuleOutputs: + - ID: Multiple Failed Logins + Matches: + CLIENT_IP: + "1.1.1.1": [0, 2, 3, 6, 9, 10, 11, 15] + - ID: Successful Login + Matches: + CLIENT_IP: + "1.1.1.1": [16] + - Name: Successful Login With Single Failure + ExpectedResult: false + RuleOutputs: + - ID: Multiple Failed Logins + Matches: + CLIENT_IP: + "1.1.1.1": [0] + - ID: Successful Login + Matches: + CLIENT_IP: + "1.1.1.1": [1] diff --git a/global_helpers/panther_aws_helpers.py b/global_helpers/panther_aws_helpers.py index 5986c9cdd..738db8cb3 100644 --- a/global_helpers/panther_aws_helpers.py +++ b/global_helpers/panther_aws_helpers.py @@ -29,7 +29,7 @@ def aws_strip_role_session_id(user_identity_arn): return user_identity_arn -def aws_rule_context(event: dict): +def aws_rule_context(event): return { "eventName": event.get("eventName", ""), "eventSource": event.get("eventSource", ""), @@ -41,7 +41,7 @@ def aws_rule_context(event: dict): } -def aws_guardduty_context(event: dict): +def aws_guardduty_context(event): return { "description": event.get("description", ""), "severity": event.get("severity", ""), diff --git a/global_helpers/panther_box_helpers.py b/global_helpers/panther_box_helpers.py index cf4259c97..eb65e1dd5 100644 --- a/global_helpers/panther_box_helpers.py +++ b/global_helpers/panther_box_helpers.py @@ -139,7 +139,7 @@ def build_jwt_settings(response: dict) -> dict: # 'additional_details' from box logs varies by event_type. # This helper wraps the process of extracting those details. -def box_parse_additional_details(event: dict): +def box_parse_additional_details(event): additional_details = event.get("additional_details", {}) if isinstance(additional_details, (str, bytes)): try: diff --git a/global_helpers/panther_cloudflare_helpers.py b/global_helpers/panther_cloudflare_helpers.py index 3c2547eee..a0926ae8d 100644 --- a/global_helpers/panther_cloudflare_helpers.py +++ b/global_helpers/panther_cloudflare_helpers.py @@ -38,7 +38,7 @@ def map_source_to_name(event: Any) -> str: ) -def cloudflare_fw_alert_context(event: dict = None): +def cloudflare_fw_alert_context(event=None): keep_keys = [ "Action", "ClientIP", @@ -57,7 +57,7 @@ def cloudflare_fw_alert_context(event: dict = None): return context_dict -def cloudflare_http_alert_context(event: dict = None): +def cloudflare_http_alert_context(event=None): keep_keys = [ "BotScore", "BotScoreSrc", diff --git a/global_helpers/panther_crowdstrike_fdr_helpers.py b/global_helpers/panther_crowdstrike_fdr_helpers.py index 15c28f9db..214b1ffa3 100644 --- a/global_helpers/panther_crowdstrike_fdr_helpers.py +++ b/global_helpers/panther_crowdstrike_fdr_helpers.py @@ -1,4 +1,4 @@ -def crowdstrike_detection_alert_context(event: dict): +def crowdstrike_detection_alert_context(event): """Returns common context for Crowdstrike detections""" return { "aid": get_crowdstrike_field(event, "aid", default=""), @@ -13,7 +13,7 @@ def crowdstrike_detection_alert_context(event: dict): } -def crowdstrike_process_alert_context(event: dict): +def crowdstrike_process_alert_context(event): """Returns common process context for Crowdstrike detections""" return { "aid": get_crowdstrike_field(event, "aid", default=""), @@ -28,7 +28,7 @@ def crowdstrike_process_alert_context(event: dict): } -def crowdstrike_network_detection_alert_context(event: dict): +def crowdstrike_network_detection_alert_context(event): """Returns common network context for Crowdstrike detections""" return { "LocalAddressIP4": get_crowdstrike_field(event, "LocalAddressIP4", default=""), diff --git a/global_helpers/panther_duo_helpers.py b/global_helpers/panther_duo_helpers.py index 6eb00ad58..aea974746 100644 --- a/global_helpers/panther_duo_helpers.py +++ b/global_helpers/panther_duo_helpers.py @@ -2,7 +2,7 @@ from json import JSONDecodeError -def deserialize_administrator_log_event_description(event: dict) -> dict: +def deserialize_administrator_log_event_description(event) -> dict: """Intelligently try and decode a field that is usually stringified json into a python dict. This description field seems to take the form of stringified json, So this function diff --git a/global_helpers/panther_lookuptable_helpers.py b/global_helpers/panther_lookuptable_helpers.py index 295db4a2a..1d059ba14 100644 --- a/global_helpers/panther_lookuptable_helpers.py +++ b/global_helpers/panther_lookuptable_helpers.py @@ -27,7 +27,7 @@ def _lookup(self, match_field: str, *keys) -> list or str: def p_matched(self): return self._p_matched - def p_matches(self, event: dict, p_match: str = "") -> dict: + def p_matches(self, event, p_match: str = "") -> dict: """Collect enrichments by searching for a value match in the p_match field Parameters: diff --git a/global_helpers/panther_okta_helpers.py b/global_helpers/panther_okta_helpers.py index b8cf79cbe..ffbfb8af8 100644 --- a/global_helpers/panther_okta_helpers.py +++ b/global_helpers/panther_okta_helpers.py @@ -1,4 +1,4 @@ -def okta_alert_context(event: dict): +def okta_alert_context(event): """Returns common context for automation of Okta alerts""" return { "event_type": event.get("eventtype", ""), diff --git a/global_helpers/panther_snowflake_helpers.py b/global_helpers/panther_snowflake_helpers.py new file mode 100644 index 000000000..a09ec5bd2 --- /dev/null +++ b/global_helpers/panther_snowflake_helpers.py @@ -0,0 +1,11 @@ +""" Global helpers for Snowflake streaming detections. """ + + +def query_history_alert_context(event): + return { + "user": event.get("user_name", ""), + "role": event.get("role_name", ""), + "source": event.get("p_source_label", ""), + # Not all queries are run in a warehouse; e.g.: getting worksheet files + "warehouse": event.get("WAREHOUSE_NAME", ""), + } diff --git a/global_helpers/panther_snowflake_helpers.yml b/global_helpers/panther_snowflake_helpers.yml new file mode 100644 index 000000000..8222120d3 --- /dev/null +++ b/global_helpers/panther_snowflake_helpers.yml @@ -0,0 +1,5 @@ +AnalysisType: global +Filename: panther_snowflake_helpers.py +GlobalID: "panther_snowflake_helpers" +Description: > + Global helpers for Snowflake streaming detections diff --git a/global_helpers/panther_wiz_helpers.py b/global_helpers/panther_wiz_helpers.py index 39441b50a..96f498fe6 100644 --- a/global_helpers/panther_wiz_helpers.py +++ b/global_helpers/panther_wiz_helpers.py @@ -7,9 +7,33 @@ def wiz_success(event): def wiz_alert_context(event): return { "action": event.get("action", ""), - "user": event.get("user", ""), + "actor": wiz_actor(event), "source_ip": event.get("sourceip", ""), "event_id": event.get("id", ""), - "service_account": event.get("serviceaccount", ""), "action_parameters": event.get("actionparameters", ""), } + + +def wiz_actor(event): + user = event.get("user") + serviceaccount = event.get("serviceAccount") + + if user is not None: + return { + "type": "user", + "id": user.get("id"), + "name": user.get("name"), + } + + if serviceaccount is not None: + return { + "type": "serviceaccount", + "id": serviceaccount.get("id"), + "name": serviceaccount.get("name"), + } + + return { + "type": "unknown", + "id": "", + "name": "", + } diff --git a/global_helpers/panther_zscaler_helpers.py b/global_helpers/panther_zscaler_helpers.py new file mode 100644 index 000000000..a085e7459 --- /dev/null +++ b/global_helpers/panther_zscaler_helpers.py @@ -0,0 +1,19 @@ +def zia_success(event): + if ( + event.deep_get("event", "errorcode", default="") == "None" + and event.deep_get("event", "result", default="") == "SUCCESS" + ): + return True + return False + + +def zia_alert_context(event): + event_data = event.get("event", {}) + return { + "action": event_data.get("action", ""), + "admin_id": event_data.get("adminid", ""), + "category": event_data.get("category", ""), + "client_ip": event_data.get("clientip", ""), + "preaction": event_data.get("preaction", ""), + "postaction": event_data.get("postaction", ""), + } diff --git a/global_helpers/panther_zscaler_helpers.yml b/global_helpers/panther_zscaler_helpers.yml new file mode 100644 index 000000000..674367e94 --- /dev/null +++ b/global_helpers/panther_zscaler_helpers.yml @@ -0,0 +1,5 @@ +AnalysisType: global +Filename: panther_zscaler_helpers.py +GlobalID: "panther_zscaler_helpers" +Description: > + Used to define global helpers for Zscaler events diff --git a/lookup_tables/traildiscover/traildiscover_data.jsonl b/lookup_tables/traildiscover/traildiscover_data.jsonl index 34de5466f..d77fc2a77 100644 --- a/lookup_tables/traildiscover/traildiscover_data.jsonl +++ b/lookup_tables/traildiscover/traildiscover_data.jsonl @@ -1,283 +1,293 @@ -{"eventName": "LeaveOrganization", "eventSource": "organizations.amazonaws.com", "awsService": "Organizations", "description": "Removes a member account from its parent organization.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "An AWS account attempted to leave the AWS Organization", "link": "hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"}], "securityImplications": "Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws organizations leave-organization"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave"}], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization"} -{"eventName": "ListOrganizationalUnitsForParent", "eventSource": "organizations.amazonaws.com", "awsService": "Organizations", "description": "Lists the organizational units (OUs) in a parent organizational unit or root.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [], "securityImplications": "Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws organizations list-organizational-units-for-parent --parent-id r-traildiscover"}], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent"} -{"eventName": "ListAccounts", "eventSource": "organizations.amazonaws.com", "awsService": "Organizations", "description": "Lists all the accounts in the organization.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [], "securityImplications": "Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws organizations list-accounts"}], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts"} -{"eventName": "DescribeOrganization", "eventSource": "organizations.amazonaws.com", "awsService": "Organizations", "description": "Retrieves information about the organization that the user's account belongs to.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws organizations describe-organization"}], "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization"} -{"eventName": "GetParameters", "eventSource": "ssm.amazonaws.com", "awsService": "SSM", "description": "Get information about one or more parameters by specifying multiple parameter names.", "mitreAttackTactics": ["TA0007 - Discovery", "TA0006 - Credential Access"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery", "T1552 - Unsecured Credentials"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Detecting and removing risky actions out of your IAM security policies", "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}], "securityImplications": "Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ssm get-parameters --names TrailDiscoverParameters"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters"}], "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-GetParameters"} -{"eventName": "StartSession", "eventSource": "ssm.amazonaws.com", "awsService": "SSM", "description": "Initiates a connection to a target (for example, a managed node) for a Session Manager session.", "mitreAttackTactics": ["TA0008 - Lateral Movement", "TA0002 - Execution"], "mitreAttackTechniques": ["T1021 - Remote Services", "T1651 - Cloud Administration Command"], "usedInWild": true, "incidents": [{"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "Run Shell Commands on EC2 with Send Command or Session Manager", "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"}], "securityImplications": "Attackers might use StartSession to gain unauthorized access to managed instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ssm start-session --target TrailDiscoverTarget"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session"}], "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-StartSession"} -{"eventName": "DescribeInstanceInformation", "eventSource": "ssm.amazonaws.com", "awsService": "SSM", "description": "Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds"}], "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation"} -{"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com", "awsService": "SSM", "description": "Runs commands on one or more managed nodes.", "mitreAttackTactics": ["TA0008 - Lateral Movement", "TA0002 - Execution"], "mitreAttackTechniques": ["T1021 - Remote Services", "T1651 - Cloud Administration Command"], "usedInWild": true, "incidents": [{"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "Run Shell Commands on EC2 with Send Command or Session Manager", "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"}, {"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ssm send-command --instance-ids \"TrailDiscoverInstanceID\" --document-name \"AWS-RunShellScript\" --parameters commands=ls --output text"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command"}], "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-SendCommand"} -{"eventName": "ResumeSession", "eventSource": "ssm.amazonaws.com", "awsService": "SSM", "description": "Reconnects a session to a managed node after it has been disconnected.", "mitreAttackTactics": ["TA0008 - Lateral Movement", "TA0002 - Execution"], "mitreAttackTechniques": ["T1021 - Remote Services", "T1651 - Cloud Administration Command"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ssm resume-session --session-id TrailDiscoverTarget"}], "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"} -{"eventName": "ListSecrets", "eventSource": "secretsmanager.amazonaws.com", "awsService": "SecretsManager", "description": "Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.", "mitreAttackTactics": ["TA0006 - Credential Access"], "mitreAttackTechniques": ["T1555 - Credentials from Password Stores"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}, {"description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}], "researchLinks": [], "securityImplications": "Attackers might use ListSecrets to list all the secrets and potentially access to them later.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws secretsmanager list-secrets"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets"}], "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets"} -{"eventName": "DescribeSecret", "eventSource": "secretsmanager.amazonaws.com", "awsService": "SecretsManager", "description": "Retrieves the details of a secret.", "mitreAttackTactics": ["TA0006 - Credential Access"], "mitreAttackTechniques": ["T1555 - Credentials from Password Stores"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws secretsmanager describe-secret --secret-id TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret"} -{"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com", "awsService": "SecretsManager", "description": "Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.", "mitreAttackTactics": ["TA0006 - Credential Access"], "mitreAttackTechniques": ["T1555 - Credentials from Password Stores"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets"}], "permissions": "https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue"} -{"eventName": "Encrypt", "eventSource": "kms.amazonaws.com", "awsService": "KMS", "description": "Encrypts plaintext of up to 4,096 bytes using a KMS key. ", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1486 - Data Encrypted for Impact"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use Encrypt to encrypt data for ransom.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/kms#kms-Encrypt"} -{"eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com", "awsService": "KMS", "description": "Schedules the deletion of a KMS key.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": " Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7"}], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion"} -{"eventName": "GenerateDataKeyWithoutPlaintext", "eventSource": "kms.amazonaws.com", "awsService": "KMS", "description": "Returns a unique symmetric data key for use outside of AWS KMS.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1486 - Data Encrypted for Impact"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext"} -{"eventName": "RemoveTargets", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Removes the specified targets from the specified rule.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId"}], "permissions": "https://aws.permissions.cloud/iam/events#events-RemoveTargets"} -{"eventName": "PutRule", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Creates or updates the specified rule.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion", "TA0003 - Persistence"], "mitreAttackTechniques": ["T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure", "T1546 - Event Triggered Execution"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events put-rule --name TrailDiscoverRule --schedule-expression 'rate(5 minutes)' --state ENABLED --description \"TrailDiscover rule\""}], "permissions": "https://aws.permissions.cloud/iam/events#events-PutRule"} -{"eventName": "DisableRule", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Disables the specified rule.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EventBridge Rule Disabled or Deleted", "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html"}, {"description": "AWS EventBridge rule disabled or deleted", "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/"}], "securityImplications": "Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus"}], "permissions": "https://aws.permissions.cloud/iam/events#events-DisableRule"} -{"eventName": "DeleteRule", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Deletes the specified rule.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1489 - Service Stop", "T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EventBridge Rule Disabled or Deleted", "link": "https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html"}, {"description": "AWS EventBridge rule disabled or deleted", "link": "https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/"}], "securityImplications": "Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events delete-rule --name TrailDiscoverRule"}], "permissions": "https://aws.permissions.cloud/iam/events#events-DeleteRule"} -{"eventName": "PutTargets", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1546 - Event Triggered Execution"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events put-targets --rule TrailDiscoverLambdaFunction --targets \"Id\"=\"1\",\"Arn\"=\"arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\""}], "permissions": "https://aws.permissions.cloud/iam/events#events-PutTargets"} -{"eventName": "ListTargetsByRule", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Lists the targets assigned to the specified rule.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events list-targets-by-rule --rule TrailDiscoverRule"}], "permissions": "https://aws.permissions.cloud/iam/events#events-ListTargetsByRule"} -{"eventName": "ListRules", "eventSource": "events.amazonaws.com", "awsService": "events", "description": "Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws events list-rules --name-prefix TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/events#events-ListRules"} -{"eventName": "PutLogEvents", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Uploads a batch of log events to the specified log stream.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-PutLogEvents"} -{"eventName": "CreateLogStream", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Creates a log stream for the specified log group.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-CreateLogStream"} -{"eventName": "DeleteLogStream", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail", "link": "https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"}], "securityImplications": "Attackers might use DeleteLogStream to erase CloudWatch logs, erasing evidence of their activities within AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs delete-log-stream --log-group-name TrailDiscoverLogGroupName --log-stream-name TrailDiscoverLogStreamName"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream"} -{"eventName": "DescribeLogGroups", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Lists the specified log groups.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeLogGroups to discover CloudWatch log configurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs describe-log-groups --log-group-name-prefix TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups"} -{"eventName": "DeleteLogGroup", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Deletes the specified log group and permanently deletes all the archived log events associated with the log group.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Penetration testing of aws-based environments", "link": "https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf"}, {"description": "Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail", "link": "https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"}], "securityImplications": "Attackers might use DeleteLogGroup to erase CloudWatch logs, erasing evidence of their activities within AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs delete-log-group --log-group-name TrailDiscoverLogGroup"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-DeleteLogGroup"} -{"eventName": "GetLogRecord", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Retrieves all of the fields and values of a single log event.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-GetLogRecord"} -{"eventName": "DescribeLogStreams", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Lists the log streams for the specified log group.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeLogStreams to discover CloudWatch log configurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams"} -{"eventName": "DescribeSubscriptionFilters", "eventSource": "logs.amazonaws.com", "awsService": "CloudWatchLogs", "description": "Lists the subscription filters for the specified log group.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName"}], "permissions": "https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters"} -{"eventName": "DeleteAlarms", "eventSource": "monitoring.amazonaws.com", "awsService": "CloudWatch", "description": "Deletes the specified alarms. You can delete up to 100 alarms in one operation.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS CloudWatch Alarm Deletion", "link": "https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"}], "securityImplications": "Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm"}], "permissions": "https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms"} -{"eventName": "UpdateDevEndpoint", "eventSource": "glue.amazonaws.com", "awsService": "Glue", "description": "Updates a specified development endpoint.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"}], "simulation": [{"type": "commandLine", "value": "aws glue update-dev-endpoint --endpoint-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint"} -{"eventName": "CreateJob", "eventSource": "glue.amazonaws.com", "awsService": "Glue", "description": "Creates a new job definition.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\"--job-language\": \"python\"}'"}], "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateJob"} -{"eventName": "CreateDevEndpoint", "eventSource": "glue.amazonaws.com", "awsService": "Glue", "description": "Creates a new development endpoint.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"}], "simulation": [{"type": "commandLine", "value": "aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint"} -{"eventName": "UpdateJob", "eventSource": "glue.amazonaws.com", "awsService": "Glue", "description": "Updates an existing job definition.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws glue update-job --job-name TrailDiscoverJob --job-update '{\"Role\": \"TrailDiscoverRole\", \"Command\": {\"Name\": \"glueetl\", \"ScriptLocation\": \"s3://mybucket/myscript.py\"}}'"}], "permissions": "https://aws.permissions.cloud/iam/glue#glue-UpdateJob"} -{"eventName": "ListServiceQuotas", "eventSource": "servicequotas.amazonaws.com", "awsService": "ServiceQuotas", "description": "Lists the applied quota values for the specified AWS service.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode"}], "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas"} -{"eventName": "RequestServiceQuotaIncrease", "eventSource": "servicequotas.amazonaws.com", "awsService": "ServiceQuotas", "description": "Submits a quota increase request for the specified quota at the account or resource level.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}], "researchLinks": [], "securityImplications": "Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2"}], "permissions": "https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease"} -{"eventName": "GetPublicAccessBlock", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Retrieves an object from Amazon S3.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1048 - Exfiltration Over Alternative Protocol"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Incident 2 - Additional details of the attack", "link": "https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus"}, {"description": "Aruba Central Security Incident", "link": "https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/"}, {"description": "Sendtech Pte. Ltd", "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en"}, {"description": "GotRoot! AWS root Account Takeover", "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"}, {"description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach"}, {"description": "Chegg, Inc", "link": "https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf"}, {"description": "Scattered Spider Attack Analysis", "link": "https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/"}, {"description": "Enumerate AWS Account ID from a Public S3 Bucket", "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/"}, {"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [{"description": "Data Exfiltration through S3 Server Access Logs", "link": "https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/"}, {"description": "S3 Streaming Copy", "link": "https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/"}], "securityImplications": "Attackers might use GetObject to download data from S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetObject"} -{"eventName": "GetBucketPolicy", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns the policy of a specified bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-policy --bucket TrailDiscoverBucket"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy"} -{"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns a list of all buckets owned by the authenticated sender of the request.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "A Technical Analysis of the Capital One Cloud Misconfiguration Breach", "link": "https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach"}, {"description": "Enumerate AWS Account ID from a Public S3 Bucket", "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}, {"description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"}], "simulation": [{"type": "commandLine", "value": "aws s3api list-buckets --query \"Buckets[].Name\""}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}], "permissions": "N/A"} -{"eventName": "GetBucketVersioning", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns the versioning state of a bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-versioning --bucket TrailDiscoverBucket"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning"} -{"eventName": "GetBucketTagging", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns the tag set associated with the bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-tagging --bucket TrailDiscoverBucket"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging"} -{"eventName": "PutBucketVersioning", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Sets the versioning state of an existing bucket.", "mitreAttackTactics": ["TA0040 - Impact", "TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1490 - Inhibit System Recovery", "T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}], "researchLinks": [{"description": "Exfiltrating S3 Data with Bucket Replication Policies", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "securityImplications": "Attackers might set the versioning to 'Suspended' before deleting data. Attackers might enable versioning to add bucket replication to exfiltrate data.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml"}], "simulation": [{"type": "commandLine", "value": "aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning"} -{"eventName": "GetBucketLogging", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns the logging status of a bucket and the permissions users have to view and modify that status.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-logging --bucket TrailDiscoverBucket"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging"} -{"eventName": "ListVaults", "eventSource": "glacier.amazonaws.com", "awsService": "S3", "description": "This operation lists all vaults owned by the calling user’s account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1619 - Cloud Storage Object Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}, {"description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}], "researchLinks": [], "securityImplications": "Attackers might use ListVaults to identify data such as archived training data or related datasets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws glacier list-vaults --account-id -"}], "permissions": "https://aws.permissions.cloud/iam/glacier#glacier-ListVaults"} -{"eventName": "DeleteBucketPolicy", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Deletes the policy of a specified bucket.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS S3 Bucket Configuration Deletion", "link": "https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html"}], "securityImplications": "Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}], "simulation": [{"type": "commandLine", "value": "aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy"} -{"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Sets the permissions on an existing bucket using access control lists (ACL).", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1048 - Exfiltration Over Alternative Protocol"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS S3 Bucket ACL made public", "link": "https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/"}], "securityImplications": "Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}], "simulation": [{"type": "commandLine", "value": "aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl"} -{"eventName": "DeleteObject", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Removes an object from a bucket. The behavior depends on the bucket's versioning state.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "The attack on ONUS – A real-life case of the Log4Shell vulnerability", "link": "https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability"}, {"description": "20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets", "link": "https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/"}, {"description": "Hacker Puts Hosting Service Code Spaces Out of Business", "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteObject to erase crucial data from S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-DeleteObject"} -{"eventName": "HeadObject", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "The HEAD operation retrieves metadata from an object without returning the object itself.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1619 - Cloud Storage Object Discovery"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "researchLinks": [], "securityImplications": "Attackers might use HeadObject to gather metadata about sensitive files stored in S3.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "ListObjects", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns some or all (up to 1,000) of the objects in a bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1619 - Cloud Storage Object Discovery"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}, {"description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}], "researchLinks": [], "securityImplications": "Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "JobCreated", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Exfiltrating S3 Data with Bucket Replication Policies", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "securityImplications": "Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "GetBucketReplication", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Returns the replication configuration of a bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-replication --bucket TrailDiscoverBucket"}], "permissions": "N/A"} -{"eventName": "PutBucketReplication", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Creates a replication configuration or replaces an existing one.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Exfiltrating S3 Data with Bucket Replication Policies", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "securityImplications": "Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}], "simulation": [{"type": "commandLine", "value": "aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\"Role\":\"\",\"Rules\":[]}'"}], "permissions": "N/A"} -{"eventName": "GetBucketAcl", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [{"description": "Public S3 bucket through bucket ACL", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/"}], "securityImplications": "Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws s3api get-bucket-acl --bucket TrailDiscoverBucket"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl"} -{"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": true, "incidents": [{"description": "USA VS Nickolas Sharp", "link": "https://www.justice.gov/usao-sdny/press-release/file/1452706/dl"}], "researchLinks": [], "securityImplications": "Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}], "simulation": [{"type": "commandLine", "value": "aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\"Rules\":[{\"ID\":\"\",\"Status\": \"Enabled\", \"Prefix\": \"TrailDiscover/\"}]}'"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule"}], "permissions": "N/A"} -{"eventName": "PutObject", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Adds an object to a bucket.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1565 - Data Manipulation"], "usedInWild": true, "incidents": [{"description": "Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020", "link": "https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020"}, {"description": "LA Times homicide website throttles cryptojacking attack", "link": "https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack"}], "researchLinks": [], "securityImplications": "Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutObject"} -{"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "awsService": "S3", "description": "Applies an Amazon S3 bucket policy to an Amazon S3 bucket.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1048 - Exfiltration Over Alternative Protocol"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Detecting and removing risky actions out of your IAM security policies", "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}], "securityImplications": "Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}], "simulation": [{"type": "commandLine", "value": "aws s3api put-bucket-policy --bucket TrailDiscover --policy {}"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy"}], "permissions": "https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy"} -{"eventName": "GetSMSSandboxAccountStatus", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}], "researchLinks": [{"description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}], "securityImplications": "Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sns get-sms-sandbox-account-status"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus"} -{"eventName": "GetSMSAttributes", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Returns the settings for sending SMS messages from your AWS account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}, {"description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sns get-sms-attributes --attributes TrailDiscoverAttributes"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes"} -{"eventName": "ListOriginationNumbers", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}], "securityImplications": "Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sns list-origination-numbers"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers"} -{"eventName": "Publish", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}, {"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [], "securityImplications": "Attackers might use Publish for smishing campaigns.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-Publish"} -{"eventName": "ListTopics", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Returns a list of the requester's topics.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}], "securityImplications": "Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sns list-topics"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListTopics"} -{"eventName": "ListSubscriptions", "eventSource": "sns.amazonaws.com", "awsService": "SNS", "description": "Lists the calling AWS account's dedicated origination numbers and their metadata.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS", "link": "https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}], "securityImplications": "Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sns list-subscriptions"}], "permissions": "https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions"} -{"eventName": "DeleteDeliveryChannel", "eventSource": "config.amazonaws.com", "awsService": "Config", "description": "Deletes the delivery channel.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Config Resource Deletion", "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"}, {"description": "AWS Config modified", "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"}, {"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"}], "simulation": [{"type": "commandLine", "value": "aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel"}], "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel"} -{"eventName": "DeleteConfigRule", "eventSource": "config.amazonaws.com", "awsService": "Config", "description": "Deletes the specified AWS Config rule and all of its evaluation results.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Config Resource Deletion", "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"}], "securityImplications": "Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws configservice delete-config-rule --config-rule-name TrailDiscoverConfigRule"}], "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigRule"} -{"eventName": "StopConfigurationRecorder", "eventSource": "config.amazonaws.com", "awsService": "Config", "description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Configuration Recorder Stopped", "link": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped"}, {"description": "AWS Config modified", "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"}, {"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"}], "simulation": [{"type": "commandLine", "value": "aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder"}], "permissions": "https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder"} -{"eventName": "DeleteConfigurationRecorder", "eventSource": "config.amazonaws.com", "awsService": "Config", "description": "Deletes the configuration recorder.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Config Resource Deletion", "link": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"}], "securityImplications": "Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder"}], "permissions": "https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder"} -{"eventName": "GetId", "eventSource": "cognito-identity.amazonaws.com", "awsService": "CognitoIdentity", "description": "Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1078 - Valid Accounts"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Overpermissioned AWS Cognito Identity Pools", "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation"}], "securityImplications": "Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId"} -{"eventName": "GetCredentialsForIdentity", "eventSource": "cognito-identity.amazonaws.com", "awsService": "CognitoIdentity", "description": "Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1078 - Valid Accounts"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Overpermissioned AWS Cognito Identity Pools", "link": "https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation"}], "securityImplications": "Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity"} -{"eventName": "GetCostAndUsage", "eventSource": "ce.amazonaws.com", "awsService": "CostExplorer", "description": "Retrieves cost and usage metrics for your account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [], "securityImplications": "Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment"}], "permissions": "https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage"} -{"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.", "mitreAttackTactics": ["TA0001 - Initial Access"], "mitreAttackTechniques": ["T1199 - Trusted Relationship"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS - STS Privesc", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc"}], "securityImplications": "Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"}], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML"} -{"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns details about the IAM user or role whose credentials are used to call the operation.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "GotRoot! AWS root Account Takeover", "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}, {"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}, {"description": "Enumerate AWS Account ID from an EC2 Instance", "link": "https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/"}], "securityImplications": "Attackers might use GetCallerIdentity to know what user or role are they using. This request does not need any permission.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sts get-caller-identity"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity"} -{"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1078 - Valid Accounts"], "usedInWild": false, "incidents": [{"description": "How Adversaries Can Persist with AWS User Federation", "link": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"}], "researchLinks": [{"description": "Create a Console Session from IAM Credentials", "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"}, {"description": "Survive Access Key Deletion with sts:GetFederationToken", "link": "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"}], "securityImplications": "Attackers might use GetFederationToken to gain temporary access credentials.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetFederationToken"} -{"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns a set of temporary credentials for an AWS account or IAM user.", "mitreAttackTactics": ["TA0001 - Initial Access"], "mitreAttackTechniques": ["T1199 - Trusted Relationship"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS STS GetSessionToken Abuse", "link": "https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html"}], "securityImplications": "Attackers might use GetSessionToken to obtain temporary access credentials.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"}], "simulation": [{"type": "commandLine", "value": "aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-GetSessionToken"} -{"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns a set of temporary security credentials that you can use to access AWS resources.", "mitreAttackTactics": ["TA0001 - Initial Access", "TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1199 - Trusted Relationship", "T1078 - Valid Accounts"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Trouble in Paradise", "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"}], "researchLinks": [{"description": "Role Chain Juggling", "link": "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/"}, {"description": "Detecting and removing risky actions out of your IAM security policies", "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}], "securityImplications": "Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRole"} -{"eventName": "AssumeRoleWithWebIdentity", "eventSource": "sts.amazonaws.com", "awsService": "STS", "description": "Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.", "mitreAttackTactics": ["TA0001 - Initial Access", "TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1199 - Trusted Relationship", "T1550 - Use Alternate Authentication Material"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk", "link": "https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/"}], "securityImplications": "Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity"} -{"eventName": "PublishFunction", "eventSource": "cloudfront.amazonaws.com", "awsService": "CloudFront", "description": "Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1119 - Automated Collection"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "How Attackers Can Misuse AWS CloudFront Access to Make It ‘Rain’ Cookies", "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}], "securityImplications": "Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function"}], "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction"} -{"eventName": "CreateFunction", "eventSource": "cloudfront.amazonaws.com", "awsService": "CloudFront", "description": "Creates a CloudFront function.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1119 - Automated Collection"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "How Attackers Can Misuse AWS CloudFront Access to Make It ‘Rain’ Cookies", "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}], "securityImplications": "Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo="}], "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction"} -{"eventName": "UpdateDistribution", "eventSource": "cloudfront.amazonaws.com", "awsService": "CloudFront", "description": "Updates the configuration for a CloudFront distribution.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1119 - Automated Collection"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "How Attackers Can Misuse AWS CloudFront Access to Make It ‘Rain’ Cookies", "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}], "securityImplications": "Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\"CallerReference\":\"\", \"Origins\":{\"Quantity\":1,\"Items\":[{\"Id\":\"\", \"DomainName\":\"\"}]}, \"DefaultCacheBehavior\":{\"TargetOriginId\":\"\", \"ViewerProtocolPolicy\":\"\"}, \"Comment\":\"\", \"Enabled\":false }'"}], "permissions": "https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution"} -{"eventName": "UpdateIPSet", "eventSource": "wafv2.amazonaws.com", "awsService": "WAFV2", "description": "Updates the specified IPSet.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Incident Response", "link": "https://easttimor.github.io/aws-incident-response/"}], "securityImplications": "Attackers might use UpdateIPSet to modify IP address rules, potentially allowing unauthorized access from IPs they control.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5"}], "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-UpdateIPSet"} -{"eventName": "DeleteRuleGroup", "eventSource": "wafv2.amazonaws.com", "awsService": "WAFV2", "description": "Deletes the specified RuleGroup.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS WAF Rule or Rule Group Deletion", "link": "https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html"}, {"description": "AWS Incident Response", "link": "https://easttimor.github.io/aws-incident-response/"}], "securityImplications": "Attackers might use DeleteRuleGroup to disable security rules, making the system vulnerable to cyber attacks.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws wafv2 delete-rule-group --name TestRuleGroup --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0"}], "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteRuleGroup"} -{"eventName": "DeleteWebACL", "eventSource": "wafv2.amazonaws.com", "awsService": "WAFV2", "description": "Deletes the specified WebACL.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Incident Response", "link": "https://easttimor.github.io/aws-incident-response/"}], "securityImplications": "Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken"}], "permissions": "https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL"} -{"eventName": "GetRegions", "eventSource": "lightsail.amazonaws.com", "awsService": "LightSail", "description": "Returns a list of all valid regions for Amazon Lightsail.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lightsail get-regions"}], "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions"} -{"eventName": "CreateInstances", "eventSource": "lightsail.amazonaws.com", "awsService": "Lightsail", "description": "Creates one or more Amazon Lightsail instances.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0040 - Impact"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. The use of lightsail might not be monitored.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0"}], "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances"} -{"eventName": "GetInstances", "eventSource": "lightsail.amazonaws.com", "awsService": "LightSail", "description": "Returns information about all Amazon Lightsail virtual private servers, or instances.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use GetInstances to gather information about running instances for potential exploitation.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lightsail get-instances"}], "permissions": "https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances"} -{"eventName": "CreateService", "eventSource": "ecs.amazonaws.com", "awsService": "ECS", "description": "Runs and maintains your desired number of tasks from a specified task definition.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition"}], "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateService"} -{"eventName": "RegisterTaskDefinition", "eventSource": "ecs.amazonaws.com", "awsService": "ECS", "description": "Registers a new task definition from the supplied family and containerDefinitions.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "researchLinks": [], "securityImplications": "Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"}], "simulation": [{"type": "commandLine", "value": "aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\"name\":\"bench-container\", \"cpu\":2048, \"memory\":4092 }]'"}], "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition"} -{"eventName": "CreateCluster", "eventSource": "ecs.amazonaws.com", "awsService": "ECS", "description": "Creates a new Amazon ECS cluster.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml"}], "simulation": [{"type": "commandLine", "value": "aws ecs create-cluster --cluster-name TrailDiscoverCluster"}], "permissions": "https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster"} -{"eventName": "Search", "eventSource": "resource-explorer-2.amazonaws.com", "awsService": "ResourceExplorer", "description": "Searches for resources and displays details about all resources that match the specified criteria.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}], "researchLinks": [], "securityImplications": "Attackers might use Search to list resorces.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws resource-explorer-2 search --query-string 'service:iam'"}], "permissions": "https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search"} -{"eventName": "CreateRule", "eventSource": "elasticloadbalancing.amazonaws.com", "awsService": "ELBv2", "description": "Creates a rule for the specified listener.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}], "securityImplications": "Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions '[{}]'"}], "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule"} -{"eventName": "DescribeListeners", "eventSource": "elasticloadbalancing.amazonaws.com", "awsService": "ELBv2", "description": "Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}], "securityImplications": "Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws elbv2 describe-listeners"}], "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners"} -{"eventName": "DescribeLoadBalancers", "eventSource": "elasticloadbalancing.amazonaws.com", "awsService": "ELBv2", "description": "Describes the specified load balancers or all of your load balancers.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data", "link": "https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}], "securityImplications": "Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer"}], "permissions": "https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers"} -{"eventName": "InvokeModel", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.", "mitreAttackTactics": ["TA0007 - Discovery", "TA0040 - Impact"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery", "T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel"} -{"eventName": "ListFoundationModelAgreementOffers", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to get a list of foundation model agreement offers.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers"} -{"eventName": "PutUseCaseForModelAccess", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to put a use case for model access.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess"} -{"eventName": "ListFoundationModels", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to list Bedrock foundation models that you can use.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use ListFoundationModels to enumerate accessible models.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels"} -{"eventName": "GetUseCaseForModelAccess", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to retrieve a use case for model access.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use GetUseCaseForModelAccess to enumerate accessible models.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess"} -{"eventName": "ListProvisionedModelThroughputs", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to list provisioned model throughputs that you created earlier.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs"} -{"eventName": "InvokeModelWithResponseStream", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream"} -{"eventName": "GetFoundationModelAvailability", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to get the availability of a foundation model.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use GetFoundationModelAvailability to enumerate accessible models", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability"} -{"eventName": "PutFoundationModelEntitlement", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to put entitlement to access a foundation model.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement"} -{"eventName": "CreateFoundationModelAgreement", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Grants permission to create a new foundation model agreement.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [], "securityImplications": "Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement"} -{"eventName": "GetModelInvocationLoggingConfiguration", "eventSource": "bedrock.amazonaws.com", "awsService": "Bedrock", "description": "Get the current configuration values for model invocation logging.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "LLMjacking: Stolen Cloud Credentials Used in New AI Attack", "link": "https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/"}], "researchLinks": [], "securityImplications": "Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration"} -{"eventName": "PutEventSelectors", "eventSource": "cloudtrail.amazonaws.com", "awsService": "CloudTrail", "description": "Configures an event selector or advanced event selectors for your trail.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "cloudtrail_guardduty_bypass", "link": "https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass"}, {"description": "Detecting and removing risky actions out of your IAM security policies", "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}], "securityImplications": "Attackers might use PutEventSelectors to disrupting AWS logging.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\"ReadWriteType\": \"All\", \"IncludeManagementEvents\":true, \"DataResources\": [{\"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3\"]}] }]'"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors"}], "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors"} -{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "awsService": "CloudTrail", "description": "Suspends the recording of AWS API calls and log file delivery for the specified trail.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "Stopping a CloudTrail trail", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/"}, {"description": "AWS Defense Evasion Stop Logging Cloudtrail", "link": "https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/"}, {"description": "AWS Defense Evasion and Centralized Multi-Account Logging", "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/"}, {"description": "Disrupting AWS logging", "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"}, {"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}], "securityImplications": "Attackers might use StopLogging to disrupting AWS logging.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}], "simulation": [{"type": "commandLine", "value": "aws cloudtrail stop-logging --name TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop"}], "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging"} -{"eventName": "UpdateTrail", "eventSource": "cloudtrail.amazonaws.com", "awsService": "CloudTrail", "description": "Updates trail settings that control what events you are logging, and how to handle log files.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Defense Evasion and Centralized Multi-Account Logging", "link": "https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/"}, {"description": "Disrupting AWS logging", "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"}], "securityImplications": "Attackers might use UpdateTrail to disrupting AWS logging.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}], "simulation": [{"type": "commandLine", "value": "aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName"}], "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail"} -{"eventName": "LookupEvents", "eventSource": "cloudtrail.amazonaws.com", "awsService": "CloudTrail", "description": "Looks up management events or CloudTrail Insights events that are captured by CloudTrail.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1654 - Log Enumeration"], "usedInWild": true, "incidents": [{"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [], "securityImplications": "Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents"} -{"eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com", "awsService": "CloudTrail", "description": "Deletes a trail.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "AWS Defense Evasion Delete Cloudtrail", "link": "https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/"}, {"description": "Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail", "link": "https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"}, {"description": "Disrupting AWS logging", "link": "https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"}], "securityImplications": "Attackers might use DeleteTrail to disrupting AWS logging.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}], "simulation": [{"type": "commandLine", "value": "aws cloudtrail delete-trail --name TrailDiscoverTrailName"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete"}], "permissions": "https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail"} -{"eventName": "AddUserToGroup", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds the specified user to the specified group.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup"} -{"eventName": "SetDefaultPolicyVersion", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Sets the specified version of the specified policy as the policy's default (operative) version.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion"} -{"eventName": "PutUserPermissionsBoundary", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds or updates the policy that is specified as the IAM user's permissions boundary.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary"} -{"eventName": "ListSAMLProviders", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the SAML provider resource objects defined in IAM in the account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use ListSAMLProviders to discover if there are SAML providers configured.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-saml-providers"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders"} -{"eventName": "ListAccessKeys", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Returns information about the access key IDs associated with the specified IAM user.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}], "researchLinks": [], "securityImplications": "Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-access-keys --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys"} -{"eventName": "UpdateAssumeRolePolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Updates the policy that grants an IAM entity permission to assume a role.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "AWS IAM Persistence Methods", "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}], "securityImplications": "Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy"} -{"eventName": "ListSSHPublicKeys", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Returns information about the SSH public keys associated with the specified IAM user.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-ssh-public-keys --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys"} -{"eventName": "ListUsers", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-users"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUsers"} -{"eventName": "DeleteRolePermissionsBoundary", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the permissions boundary for the specified IAM role.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam delete-role-permissions-boundary --role-name trail-discover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary"} -{"eventName": "DeleteUserPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the specified inline policy that is embedded in the specified IAM user.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy"} -{"eventName": "ListGroupsForUser", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the IAM groups that the specified IAM user belongs to.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-groups-for-user --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser"} -{"eventName": "CreateRole", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a new role for your AWS account.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1136 - Create Account"], "usedInWild": true, "incidents": [{"description": "Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet", "link": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf"}, {"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateRole"} -{"eventName": "DeleteAccessKey", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the access key pair associated with the specified IAM user.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey"} -{"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1136 - Create Account", "T1078 - Valid Accounts"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", "link": "https://sysdig.com/blog/scarleteel-2-0/"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"}, {"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "AWS IAM Persistence Methods", "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}], "securityImplications": "Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam create-access-key --user-name TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey"} -{"eventName": "DeleteLoginProfile", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the password for the specified IAM user.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal"], "usedInWild": true, "incidents": [{"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. Also, it might be used to delete a previously added profile to avoid detection.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam delete-login-profile --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile"} -{"eventName": "AddRoleToInstanceProfile", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds the specified IAM role to the specified instance profile.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)", "link": "https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5"}], "securityImplications": "Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile"} -{"eventName": "ListInstanceProfiles", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-instance-profiles"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles"} -{"eventName": "GetAccountAuthorizationDetails", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS - IAM Enum", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}], "securityImplications": "Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam get-account-authorization-details"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails"} -{"eventName": "DeleteRolePolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the specified inline policy that is embedded in the specified IAM role.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy"} -{"eventName": "ListSigningCertificates", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Returns information about the signing certificates associated with the specified IAM user.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use ListSigningCertificates to review which users have active certificates", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-signing-certificates --user-name traildiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates"} -{"eventName": "ListRoles", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the IAM roles that have the specified path prefix. ", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [{"description": "AWS - IAM Enum", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}], "securityImplications": "Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-roles"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRoles"} -{"eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a new version of the specified managed policy.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion"} -{"eventName": "ListRolePolicies", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the names of the inline policies that are embedded in the specified IAM role.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-role-policies --role-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies"} -{"eventName": "SimulatePrincipalPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. Using this technique might allow attackers to evade defenses while enumerating permissions.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy"} -{"eventName": "ChangePassword", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Changes the password of the IAM user who is calling this operation.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1136 - Create Account", "T1078 - Valid Accounts"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS CloudTrail cheat sheet", "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet"}, {"description": "IAM User Changes Alarm", "link": "https://asecure.cloud/a/cwalarm_iam_user_changes/"}], "securityImplications": "Attackers might use ChangePassword to alter user credentials.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam change-password --old-password TrailDiscover --new-password TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ChangePassword"} -{"eventName": "GetLoginProfile", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Retrieves the user name for the specified IAM user.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [], "securityImplications": "Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam get-login-profile --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile"} -{"eventName": "ListGroups", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists the IAM groups that have the specified path prefix.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [{"description": "AWS - IAM Enum", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}], "securityImplications": "Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-groups"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListGroups"} -{"eventName": "CreateLoginProfile", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1078 - Valid Accounts"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "AWS IAM Persistence Methods", "link": "https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}], "securityImplications": "Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile"} -{"eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a new IAM user for your AWS account.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1136 - Create Account"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Responding to an attack in AWS", "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "Trouble in Paradise", "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Exposed long-lived access key resulted in unauthorized access", "link": "https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ"}, {"description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", "link": "https://sysdig.com/blog/scarleteel-2-0/"}, {"description": "Insider Threat Risks to Flat Environments", "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "Sendtech Pte. Ltd", "link": "https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en"}, {"description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [{"description": "Creating a new IAM user", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/"}, {"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges within AWS environments by creating new IAM users with strategic permissions.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam create-user --user-name TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateUser"} -{"eventName": "PutRolePermissionsBoundary", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds or updates the policy that is specified as the IAM role's permissions boundary.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary"} -{"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Attaches the specified managed policy to the specified user.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy"} -{"eventName": "ListOpenIDConnectProviders", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-open-id-connect-providers"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders"} -{"eventName": "ListAttachedRolePolicies", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Lists all managed policies that are attached to the specified IAM role.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-attached-role-policies --role-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies"} -{"eventName": "DeleteUser", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the specified IAM user.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Insider Threat Risks to Flat Environments", "link": "https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. Also, it can be used to delete previously used users to avoid detection.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam delete-user --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUser"} -{"eventName": "UpdateAccessKey", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Changes the status of the specified access key from Active to Inactive, or vice versa.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS - IAM Privesc", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc"}], "securityImplications": "Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey"} -{"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds or updates an inline policy document that is embedded in the specified IAM user.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}, {"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy"} -{"eventName": "DetachRolePolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Removes the specified managed policy from the specified role.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy"} -{"eventName": "DeleteUserPermissionsBoundary", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deletes the permissions boundary for the specified IAM user.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam delete-user-permissions-boundary --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary"} -{"eventName": "DetachUserPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Removes the specified managed policy from the specified user.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy"} -{"eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml"}], "simulation": [{"type": "commandLine", "value": "aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile"} -{"eventName": "PutGroupPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds or updates an inline policy document that is embedded in the specified IAM group.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy"} -{"eventName": "AttachGroupPolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Attaches the specified managed policy to the specified IAM group.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy"} -{"eventName": "GetUser", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "GotRoot! AWS root Account Takeover", "link": "https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"}, {"description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}], "researchLinks": [], "securityImplications": "Attackers might use GetUser to obtain user information.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam get-user --user-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-GetUser"} -{"eventName": "PutRolePolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy"} -{"eventName": "DeactivateMFADevice", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Deactivation of MFA Device", "link": "https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html"}], "securityImplications": "Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice"} -{"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}], "simulation": [{"type": "commandLine", "value": "aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy"} -{"eventName": "CreateGroup", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Creates a new group.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Group Creation", "link": "https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html"}], "securityImplications": "Attackers use CreateGroup to create a group that they can use to escalate privileges.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam create-group --group-name TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-CreateGroup"} -{"eventName": "ListServiceSpecificCredentials", "eventSource": "iam.amazonaws.com", "awsService": "IAM", "description": "Returns information about the service-specific credentials associated with the specified IAM user.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com"}], "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials"} -{"eventName": "SwitchRole", "eventSource": "signin.amazonaws.com", "awsService": "SignIn", "description": "This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS CloudTrail cheat sheet", "link": "https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet"}], "securityImplications": "Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "PasswordRecoveryRequested ", "eventSource": "signin.amazonaws.com", "awsService": "SignIn", "description": "This is the CloudTrail event generated when you request a password recovery.", "mitreAttackTactics": ["TA0001 - Initial Access"], "mitreAttackTechniques": ["T1078 - Valid Accounts"], "usedInWild": true, "incidents": [{"description": "An Ongoing AWS Phishing Campaign", "link": "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"}, {"description": "Disclosure of Security Incidents on imToken", "link": "https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken"}], "researchLinks": [], "securityImplications": "Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "N/A"} -{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsService": "SignIn", "description": "This is the CloudTrail event generated when you sign-in.", "mitreAttackTactics": ["TA0001 - Initial Access"], "mitreAttackTechniques": ["T1078 - Valid Accounts"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Responding to an attack in AWS", "link": "https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac"}, {"description": "Credential Phishing", "link": "https://ramimac.me/aws-phishing#credential-phishing"}, {"description": "Incident report: From CLI to console, chasing an attacker in AWS", "link": "https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies", "link": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"}], "researchLinks": [{"description": "Compromising AWS Console credentials", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/"}, {"description": "Create a Console Session from IAM Credentials", "link": "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"}, {"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}], "securityImplications": "Attackers might access via AWS console (generating a ConsoleLogin event).", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6"}, {"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3"}], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa"}], "permissions": "N/A"} -{"eventName": "AssociateAccessPolicy", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Associates an access policy and its scope to an access entry.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks associate-access-policy --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy"} -{"eventName": "DescribeCluster", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Describes an Amazon EKS cluster.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks describe-cluster --name TrailDiscoverCluster"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeCluster"} -{"eventName": "ListAssociatedAccessPolicies", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Lists the access policies associated with an access entry.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies"} -{"eventName": "CreateAccessEntry", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Creates an access entry.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry"} -{"eventName": "DescribeAccessEntry", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Describes an access entry.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry"} -{"eventName": "ListClusters", "eventSource": "eks.amazonaws.com", "awsService": "EKS", "description": "Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "New attack vectors in EKS", "link": "https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}], "securityImplications": "Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint potential targets for subsequent attacks.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws eks list-clusters"}], "permissions": "https://aws.permissions.cloud/iam/eks#eks-ListClusters"} -{"eventName": "GetIntrospectionSchema", "eventSource": "appsync.amazonaws.com", "awsService": "AppSync", "description": "Retrieves the introspection schema for a GraphQL API.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker’s Backdoor", "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}], "securityImplications": "Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws appsync get-introspection-schema --api-id TrailDiscover --format json output"}], "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema"} -{"eventName": "CreateApiKey", "eventSource": "appsync.amazonaws.com", "awsService": "AppSync", "description": "Creates a unique key that you can distribute to clients who invoke your API.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0003 - Persistence"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1556 - Modify Authentication Process"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker’s Backdoor", "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}], "securityImplications": "Attackers might use CreateApiKey to add a key they control for authentication. Bypassing current authentication and potentially allowing persistent access to data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws appsync create-api-key --api-id TrailDiscoverApiId"}], "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey"} -{"eventName": "UpdateResolver", "eventSource": "appsync.amazonaws.com", "awsService": "AppSync", "description": "Updates a Resolver object.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0003 - Persistence"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1556 - Modify Authentication Process"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker’s Backdoor", "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}], "securityImplications": "Attackers might use UpdateResolver to execute custom code that could allow potential access to data and bypass protections.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template TrailDiscoverResponseMappingTemplate"}], "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver"} -{"eventName": "UpdateGraphqlApi", "eventSource": "appsync.amazonaws.com", "awsService": "AppSync", "description": "Updates a GraphqlApi object.", "mitreAttackTactics": ["TA0005 - Defense Evasion", "TA0003 - Persistence"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1556 - Modify Authentication Process"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker’s Backdoor", "link": "https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}], "securityImplications": "Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel"}], "permissions": "https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi"} -{"eventName": "UpdateFunctionCode20150331v2", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0040 - Impact", "TA0009 - Collection"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1496 - Resource Hijacking", "T1119 - Automated Collection"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}, {"description": "How Attackers Can Misuse AWS CloudFront Access to Make It ‘Rain’ Cookies", "link": "https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}], "securityImplications": "Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda update-function-code --function-name my-function"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode"} -{"eventName": "CreateFunction20150331", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Creates a Lambda function.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation", "TA0040 - Impact"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Mining Crypto", "link": "https://twitter.com/jonnyplatt/status/1471453527390277638"}, {"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction"} -{"eventName": "AddPermission20150331v2", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Grants an AWS service, AWS account, or AWS organization permission to use a function.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-AddPermission"} -{"eventName": "UpdateFunctionConfiguration20150331v2", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Modify the version-specific settings of a Lambda function.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}, {"description": "LambdaSpy - Implanting the Lambda execution environment (Part two)", "link": "https://www.clearvector.com/blog/lambda-spy/"}], "securityImplications": "Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda update-function-configuration --function-name my-function --memory-size 256"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration"} -{"eventName": "UpdateEventSourceMapping20150331", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}], "securityImplications": "Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping"} -{"eventName": "Invoke", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Invokes a Lambda function.", "mitreAttackTactics": ["TA0040 - Impact", "TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Mining Crypto", "link": "https://twitter.com/jonnyplatt/status/1471453527390277638"}, {"description": "Cloud Security Stories: From Risky Permissions to Ransomware Execution", "link": "https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use Invoke to execute previously modified functions in AWS Lambda.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction"} -{"eventName": "CreateEventSourceMapping20150331", "eventSource": "lambda.amazonaws.com", "awsService": "Lambda", "description": "Creates a mapping between an event source and an AWS Lambda function.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}], "securityImplications": "Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue"}], "permissions": "https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping"} -{"eventName": "CreateServer", "eventSource": "transfer.amazonaws.com", "awsService": "TransferFamily", "description": "Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "Muddled Libra’s Evolution to the Cloud", "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED"}], "permissions": "https://aws.permissions.cloud/iam/transfer#transfer-CreateServer"} -{"eventName": "DeleteMembers", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers"} -{"eventName": "CreateFilter", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Creates a filter using the specified finding criteria.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\"Criterion\": {\"service.action.actionType\": {\"Eq\": [\"TrailDiscover\"]}}}' --action NOOP"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter"} -{"eventName": "DisassociateFromMasterAccount", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Disassociates the current GuardDuty member account from its administrator account.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty disassociate-from-master-account --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount"} -{"eventName": "GetFindings", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Returns a list of findings that match the specified criteria.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use GetFindings to identify if previous actions generated alerts.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings"} -{"eventName": "CreateIPSet", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Creates a new IPSet, which is called a trusted IP list in the console user interface.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml"}], "simulation": [{"type": "commandLine", "value": "aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet"} -{"eventName": "DeleteDetector", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Deletes an Amazon GuardDuty detector that is specified by the detector ID.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "AWS GuardDuty detector deleted", "link": "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/"}, {"description": "AWS GuardDuty Evasion", "link": "https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1"}, {"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty delete-detector --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector"} -{"eventName": "StopMonitoringMembers", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Stops GuardDuty monitoring for the specified member accounts.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use StopMonitoringMembers to halt the surveillance of specific AWS accounts, reducing security visibility.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers"} -{"eventName": "GetDetector", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Retrieves an Amazon GuardDuty detector specified by the detectorId.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty get-detector --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector"} -{"eventName": "DeletePublishingDestination", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Deletes the publishing definition with the specified destinationId.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination"} -{"eventName": "DisassociateMembers", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Threat Hunting with CloudTrail and GuardDuty in Splunk", "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"}], "securityImplications": "Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers"} -{"eventName": "DeleteInvitations", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty delete-invitations --account-ids 111222333444"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations"} -{"eventName": "UpdateDetector", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Updates the GuardDuty detector specified by the detectorId.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector"} -{"eventName": "ListIPSets", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Lists the IPSets of the GuardDuty service specified by the detector ID.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use ListIPSets to identify what IPs won't generate an alert.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets"} -{"eventName": "ListDetectors", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Lists detectorIds of all the existing Amazon GuardDuty detector resources.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "Modify GuardDuty Configuration", "link": "https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}], "securityImplications": "Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty list-detectors"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors"} -{"eventName": "ListFindings", "eventSource": "guardduty.amazonaws.com", "awsService": "GuardDuty", "description": "Lists GuardDuty findings for the specified detector ID.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use ListFindings to identify if previous actions generated alerts.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws guardduty list-findings --detector-id TrailDiscoverDetectorId"}], "permissions": "https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings"} -{"eventName": "IssueCertificate", "eventSource": "acm-pca.amazonaws.com", "awsService": "ACMPCA", "description": "Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1040- Network Sniffing"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS API Call Hijacking via ACM-PCA", "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}], "securityImplications": "Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate"} -{"eventName": "GetCertificate", "eventSource": "acm-pca.amazonaws.com", "awsService": "ACMPCA", "description": "Retrieves a certificate from your private CA or one that has been shared with you.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1040- Network Sniffing"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS API Call Hijacking via ACM-PCA", "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}], "securityImplications": "Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc"}], "permissions": "https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate"} -{"eventName": "GetAccountSendingEnabled", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Returns the email sending status of the Amazon SES account for the current Region.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "securityImplications": "Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses get-account-sending-enabled"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled"} -{"eventName": "VerifyEmailIdentity", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses verify-email-identity --email-address TrailDiscoverEmail"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity"} -{"eventName": "GetAccount", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Lists the applied quota values for the specified AWS service.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use GetAccount to gather sensitive information about the AWS SES account for malicious purposes.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sesv2 get-account"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetAccount"} -{"eventName": "CreateEmailIdentity", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws sesv2 create-email-identity --email-identity cloudtrail.cloud"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity"} -{"eventName": "DeleteIdentity", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Deletes the specified identity (an email address or a domain) from the list of verified identities.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure", "T1070 - Indicator Removal"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteIdentity to disrupt email sending capabilities or delete an identity previously used attackers.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml"}], "simulation": [{"type": "commandLine", "value": "aws ses delete-identity --identity TrailDiscoverIdentity"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity"} -{"eventName": "GetSendQuota", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Provides the sending limits for the Amazon SES account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses get-send-quota"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetSendQuota"} -{"eventName": "GetIdentityVerificationAttributes", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1526 - Cloud Service Discovery"], "usedInWild": true, "incidents": [{"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [], "securityImplications": "Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes"} -{"eventName": "ListIdentities", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1087 - Account Discovery"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Ransomware in the cloud", "link": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses list-identities --identity-type \"EmailAddress\""}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-ListIdentities"} -{"eventName": "UpdateAccountSendingEnabled", "eventSource": "ses.amazonaws.com", "awsService": "SES", "description": "Enables or disables email sending across your entire Amazon SES account in the current AWS Region.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}, {"description": "SES-PIONAGE", "link": "https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}], "researchLinks": [], "securityImplications": "Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ses update-account-sending-enabled"}], "permissions": "https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled"} -{"eventName": "AuthorizeDBSecurityGroupIngress", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Enables ingress to a DBSecurityGroup using one of two forms of authorization.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}, {"description": "Hunting AWS RDS security events with Sysdig", "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/"}], "securityImplications": "Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress"} -{"eventName": "DeleteDBCluster", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "The DeleteDBCluster action deletes a previously provisioned DB cluster.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Hunting AWS RDS security events with Sysdig", "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/"}, {"description": "AWS Deletion of RDS Instance or Cluster", "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html"}], "securityImplications": "Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster"} -{"eventName": "CreateDBSecurityGroup", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Creates a new DB security group. DB security groups control access to a DB instance.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}, {"description": "Hunting AWS RDS security events with Sysdig", "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/"}], "securityImplications": "Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup"} -{"eventName": "DeleteGlobalCluster", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS Deletion of RDS Instance or Cluster", "link": "https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html"}], "securityImplications": "Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster"} -{"eventName": "ModifyDBSnapshotAttribute", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "Imperva Security Update", "link": "https://www.imperva.com/blog/ceoblog/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [{"description": "Stealing an RDS database by creating a snapshot and sharing it", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/"}, {"description": "Hunting AWS RDS security events with Sysdig", "link": "https://sysdig.com/blog/aws-rds-security-events-sysdig/"}], "securityImplications": "Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute"} -{"eventName": "StartExportTask", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Starts an export of DB snapshot or DB cluster data to Amazon S3.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS - RDS Post Exploitation", "link": "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation"}], "securityImplications": "Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-StartExportTask"} -{"eventName": "CreateDBSnapshot", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Creates a snapshot of a DB instance.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [{"description": "Stealing an RDS database by creating a snapshot and sharing it", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/"}], "securityImplications": "Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot"} -{"eventName": "ModifyActivityStream", "eventSource": "rds.amazonaws.com", "awsService": "RDS", "description": "Changes the audit policy state of a database activity stream to either locked (default) or unlocked.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": true, "incidents": [{"description": "Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 – The Response", "link": "https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response"}], "researchLinks": [], "securityImplications": "Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws rds modify-activity-stream"}], "permissions": "https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream"} -{"eventName": "DeleteMountTarget", "eventSource": "elasticfilesystem.amazonaws.com", "awsService": "elasticfilesystem", "description": "Deletes the specified mount target.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EFS File System or Mount Deleted", "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html"}], "securityImplications": "Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml"}], "simulation": [{"type": "commandLine", "value": "aws efs delete-mount-target --mount-target-id fsmt-f9a14450"}], "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget"} -{"eventName": "DeleteFileSystem", "eventSource": "elasticfilesystem.amazonaws.com", "awsService": "elasticfilesystem", "description": "Deletes a file system, permanently severing access to its contents.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EFS File System or Mount Deleted", "link": "https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html"}], "securityImplications": "Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml"}], "simulation": [{"type": "commandLine", "value": "aws efs delete-file-system --file-system-id fs-c7a0456e"}], "permissions": "https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem"} -{"eventName": "GetQueryResults", "eventSource": "athena.amazonaws.com", "awsService": "Athena", "description": "Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/athena#athena-GetQueryResults"} -{"eventName": "GetHostedZoneCount", "eventSource": "route53.amazonaws.com", "awsService": "Route53", "description": "Retrieves the number of hosted zones that are associated with the current AWS account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws route53 get-hosted-zone-count"}], "permissions": "https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount"} -{"eventName": "ChangeResourceRecordSets", "eventSource": "route53.amazonaws.com", "awsService": "Route53", "description": "Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "AWS API Call Hijacking via ACM-PCA", "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}], "securityImplications": "Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets"} -{"eventName": "CreateHostedZone", "eventSource": "route53.amazonaws.com", "awsService": "Route53", "description": "Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [{"description": "AWS API Call Hijacking via ACM-PCA", "link": "https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}], "securityImplications": "Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'"}], "permissions": "https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone"} -{"eventName": "ListDomains", "eventSource": "route53domains.amazonaws.com", "awsService": "route53domains", "description": "This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws route53domains list-domains --region us-east-1"}], "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains"} -{"eventName": "RegisterDomain", "eventSource": "route53domains.amazonaws.com", "awsService": "route53domains", "description": "This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws route53domains register-domain --region us-east-1 --cli-input-json '{\"DomainName\": \"\", \"DurationInYears\": 1, \"AdminContact\": { \"FirstName\": \"\", \"LastName\": \"\"}, \"RegistrantContact\": {\"FirstName\": \"\", \"LastName\": \"\" }, \"TechContact\": {\"FirstName\": \"\", \"LastName\": \"\"}}'"}], "permissions": "https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain"} -{"eventName": "CreateTrafficMirrorTarget", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a target for your Traffic Mirror session.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1074 - Data Staged"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget"} -{"eventName": "DeleteFlowLogs", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Deletes one or more flow logs.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1089 - Disabling Security Tools"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Removing VPC flow logs", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/"}, {"description": "AWS Incident Response", "link": "https://github.com/easttimor/aws-incident-response"}, {"description": "Proactive Cloud Security w/ AWS Organizations", "link": "https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16"}], "securityImplications": "Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs"} -{"eventName": "GetLaunchTemplateData", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Retrieves the configuration data of the specified instance. You can use this data to create a launch template.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData"} -{"eventName": "SendSSHPublicKey", "eventSource": "ec2-instance-connect.amazonaws.com", "awsService": "EC2InstanceConnect", "description": "Pushes an SSH public key to the specified EC2 instance for use by the specified user.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect"}], "permissions": "https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey"} -{"eventName": "DescribeRegions", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the Regions that are enabled for your account, or all Regions.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-regions"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions"} -{"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified security groups or all of your security groups.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Case Study: Responding to an Attack in AWS", "link": "https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups"} -{"eventName": "CreateVolume", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-volume --size 80 --availability-zone us-east-1a"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume"} -{"eventName": "DeleteVolume", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": true, "incidents": [{"description": "Hacker Puts Hosting Service Code Spaces Out of Business", "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 delete-volume --volume-id TrailDiscoverVolumeId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume"} -{"eventName": "DescribeImages", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-images --filters Name=name,Values=TrailDiscover"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages"} -{"eventName": "CreateTrafficMirrorFilter", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a Traffic Mirror filter.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1074 - Data Staged"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-traffic-mirror-filter --description 'TCP Filter'"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter"} -{"eventName": "DescribeInstanceAttribute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified attribute of the specified instance. You can specify only one attribute at a time.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute"} -{"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a snapshot of an EBS volume and stores it in Amazon S3.", "mitreAttackTactics": ["TA0008 - Lateral Movement", "TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account", "T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "CrowdStrike’s work with the Democratic National Committee: Setting the record straight", "link": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}, {"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Stealing an EBS snapshot by creating a snapshot and sharing it", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/"}, {"description": "Exfiltrate EBS Snapshot by Sharing It", "link": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/"}], "securityImplications": "Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute"} -{"eventName": "CreateKeyPair", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "securityImplications": "Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-key-pair --key-name TrailDiscoverKeyPair"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair"} -{"eventName": "ModifySnapshotAttribute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Adds or removes permission settings for the specified snapshot.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "CrowdStrike’s work with the Democratic National Committee: Setting the record straight", "link": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}], "researchLinks": [], "securityImplications": "Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml"}], "simulation": [{"type": "commandLine", "value": "aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute"} -{"eventName": "CreateTrafficMirrorFilterRule", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a Traffic Mirror filter rule.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1074 - Data Staged"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule"} -{"eventName": "DeleteNetworkAcl", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Deletes the specified network ACL.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Ensure CloudWatch has an Alarm for Network ACL Changes", "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change"}], "securityImplications": "Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}], "simulation": [{"type": "commandLine", "value": "aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl"} -{"eventName": "DescribeTransitGatewayMulticastDomains", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes one or more transit gateway multicast domains.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains"} -{"eventName": "DescribeAvailabilityZones", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones"} -{"eventName": "DescribeCarrierGateways", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes one or more of your carrier gateways.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways"} -{"eventName": "DescribeVolumes", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified EBS volumes or all of your EBS volumes.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes"} -{"eventName": "ModifyImageAttribute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Modifies the specified attribute of the specified AMI.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS AMI Atttribute Modification for Exfiltration", "link": "https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/"}], "securityImplications": "Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute"} -{"eventName": "GetEbsEncryptionByDefault", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes whether EBS encryption by default is enabled for your account in the current Region.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are encrypted by default, seeking to exploit unencrypted volumes.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-ebs-encryption-by-default"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault"} -{"eventName": "AttachVolume", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [], "securityImplications": "Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume"} -{"eventName": "DescribeBundleTasks", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified bundle tasks or all of your bundle tasks.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks"} -{"eventName": "AuthorizeSecurityGroupEgress", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Adds the specified outbound (egress) rules to a security group.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1048 - Exfiltration Over Alternative Protocol"], "usedInWild": true, "incidents": [{"description": "Trouble in Paradise", "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"}], "researchLinks": [], "securityImplications": "Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}], "simulation": [{"type": "commandLine", "value": "aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress"} -{"eventName": "DescribeKeyPairs", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified key pairs or all of your key pairs.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs"} -{"eventName": "CreateInstanceExportTask", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Exports a running or stopped instance to an Amazon S3 bucket.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1005 - Data from Local System"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EC2 VM Export Failure", "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html"}], "securityImplications": "Attackers might use CreateInstanceExportTask to extract or exfiltrate information", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml"}], "simulation": [{"type": "commandLine", "value": "aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask"} -{"eventName": "CreateDefaultVpc", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0040 - Impact"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}], "researchLinks": [], "securityImplications": "Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-default-vpc"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc"} -{"eventName": "GetTransitGatewayRouteTableAssociations", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Gets information about the associations for the specified transit gateway route table.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations"} -{"eventName": "CreateSecurityGroup", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a security group.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}], "researchLinks": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}, {"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}], "simulation": [{"type": "commandLine", "value": "aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \"TrailDiscoverDescription\""}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup"} -{"eventName": "DescribeAccountAttributes", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes attributes of your AWS account.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-account-attributes --attribute-names TrailDiscoverAttribute"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes"} -{"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1485 - Data Destruction", "T1070 - Indicator Removal"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "Former Cisco engineer sentenced to prison for deleting 16k Webex accounts", "link": "https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/"}, {"description": "Hacker Puts Hosting Service Code Spaces Out of Business", "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}], "researchLinks": [], "securityImplications": "Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances"} -{"eventName": "CreateTrafficMirrorSession", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a Traffic Mirror session.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1074 - Data Staged"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id tmf-04812ff784EXAMPLE"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession"} -{"eventName": "GetConsoleScreenshot", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot"} -{"eventName": "DescribeSnapshotAttribute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified attribute of the specified snapshot.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute"} -{"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Adds the specified inbound (ingress) rules to a security group.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "Finding evil in AWS", "link": "https://expel.com/blog/finding-evil-in-aws/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"}, {"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Opening a security group to the Internet", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/"}], "securityImplications": "Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}], "simulation": [{"type": "commandLine", "value": "aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress"} -{"eventName": "ModifyInstanceAttribute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Executing commands through EC2 user data", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"}, {"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "EC2 Privilege Escalation Through User Data", "link": "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/"}, {"description": "User Data Script Persistence", "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"}, {"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.", "alerting": [{"type": "sigma", "value": "https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml"}], "simulation": [{"type": "commandLine", "value": "aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute"} -{"eventName": "DeleteNetworkAclEntry", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Deletes the specified ingress or egress entry (rule) from the specified network ACL.", "mitreAttackTactics": ["TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1562 - Impair Defenses"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Ensure CloudWatch has an Alarm for Network ACL Changes", "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change"}], "securityImplications": "Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}], "simulation": [{"type": "commandLine", "value": "aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry"} -{"eventName": "StartInstances", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Starts an Amazon EBS-backed instance that you've previously stopped.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0040 - Impact"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1496 - Resource Hijacking"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [{"description": "Executing commands through EC2 user data", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"}, {"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 start-instances --instance-ids TrailDiscoverInstanceID"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StartInstances"} -{"eventName": "SharedSnapshotVolumeCreated", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "M-Trends Report - 2020", "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"}, {"description": "Democratic National Committee hack", "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000"}], "researchLinks": [{"description": "Detecting exfiltration of EBS snapshots in AWS", "link": "https://twitter.com/christophetd/status/1574681313218506753"}], "securityImplications": "SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}], "permissions": "N/A"} -{"eventName": "DescribeDhcpOptions", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes one or more of your DHCP options sets.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions"} -{"eventName": "CreateRoute", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates a route in a route table within a VPC.", "mitreAttackTactics": ["TA0009 - Collection"], "mitreAttackTechniques": ["T1074 - Data Staged"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "Ensure CloudWatch has an Alarm for Route Table Changes", "link": "https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change"}, {"description": "AWS Incident Response", "link": "https://easttimor.github.io/aws-incident-response/"}], "securityImplications": "Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13"}], "simulation": [{"type": "commandLine", "value": "aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute"} -{"eventName": "DescribeInstanceTypes", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the details of the instance types that are offered in a location.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes"} -{"eventName": "DescribeVpcs", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes one or more of your VPCs.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs"} -{"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Launches the specified number of instances using an AMI for which you have permissions.", "mitreAttackTactics": ["TA0003 - Persistence", "TA0040 - Impact", "TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1098 - Account Manipulation", "T1496 - Resource Hijacking", "T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "The curious case of DangerDev@protonmail.me", "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}, {"description": "DXC spills AWS private keys on public GitHub", "link": "https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/"}, {"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto", "link": "https://sysdig.com/blog/scarleteel-2-0/"}, {"description": "ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING", "link": "https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}, {"description": "UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR", "link": "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}, {"description": "Clear and Uncommon Story About Overcoming Issues With AWS", "link": "https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/"}, {"description": "onelogin 2017 Security Incident", "link": "https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident"}, {"description": "BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability", "link": "https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"}, {"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [{"description": "Launching EC2 instances", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/"}, {"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}, {"description": "AWS IAM Privilege Escalation Techniques", "link": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}, {"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-RunInstances"} -{"eventName": "EnableSerialConsoleAccess", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Enables access to the EC2 serial console of all instances for your account.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [{"description": "How to detect EC2 Serial Console enabled", "link": "https://sysdig.com/blog/ec2-serial-console-enabled/"}, {"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 enable-serial-console-access"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess"} -{"eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates an entry (a rule) in a network ACL with the specified rule number.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": false, "incidents": [], "researchLinks": [{"description": "AWS EC2 Network Access Control List Creation", "link": "https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html"}, {"description": "Enhancing Your Security Visibility and DetectionResponse Operations in AWS", "link": "https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}], "securityImplications": "Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.", "alerting": [{"type": "cloudwatchCISControls", "value": "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}], "simulation": [{"type": "commandLine", "value": "aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry"} -{"eventName": "SharedSnapshotCopyInitiated", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Modifies the specified attribute of the specified instance.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "M-Trends Report - 2020", "link": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"}, {"description": "Democratic National Committee hack", "link": "https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000"}], "researchLinks": [{"description": "Detecting exfiltration of EBS snapshots in AWS", "link": "https://twitter.com/christophetd/status/1574681313218506753"}], "securityImplications": "SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}], "permissions": "N/A"} -{"eventName": "StopInstances", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Stops an Amazon EBS-backed instance.", "mitreAttackTactics": ["TA0040 - Impact", "TA0005 - Defense Evasion"], "mitreAttackTechniques": ["T1499 - Endpoint Denial of Service", "T1578 - Modify Cloud Compute Infrastructure"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [{"description": "Executing commands through EC2 user data", "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"}, {"description": "Attack Paths Into VMs in the Cloud", "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}], "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-StopInstances"} -{"eventName": "DescribeVolumesModifications", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the most recent volume modification request for the specified EBS volumes.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeVolumesModifications to track changes in EBS volumes.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications"} -{"eventName": "DescribeFlowLogs", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes one or more flow logs.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs"} -{"eventName": "DeleteSnapshot", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Deletes the specified snapshot.", "mitreAttackTactics": ["TA0040 - Impact"], "mitreAttackTechniques": ["T1485 - Data Destruction"], "usedInWild": true, "incidents": [{"description": "Hacker Puts Hosting Service Code Spaces Out of Business", "link": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}], "researchLinks": [], "securityImplications": "Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot"} -{"eventName": "DescribeVpcEndpointConnectionNotifications", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the connection notifications for VPC endpoints and VPC endpoint services.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications"} -{"eventName": "GetFlowLogsIntegrationTemplate", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate"} -{"eventName": "GetPasswordData", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Retrieves the encrypted administrator password for a running Windows instance.", "mitreAttackTactics": ["TA0006 - Credential Access"], "mitreAttackTechniques": ["T1555 - Credentials from Password Stores"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}, {"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-password-data --instance-id TrailDiscoverInstanceId"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData"} -{"eventName": "GetEbsDefaultKmsKeyId", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the default AWS KMS key for EBS encryption by default for your account in this Region.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 get-ebs-default-kms-key-id"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId"} -{"eventName": "ReplaceIamInstanceProfileAssociation", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Replaces an IAM instance profile for the specified running instance.", "mitreAttackTactics": ["TA0004 - Privilege Escalation"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}], "researchLinks": [], "securityImplications": "Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation"} -{"eventName": "SendSerialConsoleSSHPublicKey", "eventSource": "ec2-instance-connect.amazonaws.com", "awsService": "EC2InstanceConnect", "description": "Pushes an SSH public key to the specified EC2 instance.", "mitreAttackTactics": ["TA0008 - Lateral Movement"], "mitreAttackTechniques": ["T1021 - Remote Services"], "usedInWild": true, "incidents": [{"description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD", "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}, {"description": "Navigating the Cloud: Exploring Lateral Movement Techniques", "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}], "researchLinks": [], "securityImplications": "Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey"} -{"eventName": "DescribeSnapshotTierStatus", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the storage tier status of one or more Amazon EBS snapshots.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-snapshot-tier-status"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus"} -{"eventName": "CreateImage", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.", "mitreAttackTactics": ["TA0010 - Exfiltration"], "mitreAttackTechniques": ["T1537 - Transfer Data to Cloud Account"], "usedInWild": true, "incidents": [{"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [], "securityImplications": "Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \"TrailDiscoverImageName\" --description \"TrailDiscoverImageDescription\""}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-CreateImage"} -{"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the specified instances or all instances.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild", "link": "https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}], "researchLinks": [{"description": "Abusing VPC Traffic Mirroring in AWS", "link": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}], "securityImplications": "Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID"}, {"type": "stratusRedTeam", "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances"} -{"eventName": "DescribeClientVpnRoutes", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Describes the routes for the specified Client VPN endpoint.", "mitreAttackTactics": ["TA0007 - Discovery"], "mitreAttackTechniques": ["T1580 - Cloud Infrastructure Discovery"], "usedInWild": true, "incidents": [{"description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}], "researchLinks": [], "securityImplications": "Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes that could be exploited for network access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes"} -{"eventName": "ImportKeyPair", "eventSource": "ec2.amazonaws.com", "awsService": "EC2", "description": "Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.", "mitreAttackTactics": ["TA0003 - Persistence"], "mitreAttackTechniques": ["T1098 - Account Manipulation"], "usedInWild": true, "incidents": [{"description": "Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}, {"description": "Behind the scenes in the Expel SOC: Alert-to-fix in AWS", "link": "https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}, {"description": "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability", "link": "https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}], "researchLinks": [{"description": "Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident", "link": "https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}], "securityImplications": "Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized access.", "alerting": [], "simulation": [{"type": "commandLine", "value": "N/A"}], "permissions": "https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair"} +{"eventName":"GetCertificate","eventSource":"acm-pca.amazonaws.com","awsService":"ACMPCA","description":"Retrieves a certificate from your private CA or one that has been shared with you.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1040 - Network Sniffing"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1119 - Automated Collection","reason":"An attacker could write a script that continiously calls GetCertificate to get all certificates"},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Using GetCertificate, adversaries can discover details about the cloud infrastructure, including how certificates are managed and issued within the environment."},{"technique":"TT1589 - Gather Victim Identity Information","reason":"Often times victim information is present in the certificate, f.e. email adresses."},{"technique":"T1526 - Cloud Service Discovery","reason":"Often times certificates are issued for single cloud services. "},{"technique":"T1530 - Data from Cloud Storage","reason":"One could label the ACMPCA as a cloud storage, because the certificates are stored in there."},{"technique":"T1021.007 - Remote Services: Cloud Services","reason":"The GetCertificate API call retrieves certificates from a private CA or one that has been shared, which can then be used to authenticate access to various cloud services. Adversaries can use these certificates to authenticate themselves to cloud services remotely, leveraging the trust established by the certificate. This enables the adversary to move laterally within the cloud environment, access additional resources, or establish persistence by maintaining authenticated sessions with the compromised certificates"},{"technique":"T1212 - Exploitation for Credential Access","reason":"Certificates can be exploited to gain credential access, especially if they include sensitive authentication details"},{"technique":"T1557 - Adversary-in-the-Middle","reason":"Certificates retrieved can be used in Man-in-the-Middle (MitM) attacks to intercept and decrypt secure communications."},{"technique":"T1021 - Remote Services","reason":"Certificates are often used as an authetication material, especially in enterprise environments and can be therefore used to move laterally."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS API Call Hijacking via ACM-PCA","link":"https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}],"securityImplications":"Attackers might use GetCertificate combined with Route 53 control to intercept and read data from AWS API calls.","alerting":[],"simulation":[{"type":"commandLine","value":"aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/6707447683a9b7f4055627ffd55cebcc"}],"permissions":"https://aws.permissions.cloud/iam/acm-pca#acm-pca-GetCertificate"} +{"eventName":"IssueCertificate","eventSource":"acm-pca.amazonaws.com","awsService":"ACMPCA","description":"Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1040 - Network Sniffing"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078- Valid Accounts","reason":"Issuing a certificate can create a valid cloud account credential. This certificate could be used to authenticate against various services. Issued certificates could be used to create or access local accounts within the cloud infrastructure. "},{"technique":"T1212- Exploitation for Credential Access","reason":"Certificates can be exploited to gain credential access, especially if they include sensitive authentication details or are from a trustd CA."},{"technique":"T1136- Create Account","reason":"An adversary might use a certificate to create new cloud accounts or gain access to existing ones under the guise of legitimate credentials."},{"technique":"T1588- Obtain Capabilities","reason":"By using this API call an adversary has successfully gained the capability to create digital certificates."},{"technique":"T1550- Use Alternate Authentication Material","reason":"Issued certificates can be used as alternative authentication material in place of traditional credentials like web cookies, aiding in Credential Access and Defense Evasion."},{"technique":"T1586.003- Compromise Accounts","reason":"By issuing certificates through the IssueCertificate API call, adversaries can compromise cloud accounts by creating legitimate credentials for accessing cloud services. These certificates can be used to authenticate and gain control over cloud accounts, facilitating Initial Access and Persistence. The adversary can then maintain access by leveraging these certificates, bypassing traditional authentication mechanisms and evading detection."},{"technique":"T1027- Obfuscated Files or Information","reason":"Certificates issued via this API call can be used to obfuscate the true nature of communication and data, aiding in Defense Evasion."},{"technique":"T1553- Subvert Trust Controls","reason":"By issuing a certificate, an adversary can sign malicious binaries, making them appear legitimate and trusted, aiding in Defense Evasion."},{"technique":"T1071.001- Application Layer Protocol - Web Protocols","reason":"Issued certificates can be used to secure communication over web protocols, potentially aiding in Defense Evasion and Credential Access by making malicious traffic appear legitimate."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS API Call Hijacking via ACM-PCA","link":"https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}],"securityImplications":"Attackers might use IssueCertificate combined with Route 53 control to intercept and read data from AWS API calls.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/acm-pca#acm-pca-IssueCertificate"} +{"eventName":"CreateApiKey","eventSource":"appsync.amazonaws.com","awsService":"AppSync","description":"Creates a unique key that you can distribute to clients who invoke your API.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0003 - Persistence"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1556 - Modify Authentication Process"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"API keys are a form of credentials that attackers can use to gain and maintain access to cloud services."},{"technique":"T1098 - Account Manipulation","reason":"Attackers may manipulate API keys to alter account permissions and settings, maintaining persistence and access."},{"technique":"T1531 - Account Access Removal","reason":"API keys can be used to remove legitimate accounts, thereby maintaining persistence and disrupting normal operations."},{"technique":"T1550.001 - Use Alternate Authentication Material: Application Access Token","reason":"API keys serve as alternate authentication material, in this case as application access tokens to access AppSync APIs."},{"technique":"T1090 - Proxy","reason":"Attackers can use API keys to route their malicious traffic through a AppSync, which acts here as a proxy, hiding their true origin and bypassing security measures."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor","link":"https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}],"securityImplications":"Attackers might use CreateApiKey to add a key they control for authentication. Bypassing current authentication and potentially allowing persistent access to data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws appsync create-api-key --api-id TrailDiscoverApiId"}],"permissions":"https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey"} +{"eventName":"GetIntrospectionSchema","eventSource":"appsync.amazonaws.com","awsService":"AppSync","description":"Retrieves the introspection schema for a GraphQL API.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The GetIntrospectionSchema API call can be used to gather detailed information about the structure of an AWS AppSync GraphQL schema. This can help in identifying user roles, permissions, and accounts associated with the schema in this AWS account."},{"technique":"T1590: Gather Victim Network Information","reason":"Through the introspection schema, an attacker can identify dependencies and integrations with other network services or external APIs, revealing trust relationships and potential attack vectors. By retrieving the introspection schema, an attacker can map out the network structure as exposed by the GraphQL API, including services, endpoints, and connections within the AWS environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor","link":"https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}],"securityImplications":"Attackers might use GetIntrospectionSchema to understand the API for future attacks or use the configuration for future modifications.","alerting":[],"simulation":[{"type":"commandLine","value":"aws appsync get-introspection-schema --api-id TrailDiscover --format json output"}],"permissions":"https://aws.permissions.cloud/iam/appsync#appsync-GetIntrospectionSchema"} +{"eventName":"UpdateGraphqlApi","eventSource":"appsync.amazonaws.com","awsService":"AppSync","description":"Updates a GraphqlApi object.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0003 - Persistence"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1556 - Modify Authentication Process"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1136 - Create Account","reason":"An attacker might use UpdateGraphqlApi to update settings in a way that allows creating new user accounts with elevated privileges."},{"technique":"T1212 - Exploitation for Credential Dumping","reason":"Updating GraphQL API could be abused to alter application behavior to facilitate credential dumping."},{"technique":"T1078 - Valid Accounts","reason":"An attacker could use the API call to modify existing configurations to maintain access through valid cloud accounts."},{"technique":"T1098 - Account Manipulation","reason":"The API call could allow manipulation of user accounts or roles to maintain access or escalate privileges."},{"technique":"T1027 - Obfuscated Files or Information","reason":"The API call might be used to modify or obfuscate logs and configurations to avoid detection."},{"technique":"T1078 - Valid Accounts","reason":"By updating the API, attackers might ensure they can access privileged accounts for persistent access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor","link":"https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}],"securityImplications":"Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel"}],"permissions":"https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi"} +{"eventName":"UpdateResolver","eventSource":"appsync.amazonaws.com","awsService":"AppSync","description":"Updates a Resolver object.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0003 - Persistence"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1556 - Modify Authentication Process"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1136 - Create Account","reason":"Using the UpdateResolver API, an adversary can manipulate the AppSync resolver to create new user accounts with specific roles or permissions, enabling persistent access to the AWS environment."},{"technique":"T1078 - Valid Accounts","reason":"By updating the resolver, adversaries can utilize valid credentials to access AppSync and maintain persistence."},{"technique":"T1070 - Indicator Removal","reason":"Adversaries can update resolvers to manipulate logs or delete records, evading detection by altering or concealing their tracks."},{"technique":"T1531 - Account Access Removal","reason":"Adversaries can use the UpdateResolver API to revoke access for legitimate users, thereby preventing them from detecting the adversarial activities."},{"technique":"T1003 - Credential Dumping","reason":"By updating the resolver to capture sensitive data passed through AppSync, adversaries could dump credentials for further exploitation."},{"technique":"T1071 - Application Layer Protocol","reason":"Modifying the resolver might allow adversaries to covertly communicate using AppSync's standard protocols, blending in with normal traffic and evading network defenses."},{"technique":"T1562.001 - Impair Defenses: Disable or Modify Tools","reason":"An adversary might update the resolver to disable security tools or modify their behavior, thereby evading detection and maintaining access."},{"technique":"T1027 - Obfuscated Files or Information","reason":"By updating resolvers, adversaries can obfuscate the information passed through AppSync, making it difficult to detect malicious activities within the data flow."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor","link":"https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8"}],"securityImplications":"Attackers might use UpdateResolver to execute custom code that could allow potential access to data and bypass protections.","alerting":[],"simulation":[{"type":"commandLine","value":"aws appsync update-resolver --api-id TrailDiscoverApiId --type-name TrailDiscoverTypeName --field-name TrailDiscoverFieldName --pipeline-config functions=TrailDiscoverFunctions --request-mapping-template TrailDiscoverRequestMappingTemplate --response-mapping-template TrailDiscoverResponseMappingTemplate"}],"permissions":"https://aws.permissions.cloud/iam/appsync#appsync-UpdateResolver"} +{"eventName":"GetQueryResults","eventSource":"athena.amazonaws.com","awsService":"Athena","description":"Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"GetQueryResults can be used to gather information about the Athena environment, such as the metadata of the queries and databases. This can reveal insights about the system configuration and the types of data stored."},{"technique":"T1213 - Data from Information Repositories","reason":"Athena queries can access and retrieve data from various repositories like S3. GetQueryResults is used to obtain this data, making it a critical step in extracting information from these repositories."},{"technique":"T1039 - Data from Network Shared Drive","reason":"If Athena queries target data stored in network shared drives (like those mounted on EC2 instances and accessible via S3), the GetQueryResults API will be used to collect this data."},{"technique":"T1074 - Data Staged","reason":"Attackers may stage data in a specific location after retrieving it with GetQueryResults before exfiltration. This staging is a preparatory step for further data handling or analysis."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetQueryResults from Amazon Athena to illicitly access and read potential sensitive data.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/athena#athena-GetQueryResults"} +{"eventName":"CreateFoundationModelAgreement","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to create a new foundation model agreement.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement"} +{"eventName":"GetFoundationModelAvailability","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to get the availability of a foundation model.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system."},{"technique":"T1590 - Gather Victim Network Information","reason":"The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use GetFoundationModelAvailability to enumerate accessible models","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability"} +{"eventName":"GetModelInvocationLoggingConfiguration","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Get the current configuration values for model invocation logging.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Attackers may use knowledge of logging configurations to craft their actions in ways that avoid triggering specific logging mechanisms."},{"technique":"T1518.001 - Software Discovery","reason":"Understanding how model invocation is logged can reveal what security software is in use."},{"technique":"T1562 - Impair Defenses","reason":"Knowing the logging configuration can help attackers understand how to disable or evade defensive logging."},{"technique":"T1071 - Application Layer Protocol","reason":"Attackers might tailor their command and control communication methods based on the logging configurations discovered."},{"technique":"T1212 - Exploitation for Credential Access","reason":"If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs."}],"usedInWild":true,"incidents":[{"description":"LLMjacking: Stolen Cloud Credentials Used in New AI Attack","link":"https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/"}],"researchLinks":[],"securityImplications":"Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration"} +{"eventName":"GetUseCaseForModelAccess","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to retrieve a use case for model access.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts: Cloud Accounts","reason":"If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information about model access use cases, which may aid further malicious activity."},{"technique":"T1082 - System Information Discovery","reason":"The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery."},{"technique":"T1005 - Data from Local System","reason":"The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment."},{"technique":"T1530 - Data from Cloud Storage","reason":"If the GetUseCaseForModelAccess API provides links or references to data stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data."},{"technique":"T1020 - Automated Exfiltration","reason":"An attacker could script the API call to automatically extract and exfiltrate information about model use cases over time."},{"technique":"T1074 - Data Staged","reason":"Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use GetUseCaseForModelAccess to enumerate accessible models.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess"} +{"eventName":"InvokeModel","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.","mitreAttackTactics":["TA0007 - Discovery","TA0040 - Impact"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery","T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1020 - Automated Exfiltration","reason":"The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information"},{"technique":"T1567 - Exfiltration Over Web Service","reason":"An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers."},{"technique":"T1203 - Exploitation for Client Execution","reason":"Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API."}],"usedInWild":true,"incidents":[{"description":"LLMjacking: Stolen Cloud Credentials Used in New AI Attack","link":"https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel"} +{"eventName":"InvokeModelWithResponseStream","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Attackers could potentially exploit the model invocation process to execute arbitrary commands or scripts, depending on how the input data to the model is handled and interpreted."},{"technique":"T1020 - Automated Exfiltration","reason":"The streaming response can be used to automatically exfiltrate data as it is processed by the model."},{"technique":"T1041 - Exfiltration Over C2 Channel","reason":"The streaming response feature can be exploited to send sensitive data back to an attacker over an established C2 channel."},{"technique":"T1005 - Data from Local System","reason":"If the Bedrock model has access to and processes local system data, attackers could leverage the API call to collect sensitive information. This scenario assumes that the model's processing involves data that might include confidential or proprietary information."},{"technique":"T1071.004 - Application Layer Protocol: DNS","reason":"DNS can be used for exfiltration or command and control if the model's streaming response can be encoded into DNS queries/responses."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream"} +{"eventName":"ListFoundationModelAgreementOffers","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to get a list of foundation model agreement offers.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1591.002 - Gather Victim Org Information: Business Relationships","reason":"The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details."},{"technique":"T1591 - Gather Victim Org Information","reason":"This API call might yield information about the internal structure of the organization, such as departments or teams involved with foundation models, contributing to a broader understanding of the target's organizational setup."},{"technique":"T1069 - Permission Groups Discovery","reason":"The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[],"securityImplications":"Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers"} +{"eventName":"ListFoundationModels","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to list Bedrock foundation models that you can use.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Listing foundation models can help an adversary understand what cloud resources are available and their configurations"},{"technique":"T1057 - Process Discovery","reason":"Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment."},{"technique":"T1069 - Permission Groups Discovery","reason":"Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment"},{"technique":"T1082 - System Information Discovery","reason":"Listing foundation models helps in gathering detailed system information."},{"technique":"T1482 - Domain Trust Discovery","reason":"Adversaries may list foundation models to understand the trust relationships and dependencies between different cloud resources."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[],"securityImplications":"Attackers might use ListFoundationModels to enumerate accessible models.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels"} +{"eventName":"ListProvisionedModelThroughputs","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to list provisioned model throughputs that you created earlier.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087.004 - Cloud Account","reason":"The ListProvisionedModelThroughputs API call can help an attacker identify active cloud accounts and associated resources by listing the provisioned models, providing insight into the resources allocated in the cloud environment."},{"technique":"T1082 - System Information Discovery","reason":"This API call can be used to gather information about the configuration and state of the provisioned model throughputs, which contributes to understanding the system's current setup and operational status."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"By listing provisioned model throughputs, an attacker can potentially identify models and associated data stored in cloud storage, enabling them to target specific data repositories."},{"technique":"T1078 - Valid Accounts","reason":"Legitimate cloud accounts with access to this API call can be used to gather information on provisioned models. If an attacker gains control of such an account, they can enumerate resources to assess what data and services are available within the cloud environment."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[],"securityImplications":"Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs"} +{"eventName":"PutFoundationModelEntitlement","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to put entitlement to access a foundation model.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"By modifying account entitlements, an attacker could adjust or extend permissions, gaining higher privileges or persistence within the cloud environment."},{"technique":"T1078 - Valid Accounts","reason":"Authorized accounts might be modified or managed to maintain persistent access to foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. Access might be granted to default accounts, which could be exploited if not properly managed. Local accounts could be granted access, potentially leading to unauthorized activities within the environment."},{"technique":"T1059 - Command and Scripting Interpreter","reason":"The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment."},{"technique":"T1562 - Impair Defenses","reason":"Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement"} +{"eventName":"PutUseCaseForModelAccess","eventSource":"bedrock.amazonaws.com","awsService":"Bedrock","description":"Grants permission to put a use case for model access.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access."},{"technique":"T1098 - Account Manipulation","reason":"This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or maintaining access."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying","link":"https://permiso.io/blog/exploiting-hosted-models"}],"researchLinks":[],"securityImplications":"Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess"} +{"eventName":"CreateStack","eventSource":"cloudformation.amazonaws.com","awsService":"CloudFormation","description":"Creates a stack as specified in the template.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1136 - Create Account","reason":"The CreateStack API call can be used to set up new accounts within the cloud environment as part of deploying a CloudFormation stack, which aids in gaining and maintaining access."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"The creation of new stacks can be used to modify or add cloud compute infrastructure, which can be part of defense evasion by creating resources that blend into the existing environment."},{"technique":"T1098 - Account Manipulation","reason":"Creating new stacks could involve setting up new accounts or roles that can be used later, contributing to persistence within the environment."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use CreateStack to provision unauthorized resources","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack"} +{"eventName":"CreateFunction","eventSource":"cloudfront.amazonaws.com","awsService":"CloudFront","description":"Creates a CloudFront function.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1119 - Automated Collection"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"CloudFront functions are written in JavaScript, enabling the execution of scripts."},{"technique":"T1546 - Event Triggered Execution","reason":"A CloudFront function can be set to trigger on specific events, establishing persistence."},{"technique":"T1562.001 - Impair Defenses","reason":"CloudFront functions can modify requests and responses, which can be used to evade detection tools."},{"technique":"T1027 - Obfuscated Files or Information","reason":"The JavaScript code within CloudFront functions can be obfuscated to hide malicious intent."},{"technique":"T1071 - Application Layer Protocol","reason":"CloudFront functions can communicate using web protocols, facilitating command and control."},{"technique":"T1070 - Indicator Removal","reason":"Functions can be used to remove or alter log files, helping in defense evasion."},{"technique":"T1574 - Hijack Execution Flow","reason":"CloudFront functions manipulate the flow of requests, which can be seen as hijacking the execution flow within the cloud infrastructure."},{"technique":"T1008 - Fallback Channels","reason":"CloudFront functions can be designed to use fallback channels for command and control if the primary method is disrupted."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Improperly configured or malicious CloudFront functions can cause application exhaustion, leading to denial-of-service attacks."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies","link":"https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}],"securityImplications":"Attackers might use CreateFunction to add a new function that can be use to exfiltrate date.","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudfront create-function --name trail-discover-function --function-config Comment='TrailDiscover',Runtime=cloudfront-js-1.0 --function-code VHJhaWxEaXNjb3Zlcgo="}],"permissions":"https://aws.permissions.cloud/iam/cloudfront#cloudfront-CreateFunction"} +{"eventName":"PublishFunction","eventSource":"cloudfront.amazonaws.com","awsService":"CloudFront","description":"Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1119 - Automated Collection"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1560 - Archive Collected Data","reason":"A published CloudFront function could aggregate and compress data, preparing it for exfiltration."},{"technique":"T1070 - Indicator Removal","reason":"A function can be programmed to clean up or remove indicators of compromise, aiding in evasion of detection"},{"technique":"T1036 - Masquerading","reason":"Malicious functions can be disguised as legitimate CloudFront functions, hiding malicious activities within seemingly normal operations."},{"technique":"T1090 - Proxy","reason":"A CloudFront function could redirect traffic through CloudFront, acting as a proxy and obscuring the origin of command and control traffic."},{"technique":"T1102 - Web Service","reason":"Leveraging CloudFront functions to interact with web services, enabling command and control via HTTP or HTTPS, blending with regular web traffic"},{"technique":"T1204 - User Execution","reason":"If the published function requires user interaction or specific conditions to trigger, it aligns with techniques requiring user execution."},{"technique":"T1048 - Exfiltration Over Alternative Protocol","reason":"A CloudFront function could use alternative protocols for data exfiltration, bypassing standard monitoring tools."},{"technique":"T1071 - Application Layer Protocol","reason":"The function may use application layer protocols (HTTP/S) for communication, facilitating command and control or data exfiltration."},{"technique":"T1574 - Hijack Execution Flow","reason":"The PublishFunction API can be used to modify how CloudFront handles requests, potentially hijacking the execution flow to achieve malicious objectives"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies","link":"https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}],"securityImplications":"Attackers might use PublishFunction to publish a malicious function that might be used to exfiltrate data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudfront publish-function --name trail-discover-function --if-match trail-discover-function"}],"permissions":"https://aws.permissions.cloud/iam/cloudfront#cloudfront-PublishFunction"} +{"eventName":"UpdateDistribution","eventSource":"cloudfront.amazonaws.com","awsService":"CloudFront","description":"Updates the configuration for a CloudFront distribution.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1119 - Automated Collection"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"An attacker could modify CloudFront distribution settings to remove or alter logging configurations, thus deleting or hiding evidence of malicious activities."},{"technique":"T1090 - Proxy","reason":"By updating CloudFront distribution, an attacker can route traffic through CloudFront, effectively hiding the origin of malicious traffic and obfuscating command and control communications."},{"technique":"T1567 - Exfiltration Over Web Service","reason":"An attacker might reconfigure CloudFront to redirect sensitive data to an external endpoint under their control, facilitating data exfiltration over a web service."},{"technique":"T1562 - Impair Defenses","reason":"Modifying CloudFront distribution settings can be used to impair security monitoring and defense mechanisms by disabling or altering configurations that are critical for security monitoring."},{"technique":"T1560 - Archive Collected Data","reason":"An attacker might modify the CloudFront distribution to use cloud storage as a method to archive and exfiltrate collected data."},{"technique":"T1497 - Virtualization/Sandbox Evasion","reason":"CloudFront configurations can be updated to delay or slow responses, making detection and analysis more difficult, effectively evading automated analysis systems."},{"technique":"T1568 - Dynamic Resolution","reason":"By updating CloudFront distributions, an attacker can implement domain generation algorithms to dynamically change domain names for command and control, evading detection."},{"technique":"T1095 - Non-Application Layer Protocol","reason":"By configuring CloudFront to use non-standard protocols for data transmission, an attacker can exfiltrate data or communicate with compromised assets using non-application layer protocols."},{"technique":"T1071.001 - Application Layer Protocol: Web Protocols","reason":"loudFront can be configured to use common web protocols (HTTP/HTTPS) for malicious command and control communications, blending in with normal traffic and avoiding detection."},{"technique":"T1565.002 - Data Manipulation: Transmitted Data Manipulation","reason":"Attackers can update CloudFront distribution settings to manipulate data as it transits through CloudFront, altering its content for malicious purposes or exfiltrating manipulated data."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies","link":"https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}],"securityImplications":"Attackers might use UpdateDistribution to add a malicious configuration such as a function to exfiltrate data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --distribution-config '{\"CallerReference\":\"\", \"Origins\":{\"Quantity\":1,\"Items\":[{\"Id\":\"\", \"DomainName\":\"\"}]}, \"DefaultCacheBehavior\":{\"TargetOriginId\":\"\", \"ViewerProtocolPolicy\":\"\"}, \"Comment\":\"\", \"Enabled\":false }'"}],"permissions":"https://aws.permissions.cloud/iam/cloudfront#cloudfront-UpdateDistribution"} +{"eventName":"DeleteTrail","eventSource":"cloudtrail.amazonaws.com","awsService":"CloudTrail","description":"Deletes a trail.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools","T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting a CloudTrail trail can be seen as an attempt to remove logs that could be used to detect malicious activity, thereby evading detection."},{"technique":"T1485 - Data Destruction","reason":"Deleting the CloudTrail trail results in the destruction of important log data, which can impact the ability to investigate and respond to incidents."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"AWS Defense Evasion Delete Cloudtrail","link":"https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/"},{"description":"Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail","link":"https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"},{"description":"Disrupting AWS logging","link":"https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"}],"securityImplications":"Attackers might use DeleteTrail to disrupting AWS logging.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}],"simulation":[{"type":"commandLine","value":"aws cloudtrail delete-trail --name TrailDiscoverTrailName"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete"}],"permissions":"https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail"} +{"eventName":"LookupEvents","eventSource":"cloudtrail.amazonaws.com","awsService":"CloudTrail","description":"Looks up management events or CloudTrail Insights events that are captured by CloudTrail.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1654 - Log Enumeration"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The LookupEvents API call can be used to identify information about AWS cloud accounts, potentially revealing new or unused accounts that can be targeted."},{"technique":"T1530 - Data from Cloud Storage","reason":"By looking up events, attackers can identify access patterns or sensitive data locations within cloud storage, facilitating data collection or exfiltration."},{"technique":"T1078 - Valid Accounts","reason":" If attackers are trying to access accounts, LookupEvents can help them discover which accounts are being used, aiding in the identification of valid credentials. By using LookupEvents, attackers can gain insights into which accounts have been accessed, helping them target specific accounts for compromise."},{"technique":"T1033 - System Owner/User Discovery","reason":"Discovering user activities and patterns can help attackers understand who owns or uses specific systems, making it easier to target high-value accounts."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"LookupEvents can reveal information about the cloud infrastructure, including services and resources used within the environment."},{"technique":"T1020 - Automated Exfiltration","reason":" By understanding event patterns and data flows, attackers can automate the exfiltration of data from the cloud environment."},{"technique":"T1057 - Process Discovery","reason":"Attackers can use LookupEvents to see which processes or applications are being invoked, gaining insight into the operational environment."}],"usedInWild":true,"incidents":[{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[],"securityImplications":"Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents"} +{"eventName":"PutEventSelectors","eventSource":"cloudtrail.amazonaws.com","awsService":"CloudTrail","description":"Configures an event selector or advanced event selectors for your trail.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001: Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"By configuring event selectors, adversaries can exclude certain activities from being logged, effectively removing traces of their presence and actions, which hinders detection and forensic analysis."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"cloudtrail_guardduty_bypass","link":"https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass"},{"description":"Detecting and removing risky actions out of your IAM security policies","link":"https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}],"securityImplications":"Attackers might use PutEventSelectors to disrupting AWS logging.","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\"ReadWriteType\": \"All\", \"IncludeManagementEvents\":true, \"DataResources\": [{\"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3\"]}] }]'"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors"}],"permissions":"https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors"} +{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","awsService":"CloudTrail","description":"Suspends the recording of AWS API calls and log file delivery for the specified trail.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools","T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"By stopping the logging, the adversary prevents the creation of future log entries, effectively removing indicators that would otherwise be generated, thus evading detection and hindering incident response efforts."}],"usedInWild":false,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"Stopping a CloudTrail trail","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/"},{"description":"AWS Defense Evasion Stop Logging Cloudtrail","link":"https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/"},{"description":"AWS Defense Evasion and Centralized Multi-Account Logging","link":"https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/"},{"description":"Disrupting AWS logging","link":"https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"},{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}],"securityImplications":"Attackers might use StopLogging to disrupting AWS logging.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}],"simulation":[{"type":"commandLine","value":"aws cloudtrail stop-logging --name TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop"}],"permissions":"https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging"} +{"eventName":"UpdateTrail","eventSource":"cloudtrail.amazonaws.com","awsService":"CloudTrail","description":"Updates trail settings that control what events you are logging, and how to handle log files.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Modifying CloudTrail settings can involve stopping log generation or deleting logs, removing evidence of activities."},{"technique":"T1098 - Account Manipulation","reason":"Changing CloudTrail settings might require manipulating account permissions or configurations to control logging."},{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Updating trail settings could facilitate the transfer of logs or sensitive data to an attacker-controlled cloud account for exfiltration."}],"usedInWild":true,"incidents":[{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"AWS Defense Evasion and Centralized Multi-Account Logging","link":"https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/"},{"description":"Disrupting AWS logging","link":"https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594"}],"securityImplications":"Attackers might use UpdateTrail to disrupting AWS logging.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml"}],"simulation":[{"type":"commandLine","value":"aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName"}],"permissions":"https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail"} +{"eventName":"CreateLogStream","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Creates a log stream for the specified log group.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1036 - Masquerading","reason":"Creating log streams with names that mimic legitimate applications or services helps attackers blend in with normal operations and evade detection."},{"technique":"T1119 - Automated Collection","reason":"Log streams can be used to automate the collection of log data from various sources within the cloud environment, aiding attackers in data aggregation."},{"technique":"T1074 - Data Staged","reason":"Using log streams to stage data before it is exfiltrated, organizing it for easy access and transfer."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use CreateLogStream to later add benign log entries, effectively burying any signs of his malicious activities.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs create-log-stream --log-group-name my-logs --log-stream-name 20150601"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-CreateLogStream"} +{"eventName":"DeleteAlarms","eventSource":"monitoring.amazonaws.com","awsService":"CloudWatch","description":"Deletes the specified alarms. You can delete up to 100 alarms in one operation.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools","T1562.006 - Impair Defenses: Indicator Blocking"],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"Deleting alarms can be part of a broader strategy to destroy or disrupt data by removing key monitoring and alert mechanisms."},{"technique":"T1489 - Service Stop","reason":"By deleting alarms, an attacker can effectively stop the alerting service from functioning as expected, similar to stopping a service"},{"technique":"T1070 - Indicator Removal","reason":"Deleting alarms can be seen as removing indicators of potential issues or past activities, which is a broader form of indicator removal than just file deletion."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS CloudWatch Alarm Deletion","link":"https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"securityImplications":"Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring","alerting":[],"simulation":[{"type":"commandLine","value":"aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm"}],"permissions":"https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms"} +{"eventName":"DeleteLogGroup","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Deletes the specified log group and permanently deletes all the archived log events associated with the log group.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting log groups removes evidence of activities from log files, thus covering tracks and aiding in evading detection."},{"technique":"T1485 - Data Destruction","reason":"Deleting log groups leads to the permanent removal of critical log data, effectively erasing records that could be used for forensic analysis or troubleshooting. This action disrupts the availability of essential logs, potentially causing significant operational impact and hindering incident response efforts."},{"technique":"T1565.001 - Data Manipulation: Stored Data Manipulation","reason":"The deletion of log groups can be considered a form of data manipulation, as it involves removing stored data, impacting its integrity and availability."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Penetration testing of aws-based environments","link":"https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf"},{"description":"Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail","link":"https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"}],"securityImplications":"Attackers might use DeleteLogGroup to erase CloudWatch logs, erasing evidence of their activities within AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs delete-log-group --log-group-name TrailDiscoverLogGroup"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-DeleteLogGroup"} +{"eventName":"DeleteLogStream","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting log streams removes critical log data, effectively erasing evidence of activities that could be used to detect or investigate malicious behavior. This action makes it difficult for defenders to trace the attacker's steps or identify potential indicators of compromise."},{"technique":"T1485 - Data Destruction","reason":"The permanent deletion of archived log events constitutes data destruction, impacting the organization\u2019s ability to conduct forensic analysis and understand the scope of an attack."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail","link":"https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"}],"securityImplications":"Attackers might use DeleteLogStream to erase CloudWatch logs, erasing evidence of their activities within AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs delete-log-stream --log-group-name TrailDiscoverLogGroupName --log-stream-name TrailDiscoverLogStreamName"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream"} +{"eventName":"DescribeLogGroups","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Lists the specified log groups.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1007 - System Service Discovery","reason":"Listing log groups can provide insights into the services and activities running within the AWS environment, aiding in identifying active services and their configurations."},{"technique":"T1018 - Remote System Discovery","reason":"Describing log groups can reveal information about the systems and their operations, helping in mapping out remote systems within the cloud infrastructure."},{"technique":"T1046 - Network Service Discovery","reason":"By examining log groups, attackers can understand the network services being utilized and their respective configurations, which is crucial for further discovery and potential exploitation."},{"technique":"T1087 - Account Discovery","reason":"Log groups often include data about different user activities and roles, which can be used to discover account details and permissions within the cloud environment."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeLogGroups to discover CloudWatch log configurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs describe-log-groups --log-group-name-prefix TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups"} +{"eventName":"DescribeLogStreams","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Lists the log streams for the specified log group.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Listing log streams can help identify different cloud accounts or services that are being logged."},{"technique":"T1119 - Automated Collection","reason":"Automating the listing of log streams is a part of setting up a system for automated data collection."},{"technique":"T1057 - Process Discovery","reason":"Log streams may include process logs that reveal information about running processes in the environment."},{"technique":"T1033 - System Owner/User Discovery","reason":"Log streams can help in identifying which users or systems are generating logs, aiding in system owner/user discovery."},{"technique":"T1018 - Remote System Discovery","reason":"By listing log streams, one can determine the existence of remote systems being logged."},{"technique":"T1082 - System Information Discovery","reason":"Logs may contain information about system configurations, operating systems, and other details relevant for system information discovery."},{"technique":"T1078 - Valid Accounts","reason":"Identifying log streams can help in discovering the usage of valid accounts, potentially indicating compromised or misused accounts."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeLogStreams to discover CloudWatch log configurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs describe-log-streams --log-group-name TrailDiscoverLogGroupName"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-DescribeLogStreams"} +{"eventName":"DescribeSubscriptionFilters","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Lists the subscription filters for the specified log group.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Attackers might use DescribeSubscriptionFilters to identify log groups and their associated subscription filters, which can provide insight into monitoring and logging configurations specific to cloud infrastructure. This information helps attackers understand the cloud environment and its accounts."},{"technique":"T1046 - Network Service Scanning","reason":"By listing subscription filters, attackers can determine what types of network services and activities are being monitored. This can help them identify potential targets or services that are not being adequately monitored."},{"technique":"T1007 - System Service Discovery","reason":"DescribeSubscriptionFilters can reveal details about the log group's configuration, helping attackers discover how system services are being logged and monitored. This can aid in understanding the security posture and identifying potential weaknesses."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters"} +{"eventName":"GetLogRecord","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Retrieves all of the fields and values of a single log event.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087.004 - Account Discovery: Cloud Account","reason":"Retrieving log records can help identify details about cloud accounts in use, such as who accessed certain services and when."},{"technique":"T1057 - Process Discovery","reason":"Logs may contain information about processes running in the cloud environment, which can help in identifying active processes and their behavior."},{"technique":"T1033 - System Owner/User Discovery","reason":"Log records can reveal information about system owners or users who are interacting with the cloud environment, such as user activity logs and access patterns."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetLogRecord to precisely extract information from CloudWatch logs, potentially exposing sensitive data or insights into AWS operational activities.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-GetLogRecord"} +{"eventName":"PutLogEvents","eventSource":"logs.amazonaws.com","awsService":"CloudWatchLogs","description":"Uploads a batch of log events to the specified log stream.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"],"unverifiedMitreAttackTechniques":[{"technique":"T1027 - Obfuscated Files or Information","reason":"Attackers may obfuscate the content of logs or include obfuscated commands in logs to avoid detection and analysis."},{"technique":"T1074 - Data Staged","reason":"Logs might be staged in a certain format before being uploaded, allowing attackers to organize and structure the data for further analysis or exfiltration."},{"technique":"T1071 - Application Layer Protocol","reason":"The use of AWS APIs like PutLogEvents to communicate can serve as a method to transfer data stealthily."},{"technique":"T1119 - Automated Collection","reason":"Automated tools or scripts could be used to collect and upload log data regularly to CloudWatchLogs for monitoring or further use."},{"technique":"T1213 - Data from Information Repositories","reason":"Logs from various information repositories might be collected and uploaded to CloudWatchLogs to facilitate data aggregation and analysis."},{"technique":"T1029 - Scheduled Transfer","reason":"Log uploads could be scheduled at specific intervals to CloudWatchLogs to ensure consistent data transfer."},{"technique":"T1036.004 - Masquerading","reason":"An attacker might disguise malicious activities or uploads as legitimate CloudWatch log entries to evade detection."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.","alerting":[],"simulation":[{"type":"commandLine","value":"aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'"}],"permissions":"https://aws.permissions.cloud/iam/logs#logs-PutLogEvents"} +{"eventName":"GetCredentialsForIdentity","eventSource":"cognito-identity.amazonaws.com","awsService":"CognitoIdentity","description":"Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004: Valid Accounts: Cloud Accounts","T1078.001: Valid Accounts: Default Accounts","T1078.003: Valid Accounts: Local Accounts","T1078.002: Valid Accounts: Domain Accounts"],"unverifiedMitreAttackTechniques":[{"technique":"T1550.004: Use Alternate Authentication Material: Web Session Cookie","reason":"Attackers may use credentials obtained from this API to generate session tokens or cookies for web sessions."},{"technique":"T1212: Exploitation for Credential Access","reason":"Exploiting the GetCredentialsForIdentity API call can be a direct method to gain credentials."},{"technique":"T1528: Steal Application Access Token","reason":"The credentials obtained from the API call could include tokens that grant access to applications, allowing attackers to impersonate legitimate users or services."},{"technique":"T1098: Account Manipulation","reason":"With the credentials returned by this API call, attackers might manipulate account settings or permissions to maintain access or escalate privileges."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Overpermissioned AWS Cognito Identity Pools","link":"https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation"}],"securityImplications":"Attackers might use GetCredentialsForIdentity to obtain temporary AWS credentials, potentially accessing resources or executing actions unauthorizedly within the AWS environment.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetCredentialsForIdentity"} +{"eventName":"GetId","eventSource":"cognito-identity.amazonaws.com","awsService":"CognitoIdentity","description":"Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts","T1078.002 - Valid Accounts: Domain Accounts","T1078.001 - Valid Accounts: Default Accounts"],"unverifiedMitreAttackTechniques":[{"technique":"T1110 - Brute Force","reason":"Attackers might attempt to generate or retrieve multiple IdentityIDs through brute force, seeking unauthorized access."},{"technique":"T1589 - Gather Victim Identity Information","reason":"The Logins parameter allows attackers to gather or brute-force information tied to identity providers (e.g., linked Google or Facebook accounts), which might reveal valuable identity information."},{"technique":"T1087 - Account Discovery","reason":"By retrieving an IdentityId, attackers could discover cloud accounts linked to multiple identity providers, which might give them further access or knowledge about an organization's cloud infrastructure."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Overpermissioned AWS Cognito Identity Pools","link":"https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation"}],"securityImplications":"Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId"} +{"eventName":"DeleteConfigRule","eventSource":"config.amazonaws.com","awsService":"Config","description":"Deletes the specified AWS Config rule and all of its evaluation results.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"By deleting configuration rules and their results, an attacker could be aiming to destroy security data that would alert defenders to their activities."},{"technique":"T1499 - Endpoint Denial of Service","reason":"While not directly causing a denial of service, deleting config rules could indirectly contribute by removing mechanisms that ensure the stability and compliance of services."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Config Resource Deletion","link":"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"}],"securityImplications":"Attackers might use DeleteConfigRule to remove compliance rules, potentially affecting the response plan.","alerting":[],"simulation":[{"type":"commandLine","value":"aws configservice delete-config-rule --config-rule-name TrailDiscoverConfigRule"}],"permissions":"https://aws.permissions.cloud/iam/config#config-DeleteConfigRule"} +{"eventName":"DeleteConfigurationRecorder","eventSource":"config.amazonaws.com","awsService":"Config","description":"Deletes the configuration recorder.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting the configuration recorder aligns with the broader goal of eliminating records that could be used for forensic purposes, removing indicators of compromise."},{"technique":"T1098 - Account Manipulation","reason":"Disabling the configuration recorder could be part of manipulating accounts or roles to evade detection and maintain control over the environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Config Resource Deletion","link":"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"}],"securityImplications":"Attackers might use DeleteConfigurationRecorder to disrupt AWS configuration auditing.","alerting":[],"simulation":[{"type":"commandLine","value":"aws configservice delete-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder"}],"permissions":"https://aws.permissions.cloud/iam/config#config-DeleteConfigurationRecorder"} +{"eventName":"DeleteDeliveryChannel","eventSource":"config.amazonaws.com","awsService":"Config","description":"Deletes the delivery channel.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"By deleting the delivery channel, logs that might contain evidence of malicious activities are removed."},{"technique":"T1485 - Data Destruction","reason":"Deleting the delivery channel could be part of a broader tactic to destroy data, including configuration logs that are crucial for incident response and auditing."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Config Resource Deletion","link":"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion"},{"description":"AWS Config modified","link":"https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"},{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use DeleteDeliveryChannel to disrupt the flow of configuration history and compliance data in AWS.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"}],"simulation":[{"type":"commandLine","value":"aws configservice delete-delivery-channel --delivery-channel-name TrailDiscoverDeliveryChannel"}],"permissions":"https://aws.permissions.cloud/iam/config#config-DeleteDeliveryChannel"} +{"eventName":"StopConfigurationRecorder","eventSource":"config.amazonaws.com","awsService":"Config","description":"Stops recording configurations of the AWS resources you have selected to record in your AWS account.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"By stopping the configuration recorder, an attacker can effectively disrupt the ability to track and monitor changes, which can be a precursor to or part of a broader data destruction strategy."},{"technique":"T1489 - Service Stop","reason":"Stopping a critical service like the configuration recorder can be part of a larger strategy to disrupt services, resulting in a loss of visibility and monitoring, hence impacting the organization."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Configuration Recorder Stopped","link":"https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped"},{"description":"AWS Config modified","link":"https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/"},{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use StopConfigurationRecorder to halt the recording of AWS resource configurations, hindering audit trails.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-9"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml"}],"simulation":[{"type":"commandLine","value":"aws configservice stop-configuration-recorder --configuration-recorder-name TrailDiscoverRecorder"}],"permissions":"https://aws.permissions.cloud/iam/config#config-StopConfigurationRecorder"} +{"eventName":"GetCostAndUsage","eventSource":"ce.amazonaws.com","awsService":"CostExplorer","description":"Retrieves cost and usage metrics for your account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The attacker calls the GetCostAndUsage API to gather detailed usage information about the AWS resources being utilized. By analyzing the cost and usage data, the attacker can infer details about the types of services, their usage patterns, and potentially the structure of the environment."},{"technique":"T1518 - Software Discovery","reason":"By reviewing the cost and usage metrics, the attacker identifies expenditures related to security services (e.g., GuardDuty, CloudTrail). This information helps the attacker understand the security posture and tools in use, potentially avoiding or disabling them during an attack."},{"technique":"T1213 - Data from Information Repositories","reason":"The attacker uses the GetCostAndUsage API to access billing and usage metrics stored in the AWS CostExplorer service. This data is collected to understand the financial and resource allocation details of the target environment."},{"technique":"T1071.001 - Application Layer Protocol: Web Protocols","reason":"The attacker uses web protocols (e.g., HTTPS) to interact with the CostExplorer service and retrieve cost and usage metrics. The data collected is then sent over the web protocol to a remote server controlled by the attacker."},{"technique":"T1020 - Automated Exfiltration","reason":"The attacker scripts the retrieval of cost and usage metrics using the GetCostAndUsage API. This script regularly exfiltrates data, providing continuous updates to the attacker on the victim's cloud usage patterns."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"The attacker stores the retrieved cost and usage data in a cloud storage object (e.g., S3 bucket). This stored data is later accessed or transferred to the attacker's own environment for further analysis or sale."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[],"securityImplications":"Attackers might use GetCostAndUsage to determine how active an account is by understanding the cost within a cloud account.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ce get-cost-and-usage --time-period Start=2017-09-01,End=2017-10-01 --granularity MONTHLY --metrics 'BlendedCost' 'UnblendedCost' 'UsageQuantity' --group-by Type=DIMENSION,Key=SERVICE Type=TAG,Key=Environment"}],"permissions":"https://aws.permissions.cloud/iam/ce#ce-GetCostAndUsage"} +{"eventName":"AttachVolume","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.007 - Remote Services: Cloud Services"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"By attaching or detaching volumes, attackers can manipulate account settings or the environment to further their objectives, such as making specific data accessible or inaccessible."},{"technique":"T1036 - Masquerading","reason":"Attackers might attach volumes that appear legitimate or contain misleading data, thereby disguising their malicious activities."},{"technique":"T1074 - Data Staged","reason":"EBS volumes can be used to stage data for exfiltration or further manipulation by the attackers."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Attackers can use attached volumes to transfer tools, scripts, or other malicious files into the target environment."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Malicious actors can store obfuscated data or tools on an EBS volume to evade detection mechanisms."},{"technique":"T1560 - Archive Collected Data","reason":"Attackers may attach volumes to archive collected data for exfiltration or future use, leveraging the storage capacity of the EBS volumes."},{"technique":"T1213 - Data from Information Repositories","reason":"By attaching a volume that contains information repositories, attackers can access and extract sensitive data stored within these repositories"},{"technique":"T1530 - Data from Cloud Storage","reason":"Attackers can attach volumes that contain cloud storage objects, allowing them to access and manipulate the data stored within these objects."},{"technique":"T1030 - Data Transfer Size Limits","reason":"Attackers may attach EBS volumes to instances to handle large amounts of data transfer without triggering size-based detection mechanisms."},{"technique":"T1005 - Data from Local System","reason":"By attaching an EBS volume, attackers can access and extract data from the local file system of the EC2 instance."}],"usedInWild":true,"incidents":[{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}],"researchLinks":[],"securityImplications":"Attackers might use AttachVolume to mount a volume to an EC2 instance under their control.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 attach-volume --volume-id TrailDiscoverVolumeId --instance-id TrailDiscoverInstanceId --device TrailDiscoverDeviceName"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-AttachVolume"} +{"eventName":"AuthorizeSecurityGroupEgress","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Adds the specified outbound (egress) rules to a security group.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1048 - Exfiltration Over Alternative Protocol"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1040 - Network Sniffing","reason":"Outbound rules can be adjusted to send traffic to specific external destinations, which may allow attackers to capture or monitor network traffic for sensitive information."},{"technique":"T1071 - Application Layer Protocol","reason":"Attackers can use specific egress rules to allow communication over commonly used application layer protocols."},{"technique":"T1074 - Data Staged","reason":"Attackers can set up egress rules to exfiltrate staged data through approved channels."},{"technique":"T1021 - Remote Services","reason":"By setting egress rules, attackers can allow outbound traffic for remote desktop connections, facilitating lateral movement."},{"technique":"T1095 - Non-Application Layer Protocol","reason":"Attackers might configure rules to allow exfiltration using non-standard protocols."},{"technique":"T1571 - Non-Standard Port","reason":"By authorizing specific outbound ports, attackers can use non-standard ports for communication to evade defenses."},{"technique":"T1599 - Network Boundary Bridging","reason":"Attackers can use egress rules to bridge network boundaries, aiding lateral movement or exfiltration"}],"usedInWild":true,"incidents":[{"description":"Trouble in Paradise","link":"https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"}],"researchLinks":[],"securityImplications":"Attackers might use AuthorizeSecurityGroupEgress to allow exfiltration.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}],"simulation":[{"type":"commandLine","value":"aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress"} +{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Adds the specified inbound (ingress) rules to a security group.","mitreAttackTactics":["TA0003 - Persistence","TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.004 - Remote Services: SSH","T1021.007 - Remote Services: Cloud Services"],"unverifiedMitreAttackTechniques":[{"technique":"T1133 - External Remote Services","reason":"By adding or modifying ingress rules, attackers can enable remote access to the EC2 instances, which is a direct use of the AuthorizeSecurityGroupIngress API call to allow external services."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Attackers can use the API call to allow inbound traffic, facilitating the transfer of tools or payloads directly into the compromised environment."},{"technique":"T1562 - Impair Defenses","reason":"Modifying security group rules to disable defenses or monitoring directly involves the AuthorizeSecurityGroupIngress API call."},{"technique":"T1069 - Permission Groups Discovery","reason":"Discovering which permission groups can modify security group rules is directly relevant as it informs the attacker's strategy to use the AuthorizeSecurityGroupIngress API call."},{"technique":"T1203 - Exploitation for Client Execution","reason":"If an attacker exploits a vulnerability and gains access to an AWS account, they might use the AuthorizeSecurityGroupIngress API call to allow them to exploit applications that were not previously reachable."},{"technique":"T1090 - Proxy","reason":"Attackers might modify ingress rules to allow traffic through a proxy, enabling them to route malicious traffic through the compromised environment."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Finding evil in AWS","link":"https://expel.com/blog/finding-evil-in-aws/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability","link":"https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"},{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"Opening a security group to the Internet","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/"}],"securityImplications":"Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}],"simulation":[{"type":"commandLine","value":"aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress"} +{"eventName":"CreateDefaultVpc","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.","mitreAttackTactics":["TA0003 - Persistence","TA0040 - Impact"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1021 - Remote Services","reason":"With a default VPC in place, adversaries can use it to establish connections between various services, facilitating lateral movement across different instances and resources."},{"technique":"T1133 - External Remote Services","reason":"The VPC configuration can be exploited to set up remote access points, which adversaries can use to maintain command and control over compromised resources."},{"technique":"T1041 - Exfiltration Over C2 Channel","reason":"Once command and control is established within the VPC, data can be exfiltrated through these channels without raising immediate suspicion, leveraging the network infrastructure."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-default-vpc"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc"} +{"eventName":"CreateImage","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1003 - OS Credential Dumping","reason":"Attackers can create an AMI, then analyze the offline image to perform credential dumping, extracting sensitive information from the instance's filesystem"},{"technique":"T1562 - Impair Defenses","reason":"Attackers can create an AMI from an instance, disable or alter security tools and configurations within the AMI, and redeploy the compromised AMI to evade detection and maintain control."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Creating an AMI involves creating a snapshot of the instance's state. Attackers can use this snapshot to capture and analyze the data and configurations of the instance, which may include sensitive information or enable further attacks."},{"technique":"T1098 - Account Manipulation","reason":"Attackers can use the CreateImage API to create an AMI from an instance they control. This AMI can then be used to deploy new instances with pre-configured settings, including backdoors or other malicious configurations, effectively manipulating accounts and resources within the cloud environment."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[],"securityImplications":"Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \"TrailDiscoverImageName\" --description \"TrailDiscoverImageDescription\""}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateImage"} +{"eventName":"CreateInstanceExportTask","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Exports a running or stopped instance to an Amazon S3 bucket.","mitreAttackTactics":["TA0009 - Collection","TA0010 - Exfiltration"],"mitreAttackTechniques":["T1005 - Data from Local System","T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1567 - Exfiltration Over Web Service","reason":"Exporting an EC2 instance to an S3 bucket involves transferring data over a web service, which aligns with exfiltrating data through a web-based method."},{"technique":"T1071 - Application Layer Protocol","reason":"The export task utilizes application layer protocols for communication, relevant for exfiltrating data using such protocols."},{"technique":"T1005 - Data from Local System","reason":"The instance's data being exported can be seen as collecting data from a local system before transferring it to another location."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EC2 VM Export Failure","link":"https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html"}],"securityImplications":"Attackers might use CreateInstanceExportTask to extract or exfiltrate information","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml"}],"simulation":[{"type":"commandLine","value":"aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask"} +{"eventName":"CreateKeyPair","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.001 - Account Manipulation: Additional Cloud Credentials"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The creation of a new key pair can facilitate unauthorized access to cloud accounts if an attacker obtains the private key, allowing them to log in and perform actions within the compromised account. By creating a new key pair, attackers can establish valid accounts that can be used to maintain access and evade detection, as the access looks legitimate. Similar to cloud accounts, valid local accounts can be exploited if the attacker uses the key pair to gain access to specific instances or services within the local environment. If the key pair is used to authenticate to domain accounts within the cloud environment, it can provide attackers with persistent access to those accounts, facilitating further malicious activities."},{"technique":"T1562 - Impair Defense","reason":"An attacker with a newly created key pair might use it to disable security tools or modify settings within the cloud environment to avoid detection and maintain persistence."},{"technique":"T1552 - Unsecured Credentials","reason":"The private key returned is unencrypted, which poses a risk if intercepted or improperly stored, leading to potential credential exposure. The private key might be stored in files within the cloud instances, which could be exploited by an attacker to gain unauthorized access."},{"technique":"T1040 - Network Sniffing","reason":"If the private key is transmitted over the network in plaintext, it can be intercepted by an attacker, leading to credential access."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"If the EC2 instance has permissions to access Cloud storage, the key can be used to get this data via the EC2 permissions"},{"technique":"T1212 - Exploitation for Credential Access","reason":"An attacker might exploit the creation and handling of key pairs to gain access to credentials if there are vulnerabilities or misconfigurations in how the keys are managed and stored."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use CreateKeyPair to generate keys that can latter be used to access EC2s.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-key-pair --key-name TrailDiscoverKeyPair"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateKeyPair"} +{"eventName":"CreateNetworkAclEntry","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates an entry (a rule) in a network ACL with the specified rule number.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1133 - External Remote Services"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Creating or modifying network ACLs can disable or alter firewall rules, thus impairing defenses. By modifying ACLs, attackers might disable security tools that rely on specific network configurations."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Modifying network ACLs could allow malicious payloads to be transferred into the network."},{"technique":"T1071 - Application Layer Protocol","reason":"By changing ACL rules, an attacker might permit unauthorized web traffic for command and control. By modifying network ACLs, an attacker could allow unauthorized email traffic for exfiltration or command and control."},{"technique":"T1021 - Remote Services","reason":"Creating or modifying ACL entries can facilitate unauthorized RDP access, aiding lateral movement."},{"technique":"T1090 - Proxy","reason":"Attackers could create ACL rules that permit traffic to and from external proxies, aiding command and control operations"},{"technique":"T1033 - System Owner/User Discovery","reason":"By modifying network ACL rules, an attacker can enable access to specific ports used by services like SMB (TCP/445). SMB ports are often used for sharing files and resources within a network. Access to these ports can provide the attacker with the ability to query for system information, users, and groups (such as through NetSessionEnum or NetUserEnum calls), helping them to discover the system owner or logged-in users, which aids in understanding the target environment."},{"technique":"T1078 - Valid Accounts","reason":"An attacker might create ACL entries to allow traffic to sites or services where the attacker has valid accounts."},{"technique":"T1049 - System Network Connections Discovery","reason":"Creating specific ACL rules might help attackers map out network connections and understand the network layout."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EC2 Network Access Control List Creation","link":"https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html"},{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}],"securityImplications":"Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}],"simulation":[{"type":"commandLine","value":"aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry"} +{"eventName":"CreateRoute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a route in a route table within a VPC.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1074 - Data Staged"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1090 - Proxy","reason":"Creating a route can facilitate the use of external proxies by directing traffic through a specific intermediary node. Using the CreateRoute API can set up routing that utilizes proxies to hide the origin of network traffic."},{"technique":"T1078 - Valid Accounts","reason":"The creation of routes might involve the use of compromised cloud accounts to establish persistence within a network."},{"technique":"T1570 - Lateral Tool Transfer","reason":"Routes can be used to facilitate the transfer of tools across different segments of a network, aiding lateral movement."},{"technique":"T1070: Indicator Removal","reason":"Creating routes might assist in evading detection and preserving stealth by directing traffic in a way that avoids logging mechanisms, aiding in the removal or obfuscation of evidence."},{"technique":"T1046: Network Service Discovery","reason":"Adjusting routes can help in discovering network services by ensuring that specific network segments are reachable, aiding in reconnaissance."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Ensure CloudWatch has an Alarm for Route Table Changes","link":"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change"},{"description":"AWS Incident Response","link":"https://easttimor.github.io/aws-incident-response/"}],"securityImplications":"Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13"}],"simulation":[{"type":"commandLine","value":"aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute"} +{"eventName":"CreateSecurityGroup","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a security group.","mitreAttackTactics":["TA0003 - Persistence","TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.001 - Remote Services: Remote Desktop Protocol","T1021.004 - Remote Services: SSH"],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"By creating or modifying security group rules, adversaries can manipulate the flow of network traffic to bypass security monitoring tools, which aids in defense evasion."},{"technique":"T1036 - Masquerading","reason":"By configuring security groups under seemingly legitimate purposes while actually facilitating malicious activities, adversaries can use this to disguise their network traffic and actions."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Adversaries may configure security groups to specifically allow traffic types that can cause application layer exhaustion, effectively using this method to flood systems with requests that exhaust resources and lead to service disruption."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"},{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10"}],"simulation":[{"type":"commandLine","value":"aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \"TrailDiscoverDescription\""}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup"} +{"eventName":"CreateSnapshot","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a snapshot of an EBS volume and stores it in Amazon S3.","mitreAttackTactics":["TA0008 - Lateral Movement","TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account","T1021 - Remote Services"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Creating a snapshot and storing it in S3 can be used to exfiltrate data by transferring it to another account or region."},{"technique":"T1003 - OS Credential Dumping","reason":"If an adversary has access to an EBS volume containing credentials, creating a snapshot of that volume could allow them to extract those credentials."},{"technique":"T1485 - Data Destruction","reason":"An adversary could create a snapshot before deleting the original volume, ensuring they can still access the data"},{"technique":"T1567 - Exfiltration Over Web Service","reason":"The snapshot data can be exfiltrated using AWS APIs, moving it to S3 or other cloud storage."},{"technique":"T1030 - Data Transfer Size Limits","reason":"Creating multiple snapshots to evade detection mechanisms that monitor for large data transfers."},{"technique":"T1027 - Obfuscated Files or Information","reason":"By creating snapshots of EBS volumes, adversaries can hide data transfers under the guise of legitimate backup operations. This makes it harder to distinguish between regular snapshot activities and potential malicious data movements."},{"technique":"T1074 - Data Staged","reason":"Snapshots can serve as a stage for data before exfiltration"},{"technique":"T1550 - Use Alternate Authentication Material","reason":"Adversaries might use stolen keys or other credentials extracted from snapshots as authentication material."},{"technique":"T1496 - Resource Hijacking","reason":"Adversaries could create snapshots and use them in other environments, leveraging the stored resources for malicious purposes."}],"usedInWild":true,"incidents":[{"description":"CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight","link":"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"},{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}],"researchLinks":[{"description":"Stealing an EBS snapshot by creating a snapshot and sharing it","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/"},{"description":"Exfiltrate EBS Snapshot by Sharing It","link":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/"}],"securityImplications":"Attackers might use ModifySnapshotAttribute to alter permissions on EBS snapshots, potentially exposing sensitive data to unauthorized parties.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 modify-snapshot-attribute --snapshot-id snap-1234567890abcdef0 --attribute createVolumePermission --operation-type remove --user-ids 123456789012"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute"} +{"eventName":"CreateTrafficMirrorFilter","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a Traffic Mirror filter.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1074 - Data Staged"],"mitreAttackSubTechniques":["T1074.002 - Data Staged: Remote Data Staging"],"unverifiedMitreAttackTechniques":[{"technique":"T1040 - Network Sniffing","reason":"By creating a Traffic Mirror filter, attackers can intercept and analyze network traffic to capture sensitive information. This directly relates to the ability to observe all mirrored network traffic."},{"technique":"T1046 - Network Service Scanning","reason":"raffic mirroring can be used to observe and scan network services and discover active services and devices on the network. By analyzing mirrored traffic, attackers can map the network and identify active services."},{"technique":"T1020 - Automated Exfiltration","reason":"Traffic mirroring can facilitate the automated exfiltration of data through observed network traffic. Mirrored traffic can be continuously collected and sent to an attacker's controlled server for automatic processing and exfiltration."},{"technique":"T1033 - System Owner/User Discovery","reason":"Mirrored traffic can help attackers discover information about system owners or users by analyzing the traffic. For instance, login attempts, user credentials, and other user-related information might be observed."},{"technique":"T1518 - Software Discovery","reason":"Traffic mirroring can be used to identify security software and appliances by analyzing network traffic. Attackers can look for traffic patterns related to security software to understand the defenses in place."},{"technique":"T1005 - Data from Local System","reason":"By capturing mirrored traffic, attackers can collect data from local systems indirectly by observing network communications. This can include files being transferred over the network, credentials, and other sensitive information."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use CreateTrafficMirrorFilter to clandestinely mirror network traffic for analysis or exfiltration.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-traffic-mirror-filter --description 'TCP Filter'"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilter"} +{"eventName":"CreateTrafficMirrorFilterRule","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a Traffic Mirror filter rule.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1074 - Data Staged"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1020 - Automated Collection","reason":"Traffic mirroring can automate the collection of network traffic, which can include sensitive data."},{"technique":"T1033 - System Owner/User Discovery","reason":"By intercepting traffic, an attacker can discover information about the system owner or users based on network communications."},{"technique":"T1071 - Application Layer Protocol","reason":"Traffic mirroring can help attackers understand and manipulate application layer protocols by observing the traffic."},{"technique":"T1040: Network Sniffing","reason":"Traffic mirroring is essentially a form of network sniffing, capturing data in transit for further analysis"},{"technique":"T1567: Exfiltration Over Web Service","reason":"Intercepted traffic can be exfiltrated over web services if the mirrored data is sent to an external destination."},{"technique":"T1213: Data from Information Repositories","reason":"T1213: Data from Information Repositories"},{"technique":"T1005: Data from Local System","reason":"Traffic mirroring can capture data from the local system that is transmitted over the network."},{"technique":"T1083: File and Directory Discovery","reason":"Analysis of mirrored traffic can help in discovering files and directories being accessed and used on the network"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use CreateTrafficMirrorFilterRule to fine-tune traffic mirroring for selective interception.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-traffic-mirror-filter-rule --description 'TCP Rule' --destination-cidr-block 0.0.0.0/0 --protocol 6 --rule-action accept --rule-number 1 --source-cidr-block 0.0.0.0/0 --traffic-direction ingress --traffic-mirror-filter-id tmf-04812ff784b25ae67"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorFilterRule"} +{"eventName":"CreateTrafficMirrorSession","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a Traffic Mirror session.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1074 - Data Staged"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1040 - Network Sniffing","reason":"By creating a Traffic Mirror session, an adversary can passively collect data on the network, capturing traffic to gather sensitive information."},{"technique":"T1071 - Application Layer Protocol","reason":"Traffic Mirror sessions can be used to monitor application layer protocols to understand communication patterns"},{"technique":"T1020 - Automated Exfiltration","reason":"The mirrored traffic could be sent to an external system for automated analysis and potential exfiltration of data."},{"technique":"T1036 - Masquerading","reason":"In the later stages of an attack, traffic mirrored sessions might help disguise malicious traffic by blending it with legitimate traffic, by using already learnt traffic patterns, aiding in evasion of detection"},{"technique":"T1018 - Remote System Discovery","reason":"Analyzing the mirrored traffic can provide information on remote systems, including their IP addresses and services, aiding in further discovery."},{"technique":"T1090 - Proxy","reason":"raffic Mirror can be utilized to capture and analyze traffic routed through proxy servers, identifying potential points of interest for further compromise."},{"technique":"T1119 - Automated Collection","reason":"Automating the creation of Traffic Mirror sessions allows for continuous data collection without manual intervention"},{"technique":"T1213 - Data from Information Repositories","reason":"Traffic Mirror sessions could capture data from repositories by monitoring traffic related to repository access"},{"technique":"T1560 - Archive Collected Data","reason":"Adversaries can use traffic mirroring to collect and then archive large amounts of network traffic for later analysis or exfiltration."},{"technique":"T1049 - System Network Connections Discovery","reason":"Monitoring mirrored traffic can reveal details about network connections on systems, such as active connections, protocols used, and the nature of the traffic."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use CreateTrafficMirrorSession to initiate a session for mirroring network traffic, potentially for malicious monitoring or data exfiltration.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-traffic-mirror-session --description TrailDiscoverDescription --traffic-mirror-target-id tmt-07f75d8feeEXAMPLE --network-interface-id eni-070203f901EXAMPLE --session-number 1 --packet-length 25 --traffic-mirror-filter-id tmf-04812ff784EXAMPLE"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorSession"} +{"eventName":"CreateTrafficMirrorTarget","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates a target for your Traffic Mirror session.","mitreAttackTactics":["TA0009 - Collection"],"mitreAttackTechniques":["T1074 - Data Staged"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1016 - System Network Configuration Discovery","reason":"When a Traffic Mirror target is created, it enables the capture of network traffic, which can be analyzed to understand the network configuration, including IP addresses, subnets, and routing."},{"technique":"T1046 - Network Service Scanning","reason":"Mirrored traffic provides visibility into the types of services running on the network, allowing adversaries to map out the network services and identify potential vulnerabilities."},{"technique":"T1071 - Application Layer Protocol","reason":"By examining the mirrored traffic, attackers can identify and understand the protocols used at the application layer, which can be exploited for further attacks."},{"technique":"T1567 - Exfiltration Over Web Service","reason":"The data captured through traffic mirroring can be exfiltrated via web services, making it easier for attackers to move large amounts of data without detection."},{"technique":"T1571 - Non-Standard Port","reason":"Traffic mirroring can uncover the use of non-standard ports, which can then be targeted in later stages of the attack for covert command and control communications."},{"technique":"1590 - Gather Victim Network Information","reason":"The detailed information gathered from traffic mirroring helps attackers build a comprehensive profile of the victim's network."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"By analyzing the traffic within a cloud environment, adversaries can discover cloud infrastructure details and configurations, which can be critical for planning further attacks."},{"technique":"T1033 - System Owner/User Discovery","reason":"Analysis of mirrored traffic can reveal information about system owners or users, which can be leveraged for further attacks."},{"technique":"T1005 - Data from Local System","reason":"Mirrored traffic can reveal sensitive data being transmitted within the network, which can be captured and analyzed."},{"technique":"T1020 - Automated Exfiltration","reason":"Traffic mirroring enables the continuous collection of network traffic, which can then be automatically exfiltrated for further analysis or exploitation."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget"} +{"eventName":"CreateVolume","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Creates an EBS volume that can be attached to an instance in the same Availability Zone.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.007 - Remote Services: Cloud Services"],"unverifiedMitreAttackTechniques":[{"technique":"T1003 - OS Credential Dumping","reason":"Attackers can create volumes and attach them to instances to access filesystems and potentially extract sensitive files such as /etc/passwd and /etc/shadow on Linux systems for credential dumping."},{"technique":"T1078 - Valid Accounts","reason":"By creating a volume from a snapshot that contains valid credentials or authentication tokens, attackers can gain persistent access to cloud resources."},{"technique":"T1202 - Indirect Command Execution","reason":"Attackers might use the creation of volumes and the data contained within them to execute commands indirectly by leveraging scripts or binaries stored in these volumes. Some of the commands could be called by methods like autorun scripts or similar"},{"technique":"T1496 - Resource Hijacking","reason":"Creating and using volumes for storing large amounts of data or for computational tasks can be a form of resource hijacking, impacting the cloud environment's availability and cost."},{"technique":"T1485 - Data Destruction","reason":"Attackers might use newly created volumes to overwrite sensitive data, effectively destroying it and causing a significant impact"},{"technique":"T1486 - Data Encrypted for Impact","reason":"Encrypted volumes can be used by attackers to encrypt data and then demand ransom for decryption keys, directly impacting data availability."},{"technique":"T1074 - Data Staged","reason":"Attackers can use created volumes to stage collected data locally before exfiltration, facilitating the organization and preparation of data for extraction."},{"technique":"T1036 - Masquerading","reason":"Attackers might create volumes that mimic legitimate snapshots or backups to evade detection and maintain persistent access by blending into normal operations."},{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Attackers can create volumes to transfer and store exfiltrated data within a cloud account, enabling them to securely move sensitive information out of the victim's environment"}],"usedInWild":true,"incidents":[{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}],"researchLinks":[],"securityImplications":"Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 create-volume --size 80 --availability-zone us-east-1a"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume"} +{"eventName":"DeleteFlowLogs","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Deletes one or more flow logs.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1089 - Disabling Security Tools"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting flow logs can remove indicators that were stored, making it harder to detect malicious activities"},{"technique":"T1562 - Impair Defenses","reason":"Disabling or deleting flow logs can impair defensive mechanisms by removing visibility into network traffic. It also supersedes T1089 since v7.1."},{"technique":"T1485 - Data Destruction","reason":"Deleting flow logs can be part of a broader data destruction strategy. By removing logs that track network activity, an attacker can ensure that no historical data remains to aid in the forensic investigation of their activities. This makes it significantly harder to trace malicious actions back to the perpetrator, thus effectively destroying critical evidence"},{"technique":"T1098 - Account Manipulation","reason":"Deleting flow logs can be part of account manipulation to hide tracks and activities conducted using compromised accounts."}],"usedInWild":true,"incidents":[{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Removing VPC flow logs","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/"},{"description":"AWS Incident Response","link":"https://github.com/easttimor/aws-incident-response"},{"description":"Proactive Cloud Security w/ AWS Organizations","link":"https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16"}],"securityImplications":"Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs"} +{"eventName":"DeleteNetworkAcl","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Deletes the specified network ACL.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall"],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"Deleting a network ACL can be a form of data destruction as it disrupts the network configuration, potentially leading to data loss or service disruption"},{"technique":"T1489 - Service Stop","reason":"Removing network ACLs can stop or disrupt services by blocking legitimate network traffic, effectively causing denial of service conditions"},{"technique":"T1531 - Account Access Removal","reason":"Deleting network ACLs can be part of a broader strategy to remove access to resources, making it difficult for legitimate users to access networked systems and services. For example, deleting a network ACL that allows SSH access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Ensure CloudWatch has an Alarm for Network ACL Changes","link":"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change"}],"securityImplications":"Attackers might use DeleteNetworkAcl to remove network access control lists, potentially opening up network segments for unauthorized access.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}],"simulation":[{"type":"commandLine","value":"aws ec2 delete-network-acl --network-acl-id TrailDiscoverNetworkAclId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAcl"} +{"eventName":"DeleteNetworkAclEntry","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Deletes the specified ingress or egress entry (rule) from the specified network ACL.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001: Impair Defenses - Disable or Modify Tools","T1562.004: Impair Defenses - Disable or Modify System Firewall"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Attackers may manipulate network ACLs as part of account manipulation to remove or alter security controls. This can enable unauthorized access or disrupt normal operations within the cloud environment."},{"technique":"T1531 - Account Access Removal","reason":"Deleting network ACL entries could be part of an attack to disrupt services and remove access to accounts, affecting the availability of resources. For example, deleting a network ACL that allows SSH access."},{"technique":"T1489 - Service Stop","reason":"By deleting critical network ACL entries, an attacker can disrupt or stop essential services by either blocking required traffic or allowing malicious traffic, leading to a service interruption."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Ensure CloudWatch has an Alarm for Network ACL Changes","link":"https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change"}],"securityImplications":"Attackers might use DeleteNetworkAclEntry to remove specific rules from network access control lists, potentially opening network paths for unauthorized access.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11"}],"simulation":[{"type":"commandLine","value":"aws ec2 delete-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DeleteNetworkAclEntry"} +{"eventName":"DeleteSnapshot","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Deletes the specified snapshot.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting snapshots can be part of an effort to remove indicators of compromise or evidence of malicious activity."},{"technique":"T1486 - Data Encrypted for Impact","reason":"If the adversary has encrypted the data and then deletes snapshots, it makes recovery impossible without the decryption keys, thus increasing the impact."},{"technique":"T1565 - Data Manipulation","reason":"Deleting snapshots can be a form of manipulating stored data, particularly if snapshots are used for data recovery and the deletion disrupts normal recovery processes."},{"technique":"T1561 - Disk Wipe","reason":"Deleting snapshots can be considered a form of disk wipe if the snapshots contain the only copies of certain data, effectively wiping that data from existence."}],"usedInWild":true,"incidents":[{"description":"Hacker Puts Hosting Service Code Spaces Out of Business","link":"https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteSnapshot to erase Amazon EBS snapshots, potentially destroying backup data and hampering recovery efforts after an attack.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 delete-snapshot --snapshot-id TrailDiscoverSnapshotId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DeleteSnapshot"} +{"eventName":"DeleteVolume","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting an EBS volume can be used to remove evidence of malicious activity, such as log files or other data stored on the volume."},{"technique":"T1485 - Data Destruction","reason":"The deletion of an EBS volume results in the permanent loss of the data it contained, which is a form of data destruction."},{"technique":"T1561 - Disk Wipe","reason":"Deleting the volume ensures that all data on the volume is removed, which is similar to a disk wipe."}],"usedInWild":true,"incidents":[{"description":"Hacker Puts Hosting Service Code Spaces Out of Business","link":"https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 delete-volume --volume-id TrailDiscoverVolumeId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume"} +{"eventName":"DescribeAccountAttributes","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes attributes of your AWS account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"By describing the account attributes, an adversary can gather information about the AWS environment, such as supported platforms, EC2 limitations, and default settings, which aids in understanding the overall cloud infrastructure."},{"technique":"T1069 - Permission Groups Discovery","reason":"Understanding the maximum number of security groups that can be assigned to a network interface can help an adversary in identifying the possible scope and structure of permissions within the account."},{"technique":"T1526 - Cloud Service Discovery","reason":"his technique is relevant as it involves obtaining information about the cloud services and configurations, such as the maximum number of instances and Elastic IP addresses, supported platforms, and default VPC ID"},{"technique":"T1538 - Cloud Service Dashboard","reason":"Accessing the account attributes via the API is akin to viewing settings in the cloud service dashboard, providing a view into the configurations and limitations of the AWS environment."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeAccountAttributes to gather detailed information about AWS account configurations and limits.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-account-attributes --attribute-names TrailDiscoverAttribute"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeAccountAttributes"} +{"eventName":"DescribeAvailabilityZones","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Knowing the availability zones is a part of system information that an attacker might want to know. This API call provides insights into the environment setup and operational state."},{"technique":"T1526 - Cloud Service Discovery","reason":"The DescribeAvailabilityZones API call provides information about the geographical distribution of cloud services, aiding in the identification of cloud services in use."},{"technique":"T1018 - Remote System Discovery","reason":"By knowing which availability zones are in use, attackers can identify the distribution of systems and services across the cloud environment. This helps in mapping the network architecture and planning subsequent lateral movement or targeted attacks."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones"} +{"eventName":"DescribeBundleTasks","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified bundle tasks or all of your bundle tasks.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The DescribeBundleTasks API call can provide details about the instance, which can be used to gather information about the system's configuration and status. The description of what a Bundle Task is not even available on AWS anymore."},{"technique":"T1553.002 - Subvert Trust Controls: Code Signing","reason":"nsuring that the bundled data is from a legitimate source and not tampered with might involve code signing, particularly if the bundle is intended for deployment or transfer. The description of what a Bundle Task is not even available on AWS anymore."},{"technique":"T1074 - Data Staged","reason":"The bundling process involves staging data for bundling and transfer, which is a crucial step in the data management process. The description of what a Bundle Task is not even available on AWS anymore."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeBundleTasks to gain insights into the bundling tasks of EC2 instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-bundle-tasks --bundle-ids TrailDiscoverBundleId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeBundleTasks"} +{"eventName":"DescribeCarrierGateways","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes one or more of your carrier gateways.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1016 - System Network Configuration Discovery","reason":"This API call helps in discovering the network configuration, including the carrier gateway, which can provide insight into how traffic is routed"},{"technique":"T1049 - System Network Connections Discovery","reason":"Describing the carrier gateways can reveal details about network connections and traffic flow between Wavelength Zones and carrier networks."},{"technique":"T1090 - Proxy","reason":"Carrier gateways' NAT function can be leveraged to hide the source of attack traffic, aiding in defense evasion"},{"technique":"T1078 - Valid Accounts","reason":"Identifying carrier gateways could be useful for attackers aiming to gain access to the network using valid accounts"},{"technique":"T1210 - Exploitation of Remote Services","reason":"Knowing the setup of carrier gateways can help in exploiting remote services that rely on this infrastructure"},{"technique":"T1482 - Domain Trust Discovery","reason":"Insights into carrier gateways might reveal trust relationships between different network segments and domains"},{"technique":"T1018 - Remote System Discovery","reason":"Information from the carrier gateway description can help identify other remote systems within the network."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeCarrierGateways to uncover details about carrier gateways in an AWS environment, which could reveal network configurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-carrier-gateways --carrier-gateway-ids TrailDiscoverCarrierGatewayId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeCarrierGateways"} +{"eventName":"DescribeClientVpnRoutes","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the routes for the specified Client VPN endpoint.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1046 - Network Service Scanning","reason":"An adversary might use DescribeClientVpnRoutes to enumerate network routes within the VPN, identifying potential targets and pivot points within the network."},{"technique":"T1021- Remote Services","reason":"This API call can provide details on how to access different parts of the network remotely, which could facilitate lateral movement or remote execution of commands"},{"technique":"T1016 - System Network Configuration Discovery","reason":"Information from DescribeClientVpnRoutes can reveal internal network structures, including IP ranges and network topologies, which can be used for further discovery and evasion activities"}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeClientVpnRoutes to gather information about the routing configuration of an AWS Client VPN endpoint, potentially identifying routes that could be exploited for network access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeClientVpnRoutes"} +{"eventName":"DescribeDhcpOptions","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes one or more of your DHCP options sets.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1049 - System Network Connections Discovery","reason":"Describing DHCP options is directly related to understanding network configurations and connections within the AWS environment"},{"technique":"T1590 - Gather Victim Network Information","reason":"The DHCP options can reveal information about DNS servers, domain names, NTP servers, and other network configurations, aiding in network discovery"},{"technique":"T1018 - Remote System Discovery","reason":"Describing DHCP options can help attackers discover remote systems within the network, providing a map of targets for lateral movement."},{"technique":"T1033 - System Owner/User Discovery","reason":"Understanding DHCP options might reveal information about the system owners or users, helping attackers tailor their strategies for further exploitation."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions"} +{"eventName":"DescribeFlowLogs","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes one or more flow logs.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1033 - System Owner/User Discovery","reason":"Describing flow logs can help attackers understand which users are accessing specific network resources."},{"technique":"T1016 - System Network Configuration Discovery","reason":"Flow logs can reveal network configurations, allowing attackers to map out the network layout"},{"technique":"T1040 - Network Sniffing","reason":"By analyzing flow logs, attackers can infer traffic patterns and potentially sensitive information about network communications"},{"technique":"T1020 - Automated Collection","reason":"Attackers can use the flow logs to automate the collection of network traffic data for further analysis"}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs"} +{"eventName":"DescribeImages","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"DescribeImages can be used to gather detailed information about the system images in use, which is critical for planning further attacks or understanding the environment."},{"technique":"T1202 - Indirect Command Execution","reason":"By using DescribeImages, attackers can identify images that may allow them to indirectly execute commands through specific software or configurations present in the images"},{"technique":"T1608 - Stage Capabilities","reason":"An attacker might use DescribeImages to find specific images to stage capabilities like installing digital certificates on chosen instances."},{"technique":"T1083 - File and Directory Discovery","reason":"DescribeImages can reveal the existence and properties of files and directories associated with specific AMIs, aiding in discovery efforts"},{"technique":"T1613 - Container and Resource Discovery","reason":"Attackers can use DescribeImages to identify available container images and resources in the environment. This helps them understand the infrastructure and identify potential targets for exploitation within containerized applications."},{"technique":"T1526 - Cloud Service Discovery","reason":"Using DescribeImages helps attackers discover available cloud services, their configurations, and associated resources."},{"technique":"T1195 - Supply Chain Compromise","reason":"Attackers can use DescribeImages to identify and exploit vulnerabilities in the software dependencies and development tools used within specific images, leading to a supply chain compromise."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-images --filters Name=name,Values=TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages"} +{"eventName":"DescribeInstanceAttribute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified attribute of the specified instance. You can specify only one attribute at a time.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Using DescribeInstanceAttribute can reveal information about the instance's configuration, such as instance type, which aids in understanding the system environment."},{"technique":"T1078 - Valid Accounts","reason":"Information about the instance attributes can be used to identify potential valid accounts associated with the instance, particularly if the attribute reveals details about the IAM roles or users associated with it."},{"technique":"T1069 - Permission Groups Discovery","reason":"Describing instance attributes can provide details about the permissions and security groups associated with the instance, aiding in the discovery of network access control configurations."},{"technique":"T1033 - System Owner/User Discovery","reason":"The attribute information might include details about the instance owner or users, helping to identify key individuals for potential targeted attacks"},{"technique":"T1074 - Data Staged","reason":"Information about storage attributes of an instance can help in planning the staging of data for exfiltration."},{"technique":"T1007 - System Service Discovery","reason":"Attributes related to the services running on the instance can be described, aiding in the discovery of available services for further exploitation."},{"technique":"T1018 - Remote System Discovery","reason":"Details about network interfaces and configurations discovered through instance attributes can assist in identifying other remote systems and services within the network."},{"technique":"T1518 - Software Discovery","reason":"Describing instance attributes may reveal information about the installed software and applications, assisting in software discovery efforts."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute"} +{"eventName":"DescribeInstanceTypes","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the details of the instance types that are offered in a location.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1590 - Gather Victim Network Information","reason":"By describing instance types, attackers can identify the network configurations and resources used in the target's AWS environment. This information aids in understanding the network structure and potential vulnerabilities that could be exploited."},{"technique":"T1082 - System Information Discovery","reason":"DescribeInstanceTypes provides detailed information about different instance types, including their capabilities and configurations, which can help an attacker understand the system architecture and capabilities."},{"technique":"T1213 - Data from Information Repositories","reason":"Knowing the types of instances helps in determining how data might be stored or managed in cloud repositories, aiding in planning data collection strategies."},{"technique":"T1592 - Gather Victim Host Information","reason":"DescribeInstanceTypes can provide details on the hardware and software configurations of the instances, helping attackers gather comprehensive information about the victim's host environment."},{"technique":"T1046 - Network Service Discovery","reason":"By knowing the instance types, attackers can infer what network services might be running, aiding in the discovery of network service configurations and potential vulnerabilities."},{"technique":"T1526 - Cloud Service Discovery","reason":"DescribeInstanceTypes helps attackers discover the available cloud services and their configurations, which is crucial for understanding the overall cloud environment and potential targets."},{"technique":"T1497 - Virtualization/Sandbox Evasion","reason":"Knowing the instance types can help attackers tailor their techniques to evade detection within virtualized environments specific to the cloud infrastructure in use."},{"technique":"T1482 - Domain Trust Discovery","reason":"DescribeInstanceTypes can provide insights into the types of instances and their configurations, which may include details relevant to domain trust relationships within the cloud infrastructure."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeInstanceTypes to assess the capabilities and resources of EC2 instance types.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-instance-types --instance-types TrailDiscoverInstanceType"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceTypes"} +{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified instances or all instances.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The DescribeInstances call provides detailed information about the EC2 instances, including instance type, state, and configuration details. This information is essential for an adversary performing system information discovery to understand the environment."},{"technique":"T1033 - System Owner/User Discovery","reason":"The DescribeInstances output can include tags and other metadata that may contain user information, helping adversaries to identify system owners and users."},{"technique":"T1562 - Impair Defenses","reason":"Discovering the details of security configurations, such as security groups and network ACLs associated with instances, can help adversaries to plan how to impair or bypass defenses"},{"technique":"T1098 - Account Manipulation","reason":"Understanding the details of EC2 instances can enable an adversary to manipulate accounts associated with those instances, such as creating or deleting IAM roles attached to instances."},{"technique":"T1016 - System Network Configuration Discovery","reason":"DescribeInstances can reveal network configurations of instances, including VPC, subnet, and security group details, aiding in network discovery"},{"technique":"T1046 - Network Service Scanning","reason":"While DescribeInstances does not directly perform network service scanning, the information it provides about instance IP addresses and configurations can be used to facilitate subsequent network scanning activities."},{"technique":"T1210 - Exploitation of Remote Services","reason":"Detailed information about EC2 instances, such as their public IP addresses and running services, can be used to exploit remote services running on these instances."},{"technique":"T1135 - Network Share Discovery","reason":"Information from DescribeInstances can indicate the presence of network shares or attached storage, which may be targeted for further discovery or exploitation."},{"technique":"T1057 - Process Discovery","reason":"DescribeInstances can provide insights into the software and processes running on the instances, helping adversaries identify potential targets for process discovery and further exploitation."}],"usedInWild":true,"incidents":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"researchLinks":[{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances"} +{"eventName":"DescribeKeyPairs","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified key pairs or all of your key pairs.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Service Discovery","reason":"The DescribeKeyPairs API call can be used to enumerate key pairs associated with EC2 instances, which aids in discovering cloud resources and configurations."},{"technique":"T1528 - Steal Application Access Token","reason":"Key pairs can be used to steal application access tokens if they are used for application authentication mechanisms."}],"usedInWild":true,"incidents":[{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs"} +{"eventName":"DescribeRegions","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the Regions that are enabled for your account, or all Regions.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1590 - Gather Victim Network Information","reason":"Attackers can use the DescribeRegions API call to obtain information about the cloud regions where a victim's resources are deployed. This helps in mapping the network and understanding the potential attack surface."},{"technique":"T1082 - System Information Discovery","reason":"By utilizing DescribeRegions, attackers can gain insights into the geographical distribution of the victim's cloud infrastructure, contributing to the overall system information."},{"technique":"T1213 - Data from Information Repositories","reason":"DescribeRegions gives access to the regional metadata of AWS, which acts as an information repository. Attackers may exploit this data to gain insights into the structure and status of the cloud environment."},{"technique":"T1135 - Network Share Discovery","reason":"Although not directly relevant attackers can use DescribeRegions to understand the layout of network resources across different regions, which can aid in discovering network shares and how resources are distributed geographically."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-regions"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions"} +{"eventName":"GetLaunchTemplateData","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Retrieves the configuration data of the specified instance. You can use this data to create a launch template.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The GetLaunchTemplateData API call retrieves configuration data of an instance, providing detailed information about the system, including its configurations and metadata."},{"technique":"T1046 - Network Service Scanning","reason":"Information about the instance's network configurations can aid in scanning for active services and identifying potential targets"},{"technique":"T1560 - Archive Collected Data","reason":"Adversaries might use the gathered configuration data to create archives for exfiltration purposes"},{"technique":"T1033 - System Owner/User Discovery","reason":"The GetLaunchTemplateData call may reveal information about the system owner or users associated with the instance."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData"} +{"eventName":"DescribeSecurityGroups","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified security groups or all of your security groups.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1526 - Cloud Service Discovery","reason":"The DescribeSecurityGroups API call allows an adversary to gather information about security groups, which is crucial for understanding the security posture and configurations of the cloud environment"},{"technique":"T1087 - Account Discovery","reason":"By describing security groups, adversaries can infer the roles and privileges associated with different accounts and identify potential targets for further compromise."},{"technique":"T1046 - Network Service Scanning","reason":"Knowledge of security group configurations can help adversaries understand which network services are exposed, enabling them to scan for open ports and services"},{"technique":"T1069 - Permission Groups Discovery","reason":"Security groups often define permissions for accessing various resources within the cloud environment. Understanding these groups can help adversaries identify critical permissions and exploit them."},{"technique":"T1105 - Ingress Tool Transfer","reason":"If an adversary identifies security groups that allow inbound access, they might transfer tools or malware into the environment through these entry points"},{"technique":"T1071 - Application Layer Protocol","reason":"Understanding security group rules helps adversaries in crafting communication methods that can bypass security controls using allowed protocols."},{"technique":"T1040 - Network Sniffing","reason":"By knowing the security groups, adversaries can position themselves in a network segment where they can capture sensitive traffic."},{"technique":"T1021 - Remote Services","reason":"Knowledge of security group configurations that allow remote services access can be exploited to move laterally within the network using those services."}],"usedInWild":true,"incidents":[{"description":"Case Study: Responding to an Attack in AWS","link":"https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeSecurityGroups to review AWS VPC security group configurations, seeking misconfigurations that could be exploited for unauthorized access or to bypass network security controls.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-security-groups --group-names TrailDiscoverSecurityGroup"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeSecurityGroups"} +{"eventName":"DescribeSnapshotAttribute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified attribute of the specified snapshot.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"By describing snapshot attributes, an adversary can discover accounts associated with specific snapshots, providing insight into user and service accounts in the environment."},{"technique":"T1530 - Data from Cloud Storage","reason":" Snapshots often contain data stored in the cloud, and describing their attributes is a step towards accessing and exploiting this data."},{"technique":"T1119 - Automated Collection","reason":"DescribeSnapshotAttribute can be used in scripts to automatically collect data on snapshots for further analysis or malicious use."},{"technique":"T1033 - System Owner/User Discovery","reason":"By gathering detailed information about snapshots, an adversary can infer the system owner or user details, which is crucial for furthering their attack strategy."},{"technique":"T1602 - Data from Configuration Repository","reason":"Snapshot attributes may include configuration information that could be valuable for understanding the environment or identifying further targets for exfiltration or attack."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute"} +{"eventName":"DescribeSnapshotTierStatus","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the storage tier status of one or more Amazon EBS snapshots.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"By analyzing the snapshot tier status, an attacker could infer which accounts have access to particular snapshots, thereby gaining insights into the account structures and permissions within the target environment."},{"technique":"T1033 - System Owner/User Discovery","reason":"Information about the storage tier status of snapshots includes metadata that helps identify system owners or users associated with those snapshots, thus aiding in the discovery of target users within the environment."},{"technique":"T1213 - Data from Information Repositories","reason":"This API call provides detailed information about EBS snapshots, which are a form of cloud storage. An attacker can use this to identify and access sensitive data stored within these snapshots."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-snapshot-tier-status"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus"} +{"eventName":"DescribeTransitGatewayMulticastDomains","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes one or more transit gateway multicast domains.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1590 - Gather Victim Network Information","reason":"This api call involves identifying details about the victim's network, such as the structure and topology, which can be aided by describing transit gateway multicast domains."},{"technique":"T1592 - Gather Victim Host Information","reason":"The information from the API call could help an attacker understand the hosts connected via the multicast domains."},{"technique":"T1087 - Account Discovery","reason":"Information from transit gateway multicast domains could include details about the accounts associated with them."},{"technique":"T1049 - System Network Connections Discovery","reason":"Describing multicast domains helps in mapping out system network connections."},{"technique":"T1033 - System Owner/User Discovery","reason":"The API call may return information about the users or owners of the systems within the multicast domains."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains"} +{"eventName":"DescribeVolumes","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the specified EBS volumes or all of your EBS volumes.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The DescribeVolumes API call can reveal information about EBS volumes which might contain details about the accounts that created or use them."},{"technique":"T1526 - Cloud Service Discovery","reason":"DescribeVolumes allows attackers to list and understand the configuration of EBS volumes within a cloud environment. This information helps map out the storage resources, potentially revealing sensitive data or misconfigurations."},{"technique":"T1069 - Permission Groups Discovery","reason":"By describing volumes, attackers can infer the permissions set on EBS volumes and potentially discover groups with access to these volumes"},{"technique":"T1613 - Container and Resource Discovery","reason":"Volumes can be linked to container storage. Discovering volumes helps in mapping container usage and dependencies"}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeVolumes to enumerate EBS volumes in an AWS environment, identifying valuable data storage.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-volumes --volume-ids TrailDiscoverVolumeId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumes"} +{"eventName":"DescribeVolumesModifications","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the most recent volume modification request for the specified EBS volumes.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Viewing volume modifications might help attackers understand cloud account structures and usage patterns, aiding in discovering privileged accounts"}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeVolumesModifications to track changes in EBS volumes.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications"} +{"eventName":"DescribeVpcEndpointConnectionNotifications","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the connection notifications for VPC endpoints and VPC endpoint services.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1135 - Network Share Discovery","reason":"Describing VPC endpoint connection notifications can help identify shared resources within the VPC, providing information on the network structure and potential entry points."},{"technique":"T1049 - System Network Connections Discovery","reason":"By describing VPC endpoint connection notifications, an attacker can gather information about the network connections and endpoints configured in the VPC."},{"technique":"T1007 - Network Service Scanning","reason":"Describing VPC endpoint connection notifications can reveal details about network services in use, which can be leveraged for further network service scanning."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications"} +{"eventName":"DescribeVpcs","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes one or more of your VPCs.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1016 - System Network Configuration Discovery","reason":"Understanding the network configuration by querying VPCs helps an attacker identify the architecture, including subnets, route tables, and network ACLs. This information can reveal how the network is structured and potential points for further exploitation."},{"technique":"T1040 - Network Sniffing","reason":"By describing the VPCs, attackers can identify potential points of network sniffing to capture valuable information traversing the network."},{"technique":"T1087 - Account Discovery","reason":"Understanding the VPCs helps in mapping out the cloud environment, potentially identifying accounts that manage or are associated with those VPCs."},{"technique":"T1482 - Domain Trust Discovery","reason":"By describing VPCs, adversaries can identify trusts between different VPCs or between on-premises and cloud environments, aiding lateral movement and privilege escalation attempts."},{"technique":"T1590 - Gather Victim Network Information","reason":"Describing VPCs directly aligns with gathering information about cloud network configurations, including CIDR blocks, subnets, and associated components."},{"technique":"T1526 - Cloud Service Discovery","reason":"Discovering details about VPCs is part of a broader effort to map out cloud services and their configurations, providing a clearer picture of the cloud environment's landscape."}],"usedInWild":true,"incidents":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeVpcs to enumerate all Virtual Private Clouds (VPCs) within an AWS environment, aiming to map out network architectures.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 describe-vpcs --vpc-ids TrailDiscoverVpcId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcs"} +{"eventName":"EnableSerialConsoleAccess","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Enables access to the EC2 serial console of all instances for your account.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.008 - Remote Services: Direct Cloud VM Connections"],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Enabling serial console access allows attackers to execute commands directly in the Unix shell of the EC2 instances."},{"technique":"T1098 - Account Manipulation","reason":"Serial console access can be used to manipulate or create new accounts on the instance, ensuring persistent access."},{"technique":"T1037 - Boot or Logon Initialization Scripts","reason":"Attackers can use the console to modify initialization scripts, ensuring their scripts run on startup for persistence."},{"technique":"T1078 - Valid Accounts","reason":"Serial console access might be exploited using compromised credentials, allowing attackers to use valid accounts to access the console."},{"technique":"T1547 - Boot or Logon Autostart Execution","reason":"The serial console can be used to modify system configurations or add scripts to ensure code execution upon system start."},{"technique":"T1543 - Create or Modify System Process","reason":"If the instances are running Windows, attackers might use the serial console to create or modify services for persistence and privilege escalation."},{"technique":"T1055 - Process Injection","reason":"Serial console access could potentially be used for injecting code into running processes to evade defenses"},{"technique":"T1207 - Rogue Domain Controller","reason":"Attackers with console access could promote a compromised instance to a domain controller in an Active Directory environment, escalating privileges."},{"technique":"T1070 - Indicator Removal","reason":"The serial console allows attackers to directly interact with the system to delete logs and other indicators of their presence."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"How to detect EC2 Serial Console enabled","link":"https://sysdig.com/blog/ec2-serial-console-enabled/"},{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 enable-serial-console-access"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess"} +{"eventName":"GetConsoleScreenshot","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1113 - Screen Capture","reason":"The GetConsoleScreenshot API call captures a screenshot of a running EC2 instance, providing a visual snapshot of the system's state. This can reveal sensitive information displayed on the screen, such as open applications, user activities, or visible credentials."},{"technique":"T1087 - Account Discovery","reason":"The screenshot can provide insights into user accounts and other details visible on the instance, aiding in account discovery."},{"technique":"T1057 - Process Discovery","reason":"The screenshot might reveal running processes or applications, helping in process discovery."},{"technique":"T1016 - System Network Configuration Discovery","reason":"Screenshots may reveal network configurations displayed on the system's desktop."},{"technique":"T1018 - Remote System Discovery","reason":"Information visible in the screenshot might provide details about other systems or network topology."},{"technique":"T1110 - Brute Force","reason":"If the screenshot shows login prompts or error messages related to login attempts, it can aid in brute force attempts."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot"} +{"eventName":"GetEbsDefaultKmsKeyId","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes the default AWS KMS key for EBS encryption by default for your account in this Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Retrieving the default KMS key provides information about the encryption settings of the EBS volumes in the account."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"By knowing the KMS key, attackers could potentially access encrypted data if they manage to retrieve the corresponding encrypted volumes."},{"technique":"T1562 - Impair Defenses","reason":"Attackers could use this information to modify or disable encryption settings, impacting defenses."},{"technique":"T1036 - Masquerading","reason":"Attackers might use the default KMS key information to create resources that appear legitimate but are malicious in nature."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-ebs-default-kms-key-id"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId"} +{"eventName":"GetEbsEncryptionByDefault","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Describes whether EBS encryption by default is enabled for your account in the current Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1538 - Cloud Service Dashboard","reason":"Accessing configuration information through API calls to understand settings."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetEbsEncryptionByDefault to determine if new Amazon EBS volumes are encrypted by default, seeking to exploit unencrypted volumes.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-ebs-encryption-by-default"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetEbsEncryptionByDefault"} +{"eventName":"GetFlowLogsIntegrationTemplate","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By analyzing the resulting template, adversaries might identify configurations and permissions related to valid accounts"},{"technique":"T1203 - Exploitation for Client Execution","reason":"The template could potentially include commands or scripts that are executed in the cloud environment, exploiting existing vulnerabilities for execution."},{"technique":"T1562 - Impair Defenses","reason":"The template could include configurations that disable or alter logging, monitoring, or other security tools."},{"technique":"T1027 - Obfuscated Files or Information","reason":"The CloudFormation template could include obfuscated scripts or configurations to evade detection"},{"technique":"T1210 - Exploitation of Remote Services","reason":"The setup process defined in the template might interact with remote services, offering a vector for exploitation."},{"technique":"T1046 - Network Service Scanning","reason":"The information gleaned from the template can assist adversaries in understanding the network services in use, aiding in further network scanning and enumeration."},{"technique":"T1497 - Virtualization/Sandbox Evasion","reason":"The template could be designed to detect and avoid execution within certain virtualized environments or sandboxes, thereby evading analysis or detection."},{"technique":"T1059 - Command and Scripting Interpreter","reason":"The CloudFormation template might include scripts executed via command and scripting interpreters, which can be leveraged for execution."},{"technique":"T1560 - Archive Collected Data","reason":"By using the CloudFormation template to configure the VPC flow logs integration, adversaries can automate the collection, archiving, and storage of flow logs data, potentially using S3 to archive collected logs before exfiltration or analysis."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate"} +{"eventName":"GetPasswordData","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Retrieves the encrypted administrator password for a running Windows instance.","mitreAttackTactics":["TA0006 - Credential Access"],"mitreAttackTechniques":["T1555 - Credentials from Password Stores"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By decrypting the administrator password with the key pair, an attacker can obtain valid credentials for the Windows instance, allowing them to log in with legitimate access. z If the Windows instance is part of a domain, obtaining the administrator password could provide domain-level access, enabling further exploitation within the domain. The password retrieved is for the local administrator account, giving full access to the instance's local resources and potentially allowing further escalation."},{"technique":"T1098 - Account Manipulation","reason":"Attackers can use the retrieved administrator credentials to create new accounts or manipulate existing ones to ensure continued access to the instance."},{"technique":"T1531 - Account Access Removal","reason":"With the administrator password, an attacker can remove access to existing accounts, locking out legitimate users and maintaining control over the instance."},{"technique":"T1548.002 - Abuse Elevation Control Mechanism","reason":"Once an attacker has the administrator password, they can bypass User Account Control (UAC) on the instance to elevate privileges without user consent."},{"technique":"T1070 - Indicator Removal","reason":"An attacker with administrator access might delete logs and other files to cover their tracks and ensure persistent access without detection."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-password-data --instance-id TrailDiscoverInstanceId"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData"} +{"eventName":"GetTransitGatewayRouteTableAssociations","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Gets information about the associations for the specified transit gateway route table.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1018 - Remote System Discovery","reason":"The API call provides information about the transit gateway route table associations, which can be used to identify and map remote systems within the network."},{"technique":"T1423 - Network Service Scanning","reason":"Understanding route table associations helps in scanning and identifying active services and their routing paths, facilitating network service discovery."},{"technique":"T1133 - External Remote Services","reason":"By analyzing transit gateway associations, attackers can identify potential external services that can be targeted for initial access or further exploitation"},{"technique":"T1219 - Remote Access Software","reason":"Knowledge of network routes and associations is crucial for deploying and managing remote access tools within the network"},{"technique":"T1570 - Lateral Tool Transfer","reason":"Route table information can be used to facilitate the transfer of tools across different segments of the network, aiding lateral movement."},{"technique":"T1021 - Remote Services","reason":"The information obtained from the API call can be used to identify and exploit remote services for lateral movement or persistence"},{"technique":"T1071 - Application Layer Protocol","reason":"Attackers can use knowledge of network routing to communicate using application layer protocols that traverse the transit gateway routes"},{"technique":"T1590 - Gather Victim Network Information","reason":"The transit gateway route table associations provide valuable insights into the network's structure and configuration, useful for gathering detailed network information"}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations"} +{"eventName":"ImportKeyPair","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.001 - Account Manipulation: Additional Cloud Credentials"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"An attacker can import their own key pair to gain initial access to the AWS environment using a compromised or newly created account. The imported key can also be used to maintain persistent access. This can be applied to both cloud and domain accounts in the cloud, ensuring access across different services."},{"technique":"T1070 - Indicator Removal","reason":"Attackers may delete logs or evidence after importing the keypair."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"}],"securityImplications":"Attackers might use ImportKeyPair to upload malicious SSH keys to AWS EC2 instances, granting unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ImportKeyPair"} +{"eventName":"ModifyImageAttribute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Modifies the specified attribute of the specified AMI.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Modifying AMI launch permissions could allow an attacker to grant additional cloud accounts the ability to launch instances with the compromised AMI."},{"technique":"T1078 - Valid Accounts","reason":"Modifying launchPermission can be used to grant access to valid accounts or remove access, effectively controlling which accounts can launch instances from the AMI."},{"technique":"T1003 - OS Credential Dumping","reason":"Changing launch permissions to launch the AMI in an attacker AWS account might grant attackers access to instances where they can execute credential dumping tools."},{"technique":"T1021 - Remote Services","reason":"If the AMI is launched by specific users, it could enable the attacker to move laterally by exploiting remote services and admin privileges."},{"technique":"T1036 - Masquerading","reason":"By modifying the AMI description, attackers can disguise malicious activities under benign-sounding descriptions to evade detection."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS AMI Atttribute Modification for Exfiltration","link":"https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/"}],"securityImplications":"Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute"} +{"eventName":"ModifyInstanceAttribute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Modifies the specified attribute of the specified instance.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Modifying instance attributes can involve, via modifications of the UserData, changing account settings to maintain access to the instance, including the use or creation of default, local, or cloud accounts."},{"technique":"T1562 - Impair Defenses","reason":"Via modifications of the UserData an attacker could disable or modify security tools and defenses on the instance, impairing the system's ability to detect or respond to threats"},{"technique":"T1496 - Resource Hijacking","reason":"Modifying instance attributes could allow the hijacking of resources for unauthorized uses such as cryptocurrency mining. You could also increase the size of CPU or RAM"},{"technique":"T1485 - Data Destruction","reason":"Changes in instance attributes could be used to facilitate the destruction of data on the instance, impacting the integrity and availability of information."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Executing commands through EC2 user data","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"},{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"EC2 Privilege Escalation Through User Data","link":"https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/"},{"description":"User Data Script Persistence","link":"https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"},{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml"}],"simulation":[{"type":"commandLine","value":"aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute"} +{"eventName":"ModifySnapshotAttribute","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Adds or removes permission settings for the specified snapshot.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By adding permissions to a snapshot, attackers can grant access to unauthorized cloud accounts or default accounts, which can be used for persistence and privilege escalation."},{"technique":"T1552 - Unsecured Credentials","reason":"Adding permissions to a snapshot might expose sensitive files that contain credentials, aiding in credential access."},{"technique":"T1070 - Indicator Removal","reason":"Removing permissions from a snapshot can be used to hide or delete evidence of unauthorized access, aiding in defense evasion."},{"technique":"T1530 - Data from Cloud Storage","reason":"By modifying snapshot permissions, attackers can gain access to sensitive data stored within snapshots, aiding in data collection and exfiltration."},{"technique":"T1562 - Impair Defenses","reason":"Modifying permissions could impair security controls or defenses by granting unauthorized access to the snapshots, potentially containing security-related configurations, backups, or tools."},{"technique":"T1087 - Account Discovery","reason":"Modifying snapshot permissions could help attackers discover cloud accounts with access to the snapshot, aiding in further attacks."},{"technique":"T1003 - OS Credential Dumping","reason":"If a snapshot contains OS-level files, attackers can use it to extract credentials, aiding in credential access."},{"technique":"T1074 - Data Staged","reason":"Snapshots can be used to stage data locally for later exfiltration, aiding in data collection and exfiltration"}],"usedInWild":true,"incidents":[{"description":"CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight","link":"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}],"researchLinks":[],"securityImplications":"Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml"}],"simulation":[{"type":"commandLine","value":"aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute"} +{"eventName":"ReplaceIamInstanceProfileAssociation","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Replaces an IAM instance profile for the specified running instance.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1548 - Abuse Elevation Control Mechanism","reason":"By changing the IAM instance profile, an attacker can elevate the privileges of the EC2 instance, allowing it to perform actions that require higher permissions. This abuse of the role mechanism can be used to execute privileged commands."},{"technique":"T1556 - Modify Authentication Process","reason":"By altering the IAM instance profile, an attacker can modify the authentication process. This change could allow the instance to authenticate as a different role with different permissions, potentially bypassing security controls."},{"technique":"T1531 - Account Access Removal","reason":"An attacker might replace an IAM instance profile to remove certain access controls or permissions temporarily to perform specific actions without triggering alerts or restrictions. Additionally they might remove the instances from the contol of certain accounts to maybe evade detection. AN example would be to remove access from known cloud security tools."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[],"securityImplications":"Attackers might use ReplaceIamInstanceProfileAssociation to replace the IAM instance profile on an instance they control with one that has higher privileges.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=TrailDiscoverAdminRole --association-id iip-assoc-060bae234aac2e7fa"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-ReplaceIamInstanceProfileAssociation"} +{"eventName":"RunInstances","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Launches the specified number of instances using an AMI for which you have permissions.","mitreAttackTactics":["TA0003 - Persistence","TA0040 - Impact","TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1496 - Resource Hijacking","T1021 - Remote Services"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1133 - External Remote Services","reason":"Adversaries can launch EC2 instances that can be remotely accessed via SSH, RDP, or other protocols, gaining an initial access point into the AWS environment or maintaining persistence."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Launching instances directly modifies the cloud compute infrastructure, which can be leveraged by adversaries to create a foothold, evade defenses, or escalate privileges."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Instances launched can be used to transfer malicious tools into the cloud environment, supporting various attack strategies. This is especally true if the instance is initiated with an malicious image."},{"technique":"T1570 - Lateral Tool Transfer","reason":"New instances can facilitate the lateral movement of tools and malware across the cloud infrastructure, aiding in broader attack campaigns."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"DXC spills AWS private keys on public GitHub","link":"https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Behind the scenes in the Expel SOC: Alert-to-fix in AWS","link":"https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto","link":"https://sysdig.com/blog/scarleteel-2-0/"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"Clear and Uncommon Story About Overcoming Issues With AWS","link":"https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/"},{"description":"onelogin 2017 Security Incident","link":"https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident"},{"description":"BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability","link":"https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"},{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"Launching EC2 instances","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/"},{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"Abusing VPC Traffic Mirroring in AWS","link":"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"}],"securityImplications":"Attackers might use RunInstances to programmatically launch unauthorized EC2 instances for crypto mining or to create a foothold within the AWS environment for further exploitation.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 run-instances --image-id ami-0b98a32b1c5e0d105 --instance-type t2.micro --key-name MyKeyPair"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-RunInstances"} +{"eventName":"SendSSHPublicKey","eventSource":"ec2-instance-connect.amazonaws.com","awsService":"EC2InstanceConnect","description":"Pushes an SSH public key to the specified EC2 instance for use by the specified user.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.004 - Remote Services: SSH"],"unverifiedMitreAttackTechniques":[{"technique":"T1021 - Remote Services","reason":"Pushing an SSH public key to an EC2 instance allows remote access to the system over SSH. This API call enables secure communication and command execution on the instance, potentially giving adversaries the ability to interact with and control the system remotely."},{"technique":"T1136 - Create Account","reason":"Pushing a new SSH key can be seen as creating a new means of access for a specific user, akin to account creation."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"The API call modifies the authentication state of an EC2 instance, part of cloud compute infrastructure."},{"technique":"T1562 - Impair Defenses","reason":"Pushing a new key could be used to temporarily bypass defenses or monitoring on the instance."},{"technique":"T1210 - Exploitation of Remote Services","reason":"An adversary can misuse the SendSSHPublicKey API to gain unauthorized access to an EC2 instance by injecting their SSH key. This allows them to control the instance remotely, leveraging legitimate remote services for malicious purposes."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect"}],"permissions":"https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey"} +{"eventName":"SendSerialConsoleSSHPublicKey","eventSource":"ec2-instance-connect.amazonaws.com","awsService":"EC2InstanceConnect","description":"Pushes an SSH public key to the specified EC2 instance.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":["T1021.004 - Remote Services: SSH"],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Once access is established, attackers can use the command and scripting interpreter to execute commands on the instance."},{"technique":"T1098 - Account Manipulation","reason":"Attackers may push their own SSH keys to the EC2 instances, effectively manipulating access control."},{"technique":"T1562 - Impair Defenses","reason":"After gaining access, attackers could disable security tools or logs to evade detection."},{"technique":"T1036 - Masquerading","reason":"Attackers may use legitimate commands and tools to mask their activities within the compromised instance"},{"technique":"T1203 - Exploitation for Client Execution","reason":"Exploiting the SSH access to execute further malicious code or scripts within the EC2 instance."},{"technique":"T1219 - Remote Access Software","reason":"Using SSH as a remote access tool to maintain control over the compromised EC2 instance."},{"technique":"T1078 - Valid Accounts","reason":"Attackers may use or create local accounts on the EC2 instance to facilitate further access and actions."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"},{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey"} +{"eventName":"SharedSnapshotCopyInitiated","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Modifies the specified attribute of the specified instance.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1530 - Data from Cloud Storage Object","reason":"Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms"},{"technique":"T1567 - Exfiltration Over Web Service","reason":"Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms."},{"technique":"T1074 - Data Staged","reason":"Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download."}],"usedInWild":true,"incidents":[{"description":"M-Trends Report - 2020","link":"https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"},{"description":"Democratic National Committee hack","link":"https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000"}],"researchLinks":[{"description":"Detecting exfiltration of EBS snapshots in AWS","link":"https://twitter.com/christophetd/status/1574681313218506753"}],"securityImplications":"SharedSnapshotCopyInitiated might be a signal of an attacker copying a snapshot to their account.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}],"permissions":"N/A"} +{"eventName":"SharedSnapshotVolumeCreated","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Modifies the specified attribute of the specified instance.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1530 - Data from Cloud Storage Object","reason":"Snapshots can contain data stored in cloud environments which may be exfiltrated. Attackers can access sensitive information stored within these snapshots, which can include configuration data, database contents, or other critical data."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Adversaries might obfuscate the data within snapshots to avoid detection during transfer. This can involve encrypting the contents of a snapshot or otherwise making the data less recognizable to automated defense mechanisms"},{"technique":"T1567 - Exfiltration Over Web Service","reason":"Copying a snapshot to another region or account over AWS services can be a form of exfiltration. Attackers can exploit this API call to move large volumes of data seamlessly across AWS infrastructure, avoiding some traditional network-based exfiltration detection mechanisms."},{"technique":"T1074 - Data Staged","reason":"Creating a shared snapshot can be used to stage data before exfiltration, preparing it for easy transfer or download."}],"usedInWild":true,"incidents":[{"description":"M-Trends Report - 2020","link":"https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"},{"description":"Democratic National Committee hack","link":"https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000"}],"researchLinks":[{"description":"Detecting exfiltration of EBS snapshots in AWS","link":"https://twitter.com/christophetd/status/1574681313218506753"}],"securityImplications":"SharedSnapshotVolumeCreated might be a signal of an attacker copying a snapshot to their account.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot"}],"permissions":"N/A"} +{"eventName":"StartInstances","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Starts an Amazon EBS-backed instance that you've previously stopped.","mitreAttackTactics":["TA0003 - Persistence","TA0040 - Impact"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1036 - Masquerading","reason":"Adversaries could rename stopped instances to appear legitimate and start them without raising alarms."},{"technique":"T1053 - Scheduled Task/Job","reason":"Attackers might schedule tasks to automatically start stopped instances at certain times to execute malicious actions"},{"technique":"T1105 - Ingress Tool Transfer","reason":"Once the instance is started, adversaries could transfer tools and malware to the instance for execution"},{"technique":"T1219 - Remote Access Software","reason":"Adversaries might start instances that have remote access tools installed to regain control over the environment."},{"technique":"T1562 - Impair Defenses","reason":"Starting instances can impair defenses by creating new workloads that may not be monitored by existing security tools, enabling attackers to perform malicious activities without detection."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Attackers can directly use the StartInstances API call to manipulate the state of instances, aiding in persistence and execution of tasks."},{"technique":"T1074 - Data Staged","reason":"Starting an instance can be used to stage data locally before exfiltration."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[{"description":"Executing commands through EC2 user data","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"},{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 start-instances --instance-ids TrailDiscoverInstanceID"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-StartInstances"} +{"eventName":"StopInstances","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Stops an Amazon EBS-backed instance.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1499 - Endpoint Denial of Service","T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":["T1578.003 - Modify Cloud Compute Infrastructure: Delete Cloud Instance"],"unverifiedMitreAttackTechniques":[{"technique":"T1565 - Data Manipulation","reason":"Stopping an instance can be a precursor to manipulating the stored data, especially if the instance is hibernated and the memory contents are preserved but the disk is later modified."},{"technique":"T1562 - Impair Defenses","reason":"Stopping instances can disable security monitoring tools and defenses running on those instances, hindering their ability to detect malicious activities."},{"technique":"T1489 - Service Stop","reason":"Stopping an instance directly impacts availability and can be used as part of a larger attack to disrupt services."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[{"description":"Executing commands through EC2 user data","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"},{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-StopInstances"} +{"eventName":"TerminateInstances","eventSource":"ec2.amazonaws.com","awsService":"EC2","description":"Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1485 - Data Destruction","T1070 - Indicator Removal"],"mitreAttackSubTechniques":["T1070.004 - Indicator Removal: File Deletion"],"unverifiedMitreAttackTechniques":[{"technique":"T1489 - Service Stop","reason":"Terminating instances disrupts the availability of services hosted on those instances."},{"technique":"T1562 - Impair Defenses","reason":"Terminating instances can remove defensive tools installed on those instances"},{"technique":"T1496 - Resource Hijacking","reason":"Attackers might terminate instances to free up resources for other malicious activities."},{"technique":"T1098 - Account Manipulation","reason":"The TerminateInstances API call can be a form of account manipulation when an attacker uses it to interfere with the normal operations of an account. By terminating instances, an attacker can disrupt services, remove evidence of their activities, and create obstacles for account recovery. This manipulation ensures that the attacker maintains control over the account\u2019s activities and resources."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Terminating critical instances can be a form of denial of service against specific endpoints or applications."},{"technique":"T1565 - Data Manipulation","reason":"If instance termination leads to data loss or corruption, it can be considered a form of data manipulation."},{"technique":"T1488 - Disk Wipe","reason":"Terminating an instance with attached EBS volumes may result in wiping the data on those volumes if they are deleted as part of the termination process"}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"Former Cisco engineer sentenced to prison for deleting 16k Webex accounts","link":"https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/"},{"description":"Hacker Puts Hosting Service Code Spaces Out of Business","link":"https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"}],"researchLinks":[],"securityImplications":"Attackers might use TerminateInstances to permanently delete EC2 instances, resulting in irreversible data loss and service disruption or for defense evasion.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ec2 terminate-instances --instance-ids TrailDiscoverInstanceID"}],"permissions":"https://aws.permissions.cloud/iam/ec2#ec2-TerminateInstances"} +{"eventName":"CreateCluster","eventSource":"ecs.amazonaws.com","awsService":"ECS","description":"Creates a new Amazon ECS cluster.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"The creation of a new cluster could be part of manipulating accounts within AWS, enabling the attacker to maintain control or establish backdoor access."},{"technique":"T1053 - Scheduled Task/Job","reason":"New ECS clusters can be configured to run tasks at scheduled intervals, which can be used to execute malicious activities regularly."},{"technique":"T1090 - Proxy","reason":"An attacker might use the new ECS cluster to set up an external proxy, which can be used to relay commands and data, aiding in defense evasion and persistent access."},{"technique":"T1204 - User Execution","reason":"Creating an ECS cluster to run container images, which might be malicious, facilitating execution of malicious code in the environment."},{"technique":"T1583 - Acquire Infrastructure","reason":"Creating new ECS clusters is a form of acquiring infrastructure within AWS, which can be used to support further malicious activities."},{"technique":"T1027 - Obfuscated Files or Information","reason":"The cluster could be used to deploy obfuscated code or data, making it harder to detect malicious activities."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Creating a new ECS cluster modifies the cloud compute infrastructure, which can be leveraged for both execution and evasion purposes."},{"technique":"T1584 - Compromise Infrastructure","reason":"Compromising cloud infrastructure to create ECS clusters enables attackers to establish control over resources. This can support further malicious activities, such as launching attacks or maintaining persistence in the environment."},{"technique":"T1210 - Exploitation of Remote Services","reason":"An attacker might create a new ECS cluster to host services that exploit vulnerabilities in remote services for lateral movement or further attacks."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use CreateCluster to provision unauthorized cluster resources, aiming to deploy malicious workloads or use compute resources for cryptojacking","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml"}],"simulation":[{"type":"commandLine","value":"aws ecs create-cluster --cluster-name TrailDiscoverCluster"}],"permissions":"https://aws.permissions.cloud/iam/ecs#ecs-CreateCluster"} +{"eventName":"CreateService","eventSource":"ecs.amazonaws.com","awsService":"ECS","description":"Runs and maintains your desired number of tasks from a specified task definition.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"By creating ECS services, adversaries can execute commands or scripts in the context of containers that run on Unix-based systems"},{"technique":"T1556 - Modify Authentication Process","reason":"The AWS CreateService API call can be used to create tasks that modify authentication processes within a cloud environment."},{"technique":"T1036 - Masquerading","reason":"Match Legitimate Name or Location: An adversary could create services with names that mimic legitimate services to avoid detection."},{"technique":"T1071 - Application Layer Protocol","reason":"Malicious ECS tasks could communicate over common web protocols to blend in with normal network traffic."},{"technique":"T1090 - Proxy","reason":"Adversaries might set up a chain of ECS services to act as proxies, hiding their true location."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Adversaries might create services that deploy obfuscated scripts or binaries to evade detection."},{"technique":"T1046 - Network Service Discovery","reason":"ECS tasks might be used to run discovery scripts to enumerate network services."},{"technique":"T1210 - Exploitation of Remote Services","reason":"Adversaries might create services that exploit vulnerabilities in other services or tasks within the ECS cluster to gain unauthorized access or escalate privileges"}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"researchLinks":[],"securityImplications":"Attackers might use CreateService in AWS ECS to orchestrate and deploy unauthorized services, potentially for malicious activities such as resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ecs create-service --service-name TrailDiscoverService --task-definition TrailDiscoverTaskDefinition"}],"permissions":"https://aws.permissions.cloud/iam/ecs#ecs-CreateService"} +{"eventName":"RegisterTaskDefinition","eventSource":"ecs.amazonaws.com","awsService":"ECS","description":"Registers a new task definition from the supplied family and containerDefinitions.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1053 - Scheduled Task/Job","reason":"Registering a task definition can be leveraged to create scheduled tasks within ECS, allowing for persistence and automated execution of malicious tasks."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Task definitions could be used to download and execute additional tools or scripts from external sources"},{"technique":"T1562 - Impair Defenses","reason":"ECS tasks can be configured to disable or modify security tools within the container environment, aiding in defense evasion."},{"technique":"T1059 - Command and Scripting Interpreter","reason":"The task definitions can contain Unix shell commands, facilitating execution of malicious scripts or commands."},{"technique":"T1036 - Masquerading","reason":"Malicious task definitions can be disguised as legitimate ones to evade detection and blend in with normal operations"},{"technique":"T1027 - Obfuscated Files or Information","reason":"Container definitions within ECS can include obfuscated or packed scripts and binaries, making detection harder."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"researchLinks":[],"securityImplications":"Attackers might use RegisterTaskDefinition to deploy containers with malicious tasks in AWS ECS.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"}],"simulation":[{"type":"commandLine","value":"aws ecs register-task-definition --family 'xtdb-bench-dev' --network-mode 'awsvpc' --container-definitions '[{\"name\":\"bench-container\", \"cpu\":2048, \"memory\":4092 }]'"}],"permissions":"https://aws.permissions.cloud/iam/ecs#ecs-RegisterTaskDefinition"} +{"eventName":"DeleteFileSystem","eventSource":"elasticfilesystem.amazonaws.com","awsService":"elasticfilesystem","description":"Deletes a file system, permanently severing access to its contents.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting an EFS file system removes all its contents, including logs and other forensic evidence, effectively erasing any indicators of malicious activity. This action helps attackers avoid detection by eliminating traces of their presence in the environment."},{"technique":"T1565 - Data Manipulation","reason":"Deleting an EFS file system alters the state of stored data by permanently removing it. This can disrupt operations and affect data integrity, making it a significant form of data manipulation."},{"technique":"T1107 - File Deletion","reason":"File deletion focuses on the removal of files to impact data availability or to hide malicious activity. Deleting a file system in AWS EFS results in the removal of all files and directories within that file system."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EFS File System or Mount Deleted","link":"https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html"}],"securityImplications":"Attackers might use DeleteFileSystem in AWS EFS to deliberately erase file systems, leading to data loss.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml"}],"simulation":[{"type":"commandLine","value":"aws efs delete-file-system --file-system-id fs-c7a0456e"}],"permissions":"https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteFileSystem"} +{"eventName":"DeleteMountTarget","eventSource":"elasticfilesystem.amazonaws.com","awsService":"elasticfilesystem","description":"Deletes the specified mount target.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Removing a mount target may disrupt monitoring or defense mechanisms that rely on the file system for logging or other security functions."},{"technique":"T1070 - Indicator Removal","reason":"By deleting the mount target and the associated network interface, traces and logs of malicious activity stored on the file system may be removed, aiding in defense evasion."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EFS File System or Mount Deleted","link":"https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html"}],"securityImplications":"Attackers might use DeleteMountTarget in AWS EFS to remove mount targets, disrupting access to file system and as a preliminary phase before data deletion.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml"}],"simulation":[{"type":"commandLine","value":"aws efs delete-mount-target --mount-target-id fsmt-f9a14450"}],"permissions":"https://aws.permissions.cloud/iam/elasticfilesystem#elasticfilesystem-DeleteMountTarget"} +{"eventName":"AssociateAccessPolicy","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Associates an access policy and its scope to an access entry.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By associating an access policy, attackers can use legitimate credentials to access the system, either by modifying existing ones or changing permissions."},{"technique":"T1543 - Create or Modify System Process","reason":"Associating an access policy can be used to modify the permissions of processes within the EKS environment, ensuring the attacker retains control or gains elevated privileges for their processes."},{"technique":"T1070 - Indicator Removal","reason":"Associating access policies can assist attackers in evading detection by allowing them to remove or alter logs and other indicators that track account and permission changes, thereby obscuring their activities."},{"technique":"T1003 - OS Credential Dumping","reason":"Modifying access policies might allow attackers to gain access to sensitive areas of the system where they can extract credentials."},{"technique":"T1071 - Application Layer Protocol","reason":"Associating new access policies can help attackers use application layer protocols more effectively to communicate with compromised systems, especially if these policies grant access to necessary network services."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use AssociateAccessPolicy to escalate privileges by linking access entries with highly privileged policies, allowing unauthorized control over clusters.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks associate-access-policy --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy --access-scope type=cluster"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-AssociateAccessPolicy"} +{"eventName":"CreateAccessEntry","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Creates an access entry.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Creating an access entry for an IAM principal can establish valid credentials that can be used for access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use CreateAccessEntry to craft access entries that link to high-privileged policies, effectively granting themselves unauthorized admin-level access to clusters.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks create-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-CreateAccessEntry"} +{"eventName":"DescribeAccessEntry","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Describes an access entry.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1526 - Cloud Service Discovery","reason":"The DescribeAccessEntry API call can be used to identify access permissions and configurations within the EKS service, revealing which cloud services are in use. This information helps attackers understand the cloud environment and potential targets."},{"technique":"T1587 - Develop Capabilities","reason":"Access information can aid in developing tailored malware that exploits specific permissions or configurations discovered within EKS."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use DescribeAccessEntry for reconnaissance, gathering detailed information about access configurations within AWS EKS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks describe-access-entry --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-DescribeAccessEntry"} +{"eventName":"DescribeCluster","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Describes an Amazon EKS cluster.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Information from DescribeCluster can reveal IAM roles and identities associated with the cluster, aiding in the discovery of accounts."},{"technique":"T1069 - Permission Groups Discovery","reason":"The DescribeCluster call might include details about Kubernetes RBAC roles and permissions, helping to discover privilege groups."},{"technique":"T1082 - System Information Discovery","reason":"The DescribeCluster API reveals extensive system information about the EKS cluster, such as Kubernetes version, endpoint, and VPC configuration, aiding in system information discovery."},{"technique":"T1482 - Domain Trust Discovery","reason":"The DescribeCluster call can provide insights into how the cluster is integrated with other AWS services and trust relationships, such as IAM roles and policies"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use DescribeCluster to gain insights into the configuration and status of AWS EKS clusters.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks describe-cluster --name TrailDiscoverCluster"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-DescribeCluster"} +{"eventName":"ListAssociatedAccessPolicies","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Lists the access policies associated with an access entry.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery - Cloud Account","reason":"Listing associated access policies allows adversaries to discover the cloud accounts associated with those policies, identifying potential targets"},{"technique":"T1069 - Permission Groups Discovery","reason":"By listing the access policies, adversaries can discern the permission groups within the EKS cluster, aiding in understanding the permissions and roles configured."},{"technique":"T1046 - Network Service Scanning","reason":"Listing access policies helps map out the services and permissions in use, aiding in reconnaissance efforts to identify potential targets and vulnerabilities."},{"technique":"T1552 - Unsecured Credentials","reason":"By listing associated access policies, adversaries might identify misconfigurations or unsecured credentials that can be exploited to gain further access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use ListAssociatedAccessPolicies to enumerate policies associated with resources in AWS services, identifying overly permissive access that can be exploited to escalate privileges.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks list-associated-access-policies --cluster-name beta-fish --principal-arn arn:aws:iam::111122223333:role/TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-ListAssociatedAccessPolicies"} +{"eventName":"ListClusters","eventSource":"eks.amazonaws.com","awsService":"EKS","description":"Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1526 - Cloud Service Discovery","reason":"Listing EKS clusters helps adversaries understand the cloud services being used and their configurations."},{"technique":"T1087 - Account Discovery","reason":"By listing clusters, attackers can infer the structure and number of accounts that manage these resources."},{"technique":"T1135 - Network Share Discovery","reason":"Knowing the clusters can help adversaries understand shared network resources within the EKS environment."},{"technique":"T1007 - Network Service Scanning","reason":"Identifying clusters can help adversaries in mapping the network services exposed by these clusters."},{"technique":"T1590 - Gather Victim Network Information","reason":"Identifying clusters helps in understanding the internal network architecture and relationships."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"}],"securityImplications":"Attackers might use ListClusters to inventory AWS EKS clusters, identifying active clusters for further exploration or to pinpoint potential targets for subsequent attacks.","alerting":[],"simulation":[{"type":"commandLine","value":"aws eks list-clusters"}],"permissions":"https://aws.permissions.cloud/iam/eks#eks-ListClusters"} +{"eventName":"CreateRule","eventSource":"elasticloadbalancing.amazonaws.com","awsService":"ELBv2","description":"Creates a rule for the specified listener.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1203 - Exploitation for Client Execution","reason":"By creating a malicious rule that directs traffic to a compromised endpoint, an attacker could exploit vulnerabilities in client applications to execute malicious code."},{"technique":"T1190 - Exploit Public-Facing Application","reason":"By modifying or creating new rules, an attacker could exploit vulnerabilities in the public-facing application load balancer to gain initial access."},{"technique":"T1071 - Application Layer Protocol","reason":"Creating rules that redirect traffic to malicious servers using HTTP/S or mail protocols for command and control communication."},{"technique":"T1562 - Impair Defenses","reason":"Rules could be used to disable security controls or modify traffic patterns to evade detection tools and logs."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Rules can be set to allow the transfer of malicious tools or payloads through the load balancer to a compromised system."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Attackers can create rules that handle or route traffic in a manner that uses encoded or obfuscated data. This can include routing traffic to endpoints that encrypt the data payloads or encode commands to be less conspicuous"},{"technique":"T1070 - Indicator Removal","reason":"Rules could be used to route traffic in ways that delete or bypass log files to avoid detection."},{"technique":"T1496 - Resource Hijacking","reason":"Creating rules that direct traffic to perform unauthorized actions like cryptocurrency mining or other forms of resource hijacking."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data","link":"https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}],"securityImplications":"Attackers might use CreateRule to add rules that allow them access bypassing potential restrictions such as authentication.","alerting":[],"simulation":[{"type":"commandLine","value":"aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 --priority 5 --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 --conditions '[{}]'"}],"permissions":"https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-CreateRule"} +{"eventName":"DescribeListeners","eventSource":"elasticloadbalancing.amazonaws.com","awsService":"ELBv2","description":"Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"By describing listeners, an adversary could identify configurations and attributes related to the load balancer, which may include discovering IAM roles or users with specific permissions."},{"technique":"T1046 - Network Service Scanning","reason":"Describing listeners provides details about the services exposed by the load balancer, which helps in scanning and understanding the network topology."},{"technique":"T1069 - Permission Groups Discovery","reason":"Querying listener details can reveal information about the permissions and roles associated with the load balancer, providing insight into group policies."},{"technique":"T1071 - Application Layer Protocol","reason":"Load balancers typically handle various application layer protocols, and knowing listener configurations can assist in crafting command and control channels over allowed protocols."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data","link":"https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}],"securityImplications":"Attackers might use DescribeListeners to get information about the load balancers listeners for potential future modifications.","alerting":[],"simulation":[{"type":"commandLine","value":"aws elbv2 describe-listeners"}],"permissions":"https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeListeners"} +{"eventName":"DescribeLoadBalancers","eventSource":"elasticloadbalancing.amazonaws.com","awsService":"ELBv2","description":"Describes the specified load balancers or all of your load balancers.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"The DescribeLoadBalancers API call directly provides information about the cloud infrastructure, specifically the load balancers, which can be used to understand the deployment and configurations of network resources in the cloud."},{"technique":"T1590 - Gather Victim Network Information","reason":"Describing load balancers allows an adversary to obtain details on how network traffic is managed and routed within the cloud environment. This information can reveal critical network components and their configurations."},{"technique":"T1046 - Network Service Discovery","reason":"Describing load balancers can reveal the network services that are being managed by these load balancers, including ports, protocols, and the IP ranges used, which are crucial for understanding the network service layout."},{"technique":"T1133 - External Remote Services","reason":"Load balancers often manage external access to services. By describing them, an adversary can identify the external endpoints and understand how remote services are being accessed and managed."},{"technique":"T1482 - Domain Trust Discovery","reason":"The DescribeLoadBalancers API call can provide information on how load balancers are configured across different domains, revealing trust relationships and how traffic is managed between different parts of the network."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data","link":"https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994"}],"securityImplications":"Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.","alerting":[],"simulation":[{"type":"commandLine","value":"aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer"}],"permissions":"https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers"} +{"eventName":"DeleteRule","eventSource":"events.amazonaws.com","awsService":"events","description":"Deletes the specified rule.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1489 - Service Stop","T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"By deleting a rule, attackers can remove evidence of malicious activity."},{"technique":"T1098 - Account Manipulation","reason":"Attackers might delete rules to alter the behavior of scheduled tasks, maintaining persistence. By manipulating accounts and associated rules, they ensure their malicious processes can run without interruption or detection."},{"technique":"T1562 - Impair Defenses","reason":"Deleting rules can weaken security monitoring by removing triggers that would generate alerts, effectively blinding security teams to ongoing malicious activities. This action allows attackers to operate with reduced risk of detection, making further exploitation easier."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EventBridge Rule Disabled or Deleted","link":"https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html"},{"description":"AWS EventBridge rule disabled or deleted","link":"https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/"}],"securityImplications":"Attackers might use DeleteRule to disrupt automated security responses and event logging in AWS EventBridge, potentially masking unauthorized activities or compromising system integrity.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events delete-rule --name TrailDiscoverRule"}],"permissions":"https://aws.permissions.cloud/iam/events#events-DeleteRule"} +{"eventName":"DisableRule","eventSource":"events.amazonaws.com","awsService":"events","description":"Disables the specified rule.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1489 - Service Stop","T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Disabling a rule can be used to impair defenses by preventing the triggering of certain automated responses or detections."},{"technique":"T1531 - Account Access Removal","reason":"T1531 - Account Access Removal"},{"technique":"T1070 - Indicator Removal","reason":"Disabling a rule can be a part of removing evidence of the attack by stopping logging and monitoring for certain activities, which helps in evading detection."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS EventBridge Rule Disabled or Deleted","link":"https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html"},{"description":"AWS EventBridge rule disabled or deleted","link":"https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/"}],"securityImplications":"Attackers might use DisableRule to deactivate AWS EventBridge rules, effectively silencing alarms and automated responses designed for incident detection and mitigation.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events disable-rule --name TrailDiscoverRule --event-bus-name TrailDiscoverBus"}],"permissions":"https://aws.permissions.cloud/iam/events#events-DisableRule"} +{"eventName":"ListRules","eventSource":"events.amazonaws.com","awsService":"events","description":"Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"By using ListRules to view the configuration of EventBridge rules, an adversary gains understanding of the event-driven workflows and integrations within the target's AWS environment. This can reveal insights into operational processes and potential areas for deeper exploration or exploitation."},{"technique":"T1082 - System Information Discovery","reason":"Listing rules helps attackers understand what events are being monitored, giving insight into the environment."},{"technique":"T1069 - Permission Groups Discovery","reason":"By examining the conditions and targets of EventBridge rules, attackers can infer the roles and permissions required to trigger these rules, which might provide insights into permission configurations and potential privilege escalation paths."},{"technique":"T1018 - Remote System Discovery","reason":"Identifying EventBridge rules can help attackers understand the configuration and interconnectivity of remote systems and services in the environment."},{"technique":"T1482 - Domain Trust Discovery","reason":"Listing rules may reveal integrations and trust relationships with other domains or AWS accounts, aiding in the mapping of domain trust paths."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use ListRules in AWS EventBridge to catalog active event rules, identifying critical automated security mechanisms or logging functions to target for disruption or evasion.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events list-rules --name-prefix TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/events#events-ListRules"} +{"eventName":"ListTargetsByRule","eventSource":"events.amazonaws.com","awsService":"events","description":"Lists the targets assigned to the specified rule.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1007 - System Service Discovery","reason":"Attackers can use this API call to discover information about targets assigned to specific rules within the AWS EventBridge service, providing insights into potentially vulnerable or interesting systems."},{"technique":"T1087 - Account Discovery","reason":"By listing targets assigned to rules, an attacker can gather information about AWS accounts and their configurations, aiding in understanding the environment and potential attack paths."},{"technique":"T1046 - Network Service Scanning","reason":"Understanding the targets associated with EventBridge rules allows an attacker to potentially identify network services that could be targeted for further exploration or exploitation."},{"technique":"T1018 - Remote System Discovery","reason":"The API call provides information about remote systems (AWS resources) that are targeted by specific rules, aiding attackers in identifying potential entry points into the environment."},{"technique":"T1033 - System Owner/User Discovery","reason":"Listing targets by rule in EventBridge can reveal details about the users or roles associated with those resources. This information helps attackers identify key personnel or accounts with access, aiding in targeted attacks or privilege escalation efforts."},{"technique":"T1057 - Process Discovery","reason":"The ListTargetsByRule call can be used to discover the targets (potentially processes or functions) that are triggered by specific CloudWatch rules, helping attackers understand what processes might be running in the environment."},{"technique":"T1087 - Account Discovery","reason":"By understanding the targets associated with specific rules, attackers might infer the existence of certain IAM roles or accounts that have the permissions to execute these targets."},{"technique":"T1069 - Permission Groups Discovery","reason":"By listing the targets of rules, attackers can identify which resources and permissions are associated with specific rules, aiding in understanding the permission structures."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use ListTargetsByRule in AWS EventBridge to enumerate the targets of specific rules, gaining insights into the architecture and response mechanisms of an environment.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events list-targets-by-rule --rule TrailDiscoverRule"}],"permissions":"https://aws.permissions.cloud/iam/events#events-ListTargetsByRule"} +{"eventName":"PutRule","eventSource":"events.amazonaws.com","awsService":"events","description":"Creates or updates the specified rule.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion","TA0003 - Persistence"],"mitreAttackTechniques":["T1489 - Service Stop","T1578 - Modify Cloud Compute Infrastructure","T1546 - Event Triggered Execution"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1205 - Traffic Signaling","reason":"EventBridge rules can be configured to trigger signals that facilitate command and control communication, masking malicious traffic as legitimate event triggers."},{"technique":"T1053 - Scheduled Task/Job: Scheduled Task","reason":"Creating or updating EventBridge rules can schedule tasks or jobs that perform malicious activities without user intervention."},{"technique":"T1070 - Indicator Removal","reason":"By manipulating EventBridge rules, attackers can potentially alter the flow of logs and events to hide their activities."},{"technique":"T1562 - Impair Defenses","reason":"By updating EventBridge rules, attackers can disable or modify security tools and alerts, impairing defenses and ensuring continued access."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use PutRule in AWS EventBridge to create unauthorized event rules, potentially automating malicious actions to gain persistence or triggering unwarranted responses within the environment.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events put-rule --name TrailDiscoverRule --schedule-expression 'rate(5 minutes)' --state ENABLED --description \"TrailDiscover rule\""}],"permissions":"https://aws.permissions.cloud/iam/events#events-PutRule"} +{"eventName":"PutTargets","eventSource":"events.amazonaws.com","awsService":"events","description":"Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1546 - Event Triggered Execution"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution"},{"technique":"T1098 - Account Manipulation","reason":"An attacker could add a target that executes a script or command interpreter, allowing for arbitrary command execution"},{"technique":"T1105 - Ingress Tool Transfer","reason":"The attacker could configure targets that download and execute malicious tools, facilitating further exploitation."},{"technique":"T1560 - Archive Collected Data","reason":"If targets are added to an event rule to trigger actions like archiving (e.g., invoking a Lambda function to zip and store data in an S3 bucket), this can be used to collect and prepare data for later exfiltration."},{"technique":"T1070 - Indicator Removal","reason":"The attacker could configure targets to delete logs or other indicators of compromise upon execution, aiding in defense evasion"},{"technique":"T1203 - Exploitation for Client Execution","reason":"An attacker could create or modify a target to execute a particular payload or exploit code on services that are automatically triggered by the event, which might lead to exploiting client applications or services."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use PutTargets in AWS EventBridge to trigger a malicious Lambda function periodically.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events put-targets --rule TrailDiscoverLambdaFunction --targets \"Id\"=\"1\",\"Arn\"=\"arn:aws:lambda:us-east-1:123456789012:function:MyFunctionName\""}],"permissions":"https://aws.permissions.cloud/iam/events#events-PutTargets"} +{"eventName":"RemoveTargets","eventSource":"events.amazonaws.com","awsService":"events","description":"Removes the specified targets from the specified rule.","mitreAttackTactics":["TA0040 - Impact","TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1489 - Service Stop","T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Manipulating EventBridge rules by removing targets can alter the capabilities and behaviors of accounts without directly deleting them."},{"technique":"T1562 - Impair Defenses","reason":"Removing security monitoring targets from EventBridge rules can impair defenses by preventing certain security actions from being triggered."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use RemoveTargets in AWS EventBridge to eliminate crucial targets from event rules, effectively disabling intended actions or notifications triggered by specific events.","alerting":[],"simulation":[{"type":"commandLine","value":"aws events remove-targets --rule TrailDiscoverRule --ids TrailDiscoverTargetId"}],"permissions":"https://aws.permissions.cloud/iam/events#events-RemoveTargets"} +{"eventName":"CreateDevEndpoint","eventSource":"glue.amazonaws.com","awsService":"Glue","description":"Creates a new development endpoint.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1133 - External Remote Services","reason":"Development endpoints can be accessed remotely, providing a vector for persistent remote access by attackers."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use CreateDevEndpoint in AWS Glue to escalate privileges or provision development endpoints, potentially exploiting them.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"}],"simulation":[{"type":"commandLine","value":"aws glue create-dev-endpoint --endpoint-name TrailDiscover --role-arn arn:aws:iam::111122223333:role/TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/glue#glue-CreateDevEndpoint"} +{"eventName":"CreateJob","eventSource":"glue.amazonaws.com","awsService":"Glue","description":"Creates a new job definition.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Glue jobs can be defined to execute Python scripts for various data manipulation tasks."},{"technique":"T1560 - Archive Collected Data","reason":"Glue jobs can be used to collect, compress, and store large datasets, which can later be exfiltrated."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Job definitions may include obfuscated scripts or commands to avoid detection."},{"technique":"T1074 - Data Staged","reason":"Glue jobs can be configured to stage data in S3 buckets, making it easier for exfiltration."},{"technique":"T1083 - File and Directory Discovery","reason":"Glue jobs can be scripted to discover and list files and directories in S3 or other storage services."},{"technique":"T1071 - Application Layer Protocol","reason":"Glue jobs might be used to exfiltrate data using DNS queries, a method that can bypass some network monitoring tools. Python or Java jobs are extremely likely to do this. Glue jobs can send data over HTTP/S, facilitating communication with external servers for command and control or exfiltration"},{"technique":"T1105 - Ingress Tool Transfer","reason":"Glue jobs can be created to download and execute additional scripts or tools from external sources."},{"technique":"T1567 - Exfiltration Over Web Service","reason":"Data processed by Glue jobs can be moved to external cloud storage for exfiltration purposes."},{"technique":"T1552 - Unsecured Credentials","reason":"Glue jobs might access files containing credentials, which can then be exfiltrated."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.","alerting":[],"simulation":[{"type":"commandLine","value":"aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\"--job-language\": \"python\"}'"}],"permissions":"https://aws.permissions.cloud/iam/glue#glue-CreateJob"} +{"eventName":"UpdateDevEndpoint","eventSource":"glue.amazonaws.com","awsService":"Glue","description":"Updates a specified development endpoint.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Glue allows the use of Python scripts - updating the endpoint could change the scripts to execute arbitrary code directly in the development environment."},{"technique":"T1070 - Indicator Removal","reason":"Adversaries may update the endpoint to include scripts that delete logs or other files, helping to evade detection."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Updates could involve obfuscated scripts or configurations to hide malicious code and evade detection mechanisms"},{"technique":"T1036 - Masquerading","reason":"Adversaries could update the endpoint to masquerade malicious activities as legitimate by matching names or locations."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining unauthorized access to data.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"}],"simulation":[{"type":"commandLine","value":"aws glue update-dev-endpoint --endpoint-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint"} +{"eventName":"UpdateJob","eventSource":"glue.amazonaws.com","awsService":"Glue","description":"Updates an existing job definition.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1036 - Masquerading","reason":"Adversaries can modify the job definition to make the job appear legitimate, effectively hiding malicious activities within a seemingly benign job."},{"technique":"T1070 - Indicator Removal","reason":"Updating a job definition can include instructions to remove or alter logs and other artifacts, helping adversaries evade detection."},{"technique":"T1480 - Execution Guardrails","reason":"Adversaries can update the job definition to include specific conditions or constraints, ensuring the job only executes under certain circumstances, which helps in evading detection."},{"technique":"T1565 - Data Manipulation","reason":"Adversaries can alter the job definition to manipulate data processed by the Glue job, affecting the integrity and outcome of the data workflows."},{"technique":"T1496 - Resource Hijacking","reason":"By altering job definitions, adversaries can repurpose AWS Glue jobs for their own computational needs, impacting the resource allocation of the environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.","alerting":[],"simulation":[{"type":"commandLine","value":"aws glue update-job --job-name TrailDiscoverJob --job-update '{\"Role\": \"TrailDiscoverRole\", \"Command\": {\"Name\": \"glueetl\", \"ScriptLocation\": \"s3://mybucket/myscript.py\"}}'"}],"permissions":"https://aws.permissions.cloud/iam/glue#glue-UpdateJob"} +{"eventName":"CreateFilter","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Creates a filter using the specified finding criteria.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use CreateFilter to manipulate GuardDuty settings, potentially allowing malicious activity to go undetected.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty create-filter --detector-id TrailDiscoverDetectorId --name TrailDiscoverFilterName --finding-criteria '{\"Criterion\": {\"service.action.actionType\": {\"Eq\": [\"TrailDiscover\"]}}}' --action NOOP"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-CreateFilter"} +{"eventName":"CreateIPSet","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Creates a new IPSet, which is called a trusted IP list in the console user interface.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Adding an IP address to a trusted list effectively removes the monitoring of network traffic and activities associated with that IP, making it undetectable by GuardDuty, similar to how indicator removal hides evidence of malicious activity."},{"technique":"T1090 - Proxy","reason":"Adversaries may use a proxy to route their traffic through trusted IP addresses added to the IPSet, thereby evading detection and maintaining persistence."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use CreateIPSet to add malicious IP addresses to the GuardDuty whitelist, bypassing security measures.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml"}],"simulation":[{"type":"commandLine","value":"aws guardduty create-ip-set --detector-id 12abc34d567e8fa901bc2d34eexample --name new-ip-set --format TXT --location s3://traildiscover/traildiscover.csv --activate"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-CreateIPSet"} +{"eventName":"DeleteDetector","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Deletes an Amazon GuardDuty detector that is specified by the detector ID.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"Deleting the GuardDuty detector can be part of a larger strategy to destroy or manipulate security configurations and logs, impacting the integrity of the security monitoring system."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"AWS GuardDuty detector deleted","link":"https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/"},{"description":"AWS GuardDuty Evasion","link":"https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1"},{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"securityImplications":"Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty delete-detector --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector"} +{"eventName":"DeleteInvitations","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools","T1562.006 - Impair Defenses: Indicator Blocking"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting GuardDuty invitations can be seen as a form of defense evasion by removing traces of an invitation that might otherwise be used for investigative purposes. Invitations could be used by security teams to track and verify legitimate connections between AWS accounts. By removing these invitations, the adversary might prevent the detection of unauthorized or suspicious account activities."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteInvitations to avoid the use of GuardDuty, thereby evading detection of malicious activity.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty delete-invitations --account-ids 111222333444"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteInvitations"} +{"eventName":"DeleteMembers","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting GuardDuty member accounts can prevent legitimate accounts from getting data from member accounts, thus disrupting monitoring and security alerts."},{"technique":"T1070 - Indicator Removal","reason":"By deleting member accounts, logs and other related files might be purged or altered, aiding in hiding the malicious activities."},{"technique":"T1098 - Account Manipulation","reason":"Deleting GuardDuty member accounts involves altering account configurations, potentially changing access controls or permissions. This action can disrupt security monitoring and allow unauthorized activities to go undetected."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use DeleteMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty delete-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteMembers"} +{"eventName":"DeletePublishingDestination","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Deletes the publishing definition with the specified destinationId.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1565 - Data Manipulation","reason":"By deleting the publishing destination, critical security findings are not reported, which can be seen as manipulating the availability of security data and hindering incident response efforts."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination"} +{"eventName":"DisassociateFromMasterAccount","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Disassociates the current GuardDuty member account from its administrator account.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"This involves actions taken to manipulate accounts to maintain access or evade detection. Disassociating the GuardDuty member account from its master account can be seen as a form of account manipulation to avoid centralized logging and monitoring."},{"technique":"T1531 - Account Access Removal","reason":"Disassociating from the master account effectively removes the centralized management and monitoring capabilities, making it harder to regain control or visibility over the account."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use DisassociateFromMasterAccount to remove the link to the master GuardDuty account, disrupting centralized security monitoring and analysis.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty disassociate-from-master-account --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateFromMasterAccount"} +{"eventName":"DisassociateMembers","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"By disassociating member accounts, an adversary could remove access to GuardDuty for specific accounts, reducing the ability to detect and respond to malicious activities."},{"technique":"T1489 - Service Stop","reason":"Disassociating member accounts might effectively stop the GuardDuty service from monitoring those accounts, similar to stopping a security service to avoid detection."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use DisassociateMembers to remove members from a GuardDuty detector, disrupting threat detection and security analysis.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty disassociate-members --detector-id TrailDiscoverDetectorId --account-ids TrailDiscoverAccountIds"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-DisassociateMembers"} +{"eventName":"GetDetector","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Retrieves an Amazon GuardDuty detector specified by the detectorId.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Retrieving a GuardDuty detector provides information about the security monitoring and configurations in the AWS environment."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Accessing the GuardDuty detector can give insights into the cloud infrastructure setup and the security measures in place."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty get-detector --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector"} +{"eventName":"GetFindings","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Returns a list of findings that match the specified criteria.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1057 - Process Discovery","reason":"Adversaries can use the findings to discover details about processes running on compromised instances, aiding them in identifying and targeting specific processes for further exploitation."},{"technique":"T1020 - Automated Exfiltration","reason":"An adversary can identify findings that indicate automated data exfiltration activities, allowing them to understand what methods were detected and possibly refine their tactics."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Analyzing findings can help adversaries discover details about the cloud infrastructure, such as the types of resources and their configurations, aiding in planning further attacks."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use GetFindings to identify if previous actions generated alerts.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings"} +{"eventName":"ListDetectors","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Lists detectorIds of all the existing Amazon GuardDuty detector resources.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Knowledge of detector IDs can guide attackers in identifying monitored versus unmonitored cloud assets, facilitating targeted reconnaissance on less protected resources."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty list-detectors"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors"} +{"eventName":"ListFindings","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Lists GuardDuty findings for the specified detector ID.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1057 - Process Discovery","reason":"By retrieving and analyzing finding IDs, attackers can discover details about processes associated with GuardDuty findings, helping them understand which processes were flagged and why."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use ListFindings to identify if previous actions generated alerts.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty list-findings --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings"} +{"eventName":"ListIPSets","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Lists the IPSets of the GuardDuty service specified by the detector ID.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1590 - Gather Victim Network Information","reason":"Listing IPSets provides insights into the network's structure and the external IPs that are considered trusted or monitored. This information is crucial for attackers to map out the network and plan their actions accordingly."},{"technique":"T1016 - System Network Configuration Discovery","reason":"By accessing the list of IPSets, attackers can understand the network configuration, including which IP addresses are allowed or blocked. This helps in identifying potential weak points or entry points into the network."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use ListIPSets to identify what IPs won't generate an alert.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets"} +{"eventName":"StopMonitoringMembers","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Stops GuardDuty monitoring for the specified member accounts.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools","T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"],"unverifiedMitreAttackTechniques":[{"technique":"T1489 - Service Stop","reason":"Stopping GuardDuty monitoring is an example of halting a service, which can impact the overall security monitoring and incident response capabilities."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use StopMonitoringMembers to halt the surveillance of specific AWS accounts, reducing security visibility.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty stop-monitoring-members --account-ids TrailDiscoverAccountIds --detector-id TrailDiscoverDetectorId"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-StopMonitoringMembers"} +{"eventName":"UpdateDetector","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Updates the GuardDuty detector specified by the detectorId.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"An attacker may update the GuardDuty detector to avoid detection by altering or hiding security logs and alarms"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use UpdateDetector to modify the settings of GuardDuty, potentially disabling or weakening security monitoring.","alerting":[],"simulation":[{"type":"commandLine","value":"aws guardduty update-detector --detector-id TrailDiscoverDetectorId --enable --finding-publishing-frequency TrailDiscoverFrequency"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateDetector"} +{"eventName":"UpdateIPSet","eventSource":"guardduty.amazonaws.com","awsService":"GuardDuty","description":"Updates the IPSet specified by the IPSet ID.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1070.004 - Indicator Removal","reason":"Modifying an IPSet can remove IPs that would otherwise generate security findings, thus evading detection."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Modify GuardDuty Configuration","link":"https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/"}],"securityImplications":"Attackers might use UpdateIPSet to modify the IP address filters, potentially allowing malicious traffic to bypass detection.","alerting":[],"simulation":[{"type":"commandLine","value":"aws wafv2 update-ip-set --name testip --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --addresses 198.51.100.0/16 --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5"}],"permissions":"https://aws.permissions.cloud/iam/guardduty#guardduty-UpdateIPSet"} +{"eventName":"AddRoleToInstanceProfile","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds the specified IAM role to the specified instance profile.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.001 - Account Manipulation: Additional Cloud Credentials"],"unverifiedMitreAttackTechniques":[{"technique":"T1068 - Exploitation for Privilege Escalation","reason":" - Exploitation for Privilege Escalation"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)","link":"https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5"}],"securityImplications":"Attackers might use AddRoleToInstanceProfile to escalate privileges or gain unauthorized access to AWS resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam add-role-to-instance-profile --role-name TrailDiscover --instance-profile-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-AddRoleToInstanceProfile"} +{"eventName":"AddUserToGroup","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds the specified user to the specified group.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Adding a user to a group with elevated permissions can allow the user to maintain access to the AWS environment with legitimate credentials."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup"} +{"eventName":"AttachGroupPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Attaches the specified managed policy to the specified IAM group.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By attaching a policy to a group, an adversary can ensure that even if certain accounts are revoked, the group as a whole still retains the permissions."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy"} +{"eventName":"AttachRolePolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Attaching policies with permissions that affect logging or monitoring tools can be used to evade detection by modifying the environment to reduce visibility."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy"} +{"eventName":"AttachUserPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Attaches the specified managed policy to the specified user.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1556 - Modify Authentication Process","reason":"By attaching a policy, an adversary can alter the authentication process, potentially bypassing multi-factor authentication (MFA) or other security measures."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers use AttachUserPolicy to grant malicious policies to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-AttachUserPolicy"} +{"eventName":"ChangePassword","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Changes the password of the IAM user who is calling this operation.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1136 - Create Account","T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Changing the password of an IAM user can be used to maintain access to an account, thus manipulating account credentials."},{"technique":"T1556 - Modify Authentication Process","reason":"Changing the password modifies the authentication process for the IAM user, which can be a method to evade detection."},{"technique":"T1531 - Account Access Removal","reason":"An attacker might change a password to lock out the legitimate user, removing their access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS CloudTrail cheat sheet","link":"https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet"},{"description":"IAM User Changes Alarm","link":"https://asecure.cloud/a/cwalarm_iam_user_changes/"}],"securityImplications":"Attackers might use ChangePassword to alter user credentials.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam change-password --old-password TrailDiscover --new-password TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ChangePassword"} +{"eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1136 - Create Account","T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts","T1136.003 - Create Account: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"New keys can be used for account manipulation activities, providing additional or unauthorized access."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto","link":"https://sysdig.com/blog/scarleteel-2-0/"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability","link":"https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"},{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"AWS IAM Persistence Methods","link":"https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}],"securityImplications":"Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml"}],"simulation":[{"type":"commandLine","value":"aws iam create-access-key --user-name TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey"} +{"eventName":"CreateGroup","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a new group.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1036 - Masquerading","reason":"Creating a new group with a name similar to existing groups can help attackers blend in and avoid detection"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Group Creation","link":"https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html"}],"securityImplications":"Attackers use CreateGroup to create a group that they can use to escalate privileges.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam create-group --group-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateGroup"} +{"eventName":"CreateLoginProfile","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts","T1078.001 - Valid Accounts: Local Accounts","T1098.001 - Account Manipulation: Additional Cloud Credentials"],"unverifiedMitreAttackTechniques":[{"technique":"T1556 - Modify Authentication Process","reason":"The CreateLoginProfile API call can be used to set a new password for an existing IAM user, effectively modifying the authentication process for that user."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"AWS IAM Persistence Methods","link":"https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}],"securityImplications":"Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml"}],"simulation":[{"type":"commandLine","value":"aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile"} +{"eventName":"CreateOpenIDConnectProvider","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1136 - Create Account"],"mitreAttackSubTechniques":["T1136.003 - Create Account: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Creating an OpenID Connect Provider can be used to generate valid credentials that can be exploited for persistent access"},{"technique":"T1136 - Create Account","reason":"Establishing new accounts or providers in the IAM can assist in maintaining access over time"},{"technique":"T1556 - Modify Authentication Process","reason":"Adjusting authentication settings to include a new provider can bypass certain security measures."},{"technique":"T1098 - Account Manipulation","reason":"Creating and managing new accounts or providers can lead to manipulation of permissions and roles."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers use CreateOpenIDConnectProvider to establish persistent footholds.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam create-open-id-connect-provider --cli-input-json '{\"Url\": \"https://server.example.com\",\"ClientIDList\": [\"example-application-ID\"],\"ThumbprintList\": [\"c3768084dfb3d2b68b7897bf5f565da8eEXAMPLE\"]}'"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateOpenIDConnectProvider"} +{"eventName":"CreatePolicyVersion","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a new version of the specified managed policy.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"By altering IAM policies, attackers can remove access for legitimate users, ensuring only malicious actors maintain control."},{"technique":"T1489 - Service Stop","reason":"By altering permissions with a new policy version, an attacker could restrict or stop critical services within an AWS environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion"} +{"eventName":"CreateRole","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a new role for your AWS account.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1136 - Create Account"],"mitreAttackSubTechniques":["T1136.003 - Create Account: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Attackers might create a new role to maintain access or elevate privileges within the environment."}],"usedInWild":true,"incidents":[{"description":"Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet","link":"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf"},{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers use CreateRole to create roles with trust policies that allow principals from an attacker-controlled AWS account, establishing persistent unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam create-role --role-name TrailDiscover --assume-role-policy-document {}"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateRole"} +{"eventName":"CreateSAMLProvider","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1136 - Create Account"],"mitreAttackSubTechniques":["T1136.003 - Create Account: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":" Creating a SAML provider can lead to the creation and use of valid credentials, allowing the adversary to maintain persistence."},{"technique":"T1098 - Account Manipulation","reason":"The creation of a SAML provider involves the manipulation of account settings to allow federated authentication, which can be used by adversaries to maintain access and evade detection."},{"technique":"T1556 - Modify Authentication Process","reason":"The creation of a SAML provider could be used to modify the authentication process, allowing adversaries to authenticate as different users within the AWS environment."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers use CreateSAMLProvider to establish persistent footholds.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateSAMLProvider"} +{"eventName":"StartSSO","eventSource":"sso.amazonaws.com","awsService":"SSO","description":"Initialize AWS IAM Identity Center","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1136 - Create Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"By starting SSO, an adversary can manipulate IAM user accounts, adding or modifying permissions to maintain persistent access."},{"technique":"T1078 - Valid Accounts","reason":"Use of valid SSO credentials can help adversaries gain access to various services and resources without raising alarms."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers use StartSSO to establish persistent footholds.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/sso#sso-StartSSO"} +{"eventName":"CreateUser","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Creates a new IAM user for your AWS account.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1136 - Create Account"],"mitreAttackSubTechniques":["T1136.001 - Create Account: Local Account","T1136.003 - Create Account: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Adversaries may create new IAM users to manipulate accounts for continuous access or privilege escalation."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Responding to an attack in AWS","link":"https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"Trouble in Paradise","link":"https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Exposed long-lived access key resulted in unauthorized access","link":"https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ"},{"description":"SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto","link":"https://sysdig.com/blog/scarleteel-2-0/"},{"description":"Insider Threat Risks to Flat Environments","link":"https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"Sendtech Pte. Ltd","link":"https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en"},{"description":"BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability","link":"https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"}],"researchLinks":[{"description":"Creating a new IAM user","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/"},{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers use CreateUser to establish persistent footholds or in some cases, escalate privileges within AWS environments by creating new IAM users with strategic permissions.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml"}],"simulation":[{"type":"commandLine","value":"aws iam create-user --user-name TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-CreateUser"} +{"eventName":"DeactivateMFADevice","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.001 - Impair Defenses: Disable or Modify Tools"],"unverifiedMitreAttackTechniques":[{"technique":"T1586 - Compromise Accounts","reason":"Deactivating MFA might be part of an account compromise if the attacker knows the password but has no access to the MFA. By disabling the MFA the attacker will be able to compromise the account."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Deactivation of MFA Device","link":"https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html"}],"securityImplications":"Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice"} +{"eventName":"DeleteAccessKey","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the access key pair associated with the specified IAM user.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1070 - Indicator Removal"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting the access key pair is a direct method to remove access credentials, which aligns with the technique of account access removal."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. Also, it can be used to delete previously used keys to avoid detection.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey"} +{"eventName":"DeleteLoginProfile","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the password for the specified IAM user.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1070 - Indicator Removal"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"The deletion of a login profile is a form of account manipulation, altering the state of an IAM user account to possibly favor continued unauthorized access through other means like access keys or roles"},{"technique":"T1531 - Account Access Removal","reason":"By deleting the login profile, an attacker can remove a user's ability to log in with a password, thus removing an access method that might be used for legitimate purposes or incident response, aiding in persistence and defense evasion."},{"technique":"T1556 - Modify Authentication Process","reason":"Removing the password of an IAM user modifies the way that user can authenticate, potentially replacing it with a method controlled by the attacker, facilitating unauthorized access while evading detection."}],"usedInWild":true,"incidents":[{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteLoginProfile to remove user's login credentials, preventing legitimate access to AWS services. Also, it might be used to delete a previously added profile to avoid detection.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam delete-login-profile --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteLoginProfile"} +{"eventName":"DeleteRolePermissionsBoundary","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the permissions boundary for the specified IAM role.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Removing permissions boundaries can weaken the security posture by reducing the effectiveness of policies designed to limit role actions."},{"technique":"T1068 - Exploitation for Privilege Escalation","reason":"Removing permissions boundaries may be used as part of exploiting a misconfiguration to gain elevated privileges."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam delete-role-permissions-boundary --role-name trail-discover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary"} +{"eventName":"DeleteRolePolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the specified inline policy that is embedded in the specified IAM role.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting inline policies from IAM roles can remove critical permissions, effectively locking out legitimate users or restricting their access. This action can hinder incident response and obscure the attacker's presence in the environment."},{"technique":"T1562 - Impair Defenses","reason":"By deleting IAM role policies, an attacker could impair security tools that rely on those policies for correct operation, effectively reducing the efficacy of security defenses."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy"} +{"eventName":"DeleteUser","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the specified IAM user.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1070 - Indicator Removal"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting a user account immediately revokes all permissions and access rights associated with that IAM user, disrupting access to critical resources. This action can prevent legitimate users from performing essential tasks, effectively halting operations and response efforts."},{"technique":"T1485 - Data Destruction","reason":" The deletion of an IAM user can be part of a deliberate attempt to destroy data or disrupt normal operations. Users often have associated data, policies, and access controls that, when removed, can result in data loss or corruption. "}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Insider Threat Risks to Flat Environments","link":"https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. Also, it can be used to delete previously used users to avoid detection.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam delete-user --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteUser"} +{"eventName":"DeleteUserPermissionsBoundary","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the permissions boundary for the specified IAM user.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Compromised cloud accounts can be manipulated by deleting permissions boundaries, giving adversaries increased permissions to execute further malicious activities."},{"technique":"T1562 - Impair Defenses","reason":"Deleting the permissions boundary could be part of a broader strategy to disable or modify security tools or settings to avoid detection."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam delete-user-permissions-boundary --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary"} +{"eventName":"DeleteUserPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Deletes the specified inline policy that is embedded in the specified IAM user.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Removing a policy from an IAM user could be a step to disable access for an account, which aligns with tactics for impact."},{"technique":"T1078 - Valid Accounts","reason":"Removing policies can help adversaries to evade detection and persist in the environment by modifying account permissions."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy"} +{"eventName":"DetachRolePolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Removes the specified managed policy from the specified role.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By detaching policies from roles, attackers can invalidate certain permissions, reducing the risk of detection while using compromised accounts."},{"technique":"T1531 - Account Access Removal","reason":"By detaching policies, attackers can remove access permissions, disrupting legitimate user operations and evading detection."},{"technique":"T1070 - Indicator Removal","reason":"Removing policies can be part of a strategy to clean up indicators of malicious activity on the account, aiding in defense evasion."},{"technique":"T1562 - Impair Defenses","reason":"Detaching policies may impair security configurations, reducing the ability of the environment to detect or prevent further malicious activities."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy"} +{"eventName":"DetachUserPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Removes the specified managed policy from the specified user.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Detaching a policy can be used as a way to remove or limit access to critical accounts, impacting operational capabilities."},{"technique":"T1562 - Impair Defenses","reason":"Security controls relying on certain policies may be disabled or impaired when those policies are detached."},{"technique":"T1499 - Endpoint Denial of Service","reason":"By removing critical policies, the attacker can cause a denial of service for endpoints relying on those permissions to function properly."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use DetachUserPolicy to remove security policies and gain unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam detach-user-policy --user-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-DetachUserPolicy"} +{"eventName":"GetAccountAuthorizationDetails","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":"By retrieving information on IAM groups and their policies, attackers can understand the permissions associated with each group. This information is useful for identifying which groups have elevated privileges."},{"technique":"T1078 - Valid Accounts","reason":"If an adversary gains access to this information, they can identify valid accounts within the AWS environment, aiding in furthering access or compromising specific accounts."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"By gathering detailed information on IAM roles and policies, attackers can map out the cloud infrastructure, understand the hierarchy and relationships between resources, and identify potential weaknesses or entry points."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS - IAM Enum","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}],"securityImplications":"Attackers might use GetAccountAuthorizationDetails to gather information about IAM users, groups, roles, and policies in a targeted AWS account.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam get-account-authorization-details"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-GetAccountAuthorizationDetails"} +{"eventName":"GetLoginProfile","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Retrieves the user name for the specified IAM user.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Retrieving IAM user details can help attackers understand the structure and users within the cloud infrastructure."}],"usedInWild":true,"incidents":[{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[],"securityImplications":"Attackers might use GetLoginProfile to know if the account has a login profile or to get its user name.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml"}],"simulation":[{"type":"commandLine","value":"aws iam get-login-profile --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile"} +{"eventName":"GetUser","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts."},{"technique":"T1082 - System Information Discovery","reason":"By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations."},{"technique":"T1531 - Account Access Removal","reason":"Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access."}],"usedInWild":true,"incidents":[{"description":"GotRoot! AWS root Account Takeover","link":"https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"},{"description":"Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}],"researchLinks":[],"securityImplications":"Attackers might use GetUser to obtain user information.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam get-user --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-GetUser"} +{"eventName":"ListAccessKeys","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Returns information about the access key IDs associated with the specified IAM user.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1589 - Gather Victim Identity Information","reason":"Access key information can reveal details about the IAM user's identity, such as their role and permissions, which can be valuable for planning further attacks."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"By listing access keys, attackers can identify existing cloud infrastructure accounts and keys, revealing how the cloud environment is structured."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"}],"researchLinks":[],"securityImplications":"Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-access-keys --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys"} +{"eventName":"ListAttachedRolePolicies","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists all managed policies that are attached to the specified IAM role.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":"By listing attached role policies, attackers can understand the permissions associated with specific roles, which is essential for discovering permission groups within a cloud environment."},{"technique":"T1526 - Cloud Service Discovery","reason":"Listing attached role policies reveals the configuration and permissions of cloud services tied to specific roles. This information helps attackers map out the cloud environment and identify potential targets for further exploitation."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use ListAttachedRolePolicies to identify and exploit permissions associated with various roles in AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-attached-role-policies --role-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListAttachedRolePolicies"} +{"eventName":"ListGroups","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the IAM groups that have the specified path prefix.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":"Listing IAM groups helps identify the permission groups within an AWS environment, which is crucial for understanding the access levels and privileges assigned to different users."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[{"description":"AWS - IAM Enum","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}],"securityImplications":"Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-groups"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListGroups"} +{"eventName":"ListGroupsForUser","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the IAM groups that the specified IAM user belongs to.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Group Discovery","reason":"By listing the groups for a user, adversaries can identify the permissions associated with different IAM groups and plan further actions based on the discovered roles and policies."},{"technique":"T1057 - Process Discovery","reason":"Information about user groups can be utilized by adversaries to infer the types of processes and operations a user can perform, aiding in planning subsequent steps of an attack."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use ListGroupsForUser to identify privileged groups and target specific users for access escalation.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-groups-for-user --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListGroupsForUser"} +{"eventName":"ListInstanceProfiles","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"The ListInstanceProfiles API call provides details about instance profiles and their associated IAM roles, helping an attacker map out the cloud infrastructure. Understanding the roles in use aids in identifying potential targets for further exploitation or privilege escalation."},{"technique":"T1589 - Gather Victim Identity Information","reason":"The API call can help gather information about the identities and roles within the AWS environment, which could be used for further attacks or social engineering."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use ListInstanceProfiles to identify potential targets for privilege escalation attacks in AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-instance-profiles"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListInstanceProfiles"} +{"eventName":"ListOpenIDConnectProviders","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Identifying OIDC providers gives attackers insights into the cloud infrastructure, revealing the different third-party services and platforms integrated with the AWS environment."},{"technique":"T1082 - System Information Discovery","reason":"Listing OIDC providers provides details about the system's authentication setup, contributing to the overall system information an attacker can gather."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use ListOpenIDConnectProviders to discover if there are OIDC providers configured.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-open-id-connect-providers"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListOpenIDConnectProviders"} +{"eventName":"ListRolePolicies","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the names of the inline policies that are embedded in the specified IAM role.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1484 - Domain Policy Discovery","reason":"Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment."},{"technique":"T1057 - Process Discovery","reason":"Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-role-policies --role-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies"} +{"eventName":"ListRoles","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the IAM roles that have the specified path prefix. ","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":"Discovering IAM roles helps adversaries understand their permissions and group memberships, enabling them to identify roles with excessive privileges that can be misused for unauthorized activities."},{"technique":"T1518 - Software Discovery","reason":"Listing IAM roles can reveal roles associated with various software applications, including security, administrative, and operational tools."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[{"description":"AWS - IAM Enum","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum"}],"securityImplications":"Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-roles"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListRoles"} +{"eventName":"ListSAMLProviders","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the SAML provider resource objects defined in IAM in the account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Listing SAML providers can help attackers map out the cloud infrastructure and understand how identity federation is being handled within the account."},{"technique":"T1592 - Gather Victim Host Information","reason":"Identifying SAML providers can reveal details about the host environment and configurations, which may be used to further map the attack surface."},{"technique":"T1589 - Gather Victim Identity Information","reason":"Listing SAML providers can help attackers collect information about identities and roles within the target environment, aiding in crafting more targeted attacks"}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use ListSAMLProviders to discover if there are SAML providers configured.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-saml-providers"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders"} +{"eventName":"ListSSHPublicKeys","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Returns information about the SSH public keys associated with the specified IAM user.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078. - Valid Accounts","reason":"If attackers can associate public keys with user accounts, they might leverage this information to attempt to use stolen or weak credentials elsewhere."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use ListSSHPublicKeys to get information about the user and the potential use of CodeCommit.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-ssh-public-keys --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListSSHPublicKeys"} +{"eventName":"ListServiceSpecificCredentials","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Returns information about the service-specific credentials associated with the specified IAM user.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Adversaries may enumerate cloud infrastructure to understand the environment better, and listing service-specific credentials provides information about the associated IAM users"}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials"} +{"eventName":"ListSigningCertificates","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Returns information about the signing certificates associated with the specified IAM user.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1550 - Use Alternate Authentication Material","reason":"Identifying signing certificates shows which users have configured alternate authentication mechanisms, revealing potential entry points that do not rely on passwords."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Gaining information about signing certificates aids in mapping the IAM infrastructure, helping to understand the authentication methods and structure of the cloud environment."},{"technique":"T1033 - System Owner/User Discovery","reason":"Listing signing certificates assists in discovering the primary users and owners of the accounts, which aids in planning targeted attacks."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use ListSigningCertificates to review which users have active certificates","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-signing-certificates --user-name traildiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListSigningCertificates"} +{"eventName":"ListUsers","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. Knowledge of valid accounts can help in attempts to compromise or leverage these accounts."},{"technique":"T1057 - Process Discovery","reason":"Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam list-users"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-ListUsers"} +{"eventName":"PutGroupPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds or updates an inline policy document that is embedded in the specified IAM group.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Inline policies can be altered to disable or impair security features such as monitoring and alerting."},{"technique":"T1556 - Modify Authentication Process","reason":"Inline policies can be modified to change authentication processes, making it easier to bypass existing security controls."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy"} +{"eventName":"PutRolePermissionsBoundary","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds or updates the policy that is specified as the IAM role's permissions boundary.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1212 - Exploitation for Privilege Escalation","reason":"Modifying permissions boundaries can be used to elevate the privileges of the role, enabling actions that would otherwise be restricted."},{"technique":"T1556 - Modify Authentication Process","reason":"By altering the permissions boundary, attackers can change the authentication process for the role to grant themselves higher privileges."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary"} +{"eventName":"PutRolePolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds or updates an inline policy document that is embedded in the specified IAM role.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Modifying IAM role policies can be used to restrict or remove access to certain users or roles, aiding in defense evasion."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use PutRolePolicy to modify permissions of IAM roles, potentially granting unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"}],"simulation":[{"type":"commandLine","value":"aws iam put-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover --policy-document {}"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-PutRolePolicy"} +{"eventName":"PutUserPermissionsBoundary","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds or updates the policy that is specified as the IAM user's permissions boundary.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Setting a permissions boundary might be part of a strategy to later remove access to certain resources or actions, effectively controlling or limiting account capabilities."},{"technique":"T1556 - Modify Authentication Process","reason":"Attackers may modify permissions boundaries to ensure their access is maintained across cloud accounts, preventing account lockout or access removal."},{"technique":"T1562 - Impair Defenses","reason":"Changing the permissions boundary might be used to impact security settings or access, impairing the effectiveness of security tools and preventing detection or response to malicious activity."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary"} +{"eventName":"PutUserPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Adds or updates an inline policy document that is embedded in the specified IAM user.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":["T1098.003 - Account Manipulation: Additional Cloud Roles"],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"By embedding policies that allow for disabling or bypassing security controls, adversaries can impair defense mechanisms."},{"technique":"T1531 - Account Access Removal","reason":"Adversaries may use PutUserPolicy to remove access rights for legitimate users, causing disruption."},{"technique":"T1068 - Exploitation for Privilege Escalation","reason":"If an adversary can modify policies to grant administrative privileges, they effectively escalate their privileges."},{"technique":"T1556 - Modify Authentication Process","reason":"Inline policies can be changed to weaken authentication requirements, making it easier for adversaries to access the account."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4"},{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml"}],"simulation":[{"type":"commandLine","value":"aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy"} +{"eventName":"SetDefaultPolicyVersion","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Sets the specified version of the specified policy as the policy's default (operative) version.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Modifying the policy's default version can be used to evade detection by setting the policy version that was in place before the attack."},{"technique":"T1531 - Account Access Removal","reason":"Attackers can use this API call to update policies in a way that prevents legitimate users from accessing resources, ensuring continued control over the compromised environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use SetDefaultPolicyVersion to revert IAM policies to less secure versions, potentially exposing sensitive resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam set-default-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --version-id v2"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-SetDefaultPolicyVersion"} +{"eventName":"SimulatePrincipalPolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":" Using this API, attackers can determine the permissions associated with specific IAM roles or users, aiding in privilege escalation planning."},{"technique":"T1615 - Group Policy Discovery","reason":"By simulating principal policies, attackers can identify the group policies and their impact on IAM roles and entities."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. Using this technique might allow attackers to evade defenses while enumerating permissions.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy"} +{"eventName":"UpdateAccessKey","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Changes the status of the specified access key from Active to Inactive, or vice versa.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070. - Indicator Removal","reason":"Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis."},{"technique":"T1531 - Account Access Removal","reason":"Temporarily deactivating keys to remove access can help adversaries evade detection while they perform malicious activities."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS - IAM Privesc","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc"}],"securityImplications":"Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey"} +{"eventName":"UpdateAssumeRolePolicy","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Updates the policy that grants an IAM entity permission to assume a role.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Updating the assume role policy can allow attackers to use valid IAM roles to maintain access."},{"technique":"T1036 - Masquerading","reason":"Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate"}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"AWS IAM Persistence Methods","link":"https://hackingthe.cloud/aws/post_exploitation/iam_persistence/"}],"securityImplications":"Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy"} +{"eventName":"UpdateLoginProfile","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Changing an IAM user's password allows an attacker to maintain access using a legitimate account."},{"technique":"T1556 - Modify Authentication Process","reason":"Changing the password directly impacts the authentication process, potentially locking out legitimate users and ensuring only the attacker has access."},{"technique":"T1531 - Account Access Removal","reason":"Changing the password of an IAM user can also serve as a means to remove legitimate account access for the rightful user, ensuring only the attacker can access the account."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml"}],"simulation":[{"type":"commandLine","value":"aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile"} +{"eventName":"UpdateSAMLProvider","eventSource":"iam.amazonaws.com","awsService":"IAM","description":"Updates the metadata document for an existing SAML provider resource object.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1556 - Modify Authentication Process","reason":"The UpdateSAMLProvider API call allows changing the SAML metadata document, directly affecting how AWS handles authentication through SAML assertions. This can enable an attacker to alter authentication mechanisms or potentially introduce unauthorized access methods."},{"technique":"T1078 - Valid Accounts","reason":"By changing the SAML metadata document, an attacker could gain access to valid accounts. The new or altered assertions in the SAML metadata can be used to authenticate as legitimate AWS users or roles."},{"technique":"T1550 - Use Alternate Authentication Material","reason":"Altering the SAML metadata document provides an opportunity to use different authentication material. An attacker could insert alternate cryptographic keys or certificates into the SAML assertions, allowing them to authenticate to AWS resources as a trusted user or entity."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Gaining AWS Persistence by Updating a SAML Identity Provider","link":"https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5"}],"securityImplications":"Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.","alerting":[],"simulation":[{"type":"commandLine","value":"aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover"}],"permissions":"https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider"} +{"eventName":"Encrypt","eventSource":"kms.amazonaws.com","awsService":"KMS","description":"Encrypts plaintext of up to 4,096 bytes using a KMS key. ","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1486 - Data Encrypted for Impact"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1560 - Archive Collected Data","reason":"Encrypting data before exfiltration can help to evade detection and bypass certain security controls, however this would be quite noisy."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Encrypting information can make it harder for security tools to analyze the content of the data, aiding in evasion. This could be used for things like other keys to avoid suspicion."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use Encrypt to encrypt data for ransom.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/kms#kms-Encrypt"} +{"eventName":"GenerateDataKeyWithoutPlaintext","eventSource":"kms.amazonaws.com","awsService":"KMS","description":"Returns a unique symmetric data key for use outside of AWS KMS.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1486 - Data Encrypted for Impact"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"The symmetric data key can be used to encrypt or delete critical data, rendering it useless and causing operational disruptions."},{"technique":"T1560 - Archive Collected Data","reason":"The data key can facilitate the encryption of collected data before exfiltration to avoid detection."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use GenerateDataKeyWithoutPlaintext to generate encryption keys that can decrypt data in a ransom.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/kms#kms-GenerateDataKeyWithoutPlaintext"} +{"eventName":"ScheduleKeyDeletion","eventSource":"kms.amazonaws.com","awsService":"KMS","description":"Schedules the deletion of a KMS key.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1561 - Disk Wipe","reason":"By scheduling the deletion of a KMS key, the adversary could render encrypted data useless, effectively wiping the disk content indirectly."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting a KMS key can disrupt the availability of data, causing a denial of service on the applications relying on the encrypted data."},{"technique":"T1098 - Account Manipulation","reason":"The scheduling of a key deletion might involve manipulating existing KMS permissions or roles to gain the necessary rights to perform the action."},{"technique":"T1562 - Impair Defenses","reason":"Deleting a KMS key can impair security defenses by making logs or other critical data inaccessible if they are encrypted with the deleted key."},{"technique":"T1486 - Data Encrypted for Impact","reason":"By deleting the encryption key, the adversary ensures that the encrypted data is rendered unusable, impacting the integrity and availability of the data."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":" Threat Hunting with CloudTrail and GuardDuty in Splunk","link":"https://www.chrisfarris.com/post/reinforce-threat-hunting/"}],"securityImplications":"Attackers might use ScheduleKeyDeletion to schedule the deletion of crucial encryption keys, disrupting data security and access.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-7"}],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/kms#kms-ScheduleKeyDeletion"} +{"eventName":"AddPermission20150331v2","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Grants an AWS service, AWS account, or AWS organization permission to use a function.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"The AddPermission API call can be used to alter permissions, effectively manipulating accounts to maintain access or escalate privileges."},{"technique":"T1090 - Proxy","reason":"Permissions granted via AddPermission could enable an attacker to set up functions that act as proxies, helping to evade defenses."},{"technique":"T1087 - Account Discovery","reason":"Attackers could use the AddPermission call to discover additional accounts that have access to specific Lambda functions, aiding in lateral movement."},{"technique":"T1071 - Application Layer Protocol","reason":"Permissions can be used to manipulate Lambda functions to communicate over various application layer protocols, aiding in command and control."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use AddPermission to grant unauthorized access to sensitive Lambda functions and then perform Privilege Escalation.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns --principal sns.amazonaws.com"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-AddPermission"} +{"eventName":"CreateEventSourceMapping20150331","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Creates a mapping between an event source and an AWS Lambda function.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"The Lambda function might execute code based on the event source data, potentially running JavaScript if included in the payload."},{"technique":"T1071 - Application Layer Protocol","reason":"Lambda functions can communicate over web protocols, enabling command and control through event source triggers."},{"technique":"T1546 - Event Triggered Execution","reason":"Event source mappings can be used to trigger Lambda functions, executing code in response to specific events or data."},{"technique":"T1098 - Account Manipulation","reason":"Modifying the event source mappings can change the behavior of Lambda functions, possibly to escalate privileges or persist in the environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping"} +{"eventName":"CreateFunction20150331","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Creates a Lambda function.","mitreAttackTactics":["TA0003 - Persistence","TA0004 - Privilege Escalation","TA0040 - Impact"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"The Lambda function can be configured to execute JavaScript code, enabling attackers to run malicious scripts."},{"technique":"T1070 - Indicator Removal","reason":" By using Lambda, attackers can delete logs or files to evade detection."},{"technique":"T1562 - Impair Defenses","reason":"Attackers might create Lambda functions designed to disable security monitoring tools or alerts."},{"technique":"T1071 - Application Layer Protocol","reason":"Lambda functions can communicate over standard web protocols, enabling Command and Control communication that blends with regular traffic."},{"technique":"T1027 - Obfuscated Files or Information","reason":"If attackers use code-signing configurations and different deployment packaging (e.g., obfuscated container images or encrypted .zip archives), it can help evade detection by concealing the true nature of the function code."},{"technique":"T1053 - Scheduled Task/Job","reason":"Attackers might schedule Lambda functions to execute at specific intervals, providing a means of persistence or delayed execution."}],"usedInWild":true,"incidents":[{"description":"Mining Crypto","link":"https://twitter.com/jonnyplatt/status/1471453527390277638"},{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction"} +{"eventName":"Invoke","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Invokes a Lambda function.","mitreAttackTactics":["TA0040 - Impact","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Lambda functions can be used to execute scripts and commands, allowing attackers to run arbitrary code within the AWS environment."},{"technique":"T1071 - Application Layer Protocol","reason":"The Invoke API call can be used to establish communication channels over various application layer protocols for command and control purposes."},{"technique":"T1036 - Masquerading","reason":"Attackers can invoke Lambda functions under the guise of legitimate requests to evade detection."},{"technique":"T1105 - Ingress Tool Transfer","reason":"An attacker can use Lambda functions to download or transfer malicious tools into the environment."},{"technique":"T1074 - Data Staged","reason":"Lambda functions can be used to stage data for exfiltration, storing collected information temporarily."},{"technique":"T1219 - Remote Access Software","reason":"Attackers can use Lambda functions as a form of remote access to maintain control over compromised systems."},{"technique":"T1190 - Exploit Public-Facing Application","reason":"If the Lambda function is triggered via a public-facing API endpoint, it could be exploited to gain unauthorized access. Attackers may abuse vulnerable API configurations or input validation flaws to invoke the function, thus compromising the environment."},{"technique":"T1053 - Scheduled Task/Job","reason":"Lambda functions can be scheduled to execute tasks periodically, allowing persistent execution of malicious code."},{"technique":"T1648 - Serverless Execution","reason":"By invoking a Lambda function, an attacker can leverage the serverless environment to run malicious code, perform lateral movement, or conduct other post-exploitation activities while taking advantage of the scalability and ephemeral nature of serverless computing to evade detection and persist within the environment."}],"usedInWild":true,"incidents":[{"description":"Mining Crypto","link":"https://twitter.com/jonnyplatt/status/1471453527390277638"},{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"}],"securityImplications":"Attackers might use Invoke to execute previously modified functions in AWS Lambda.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-InvokeFunction"} +{"eventName":"UpdateEventSourceMapping20150331","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.","mitreAttackTactics":["TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1071 - Application Layer Protocol","reason":"Changing the event source mapping can be used to invoke a function via HTTP/S requests, which aligns with utilizing web protocols for execution."},{"technique":"T1053 - Scheduled Task/Job","reason":"Adversaries can use this API call to set up or alter scheduled tasks or jobs, such as Lambda functions, to achieve persistence by ensuring repeated or delayed execution."},{"technique":"T1562 - Impair Defenses","reason":"Adversaries can pause the invocation of a Lambda function to impair or disable security tools or monitoring functions, thereby evading detection or preventing logging."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Adversaries can obfuscate their actions by frequently changing the event source mapping, making it harder to trace the function invocations."},{"technique":"T1098 - Account Manipulation","reason":"Changing the event source mapping can also be used to manipulate which account or function is invoked, potentially changing the permissions context."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Updating the event source mapping involves modifying the cloud infrastructure to change how functions are executed, which is a form of altering cloud resources for persistence or evasion."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}],"securityImplications":"Attackers might use UpdateEventSourceMapping to pull data from a different source, leading to incorrect function results.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda update-event-source-mapping --uuid 'a1b2c3d4-5678-90ab-cdef-11111EXAMPLE' --batch-size 8"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-UpdateEventSourceMapping"} +{"eventName":"UpdateFunctionCode20150331v2","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.","mitreAttackTactics":["TA0003 - Persistence","TA0040 - Impact","TA0009 - Collection"],"mitreAttackTechniques":["T1098 - Account Manipulation","T1496 - Resource Hijacking","T1119 - Automated Collection"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Adversaries can use AWS Lambda to execute commands or scripts by updating the function code to include the desired commands or scripts."},{"technique":"T1648 - Serverless Execution","reason":"Attackers may maintain persistence in a target environment by continually updating Lambda function code in serverless environments."},{"technique":"T1074 - Data Staged","reason":"Staging data in cloud storage services can be facilitated by updating the Lambda function code to interact with these storage resources."},{"technique":"T1560 - Archive Collected Data","reason":"Updating Lambda function code to access metadata services enables the function to collect and archive data."},{"technique":"T1578 - Modify Cloud Compute Infrastructure","reason":"Attackers can modify cloud compute infrastructure to execute malicious activities by updating the Lambda function."},{"technique":"T1056 - Input Capture","reason":"By updating the Lambda function code to capture inputs, such as keystrokes or API inputs, adversaries can collect sensitive information."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"},{"description":"How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies","link":"https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c"}],"securityImplications":"Attackers might use UpdateFunctionCode to modify the code of a Lambda function, potentially injecting malicious code.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda update-function-code --function-name my-function"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionCode"} +{"eventName":"UpdateFunctionConfiguration20150331v2","eventSource":"lambda.amazonaws.com","awsService":"Lambda","description":"Modify the version-specific settings of a Lambda function.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1098 - Account Manipulation"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"Modifying Lambda function configurations allows execution of scripts or commands in the runtime environment."},{"technique":"T1562 - Impair Defenses","reason":"Attackers might modify configurations like logging settings or environment variables to prevent detection efforts."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS IAM Privilege Escalation Techniques","link":"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"},{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"},{"description":"LambdaSpy - Implanting the Lambda execution environment (Part two)","link":"https://www.clearvector.com/blog/lambda-spy/"}],"securityImplications":"Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lambda update-function-configuration --function-name my-function --memory-size 256"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension"}],"permissions":"https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration"} +{"eventName":"CreateInstances","eventSource":"lightsail.amazonaws.com","awsService":"Lightsail","description":"Creates one or more Amazon Lightsail instances.","mitreAttackTactics":["TA0005 - Defense Evasion","TA0040 - Impact"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1496 - Resource Hijacking"],"mitreAttackSubTechniques":["T1578.002 - Modify Cloud Compute Infrastructure: Create Cloud Instance"],"unverifiedMitreAttackTechniques":[{"technique":"T1583 - Acquire Infrastructure","reason":"CreateInstances can be used by adversaries to acquire infrastructure for future operations by provisioning new instances."},{"technique":"T1090 - Proxy","reason":"Instances could act as proxies to route malicious traffic and hide the true source of the attack."},{"technique":"T1102 - Web Services","reason":"Instances may be used to communicate with web services to facilitate command and control or data exfiltration."},{"technique":"T1036 - Masquerading","reason":"Instances may be named or configured to masquerade as legitimate services or systems."},{"technique":"T1074 - Data Staged","reason":"Instances can be used to stage data before exfiltration, serving as temporary storage points."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use CreateInstances to rapidly deploy malicious instances, causing financial loss and resource exhaustion. The use of lightsail might not be monitored.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lightsail create-instances --instance-names Instance-1 --availability-zone us-west-2a --blueprint-id wordpress_5_1_1_2 --bundle-id nano_2_0"}],"permissions":"https://aws.permissions.cloud/iam/lightsail#lightsail-CreateInstances"} +{"eventName":"GetInstances","eventSource":"lightsail.amazonaws.com","awsService":"LightSail","description":"Returns information about all Amazon Lightsail virtual private servers, or instances.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Using GetInstances, attackers can retrieve detailed information about the instances, such as instance IDs, names, and states, providing insight into the system's configuration."},{"technique":"T1057 - Process Discovery","reason":"Although indirect, details about instances can hint at the types of processes and services running within those instances."},{"technique":"T1033 - System Owner/User Discovery","reason":"Instance metadata often includes user or owner information, which can be used to identify who is responsible for the instances."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use GetInstances to gather information about running instances for potential exploitation.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lightsail get-instances"}],"permissions":"https://aws.permissions.cloud/iam/lightsail#lightsail-GetInstances"} +{"eventName":"GetRegions","eventSource":"lightsail.amazonaws.com","awsService":"LightSail","description":"Returns a list of all valid regions for Amazon Lightsail.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The GetRegions API call can provide information about the geographical distribution of LightSail resources, which is useful for understanding the environment."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use GetRegions to identify potential targets in different geographical locations on AWS LightSail.","alerting":[],"simulation":[{"type":"commandLine","value":"aws lightsail get-regions"}],"permissions":"https://aws.permissions.cloud/iam/lightsail#lightsail-GetRegions"} +{"eventName":"CreateAccount","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Creates an AWS account that is automatically a member of the organization whose credentials made the request.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1535 - Unused/Unsupported Cloud Regions"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By creating a new AWS account within the organization, attackers can obtain valid cloud credentials for future access and operations."},{"technique":"T1098 - Account Manipulation","reason":"Creating a new account can be used to manipulate and manage user accounts, potentially hiding malicious activities under a legitimate-looking account."},{"technique":"T1136 - Create Account","reason":"Creating a new account can establish persistence, allowing an attacker to maintain access even if the initially compromised account is detected and removed."},{"technique":"T1562 - Impair Defenses","reason":"Attackers can use the new account to disable or modify security tools and configurations within the cloud environment to avoid detection."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations create-account --email traildiscover@example.com --account-name \"TrailDiscover Account\""}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount"} +{"eventName":"DescribeOrganization","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Retrieves information about the organization that the user's account belongs to.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"DescribeOrganization can be used to discover details about accounts within the organization, including account IDs and email addresses."},{"technique":"T1078 - Valid Accounts","reason":"Information gathered can assist in identifying valid accounts within the organization, aiding further actions that require valid credentials."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations describe-organization"}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization"} +{"eventName":"InviteAccountToOrganization","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Sends an invitation to another account to join your organization as a member account.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1535 - Unused/Unsupported Cloud Regions"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"Adding accounts to the organization can be used to manipulate account permissions and roles for persistence or escalation of privileges."},{"technique":"T1562 - Impair Defenses","reason":"By adding new accounts, an attacker might impair the existing security defenses, such as monitoring and logging configurations, by creating noise or adding trusted accounts."},{"technique":"T1199 - Trusted Relationship","reason":"Inviting an account creates a trusted relationship that can be exploited for initial access or lateral movement within the organization."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use InviteAccountToOrganization to add an account they control for defense evasion, resource hijacking.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations invite-account-to-organization --target '{\"Type\": \"EMAIL\", \"Id\": \"traildiscover@example.com\"}'"}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-InviteAccountToOrganization"} +{"eventName":"LeaveOrganization","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Removes a member account from its parent organization.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1070 - Indicator Removal"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Leaving the organization can be used to evade security controls and monitoring that are applied at the organization level, reducing the chances of detection."}],"usedInWild":false,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"An AWS account attempted to leave the AWS Organization","link":"https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"}],"securityImplications":"Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations leave-organization"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave"}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization"} +{"eventName":"ListAccounts","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Lists all the accounts in the organization.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"Using the ListAccounts API call, an attacker can enumerate all accounts within the AWS organization, gaining insight into the structure and scope of the organization's AWS environment."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[],"securityImplications":"Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations list-accounts"}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts"} +{"eventName":"ListOrganizationalUnitsForParent","eventSource":"organizations.amazonaws.com","awsService":"Organizations","description":"Lists the organizational units (OUs) in a parent organizational unit or root.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1482 - Domain Trust Discovery","reason":"By listing the organizational units, an adversary can identify relationships and trust boundaries between different parts of the organization, gaining insight into the hierarchical structure that may be exploited later."},{"technique":"T1018 - Remote System Discovery","reason":"Knowledge of the organizational units can inform an adversary about different parts of the cloud infrastructure, helping to discover systems or accounts that can be targeted for further actions."},{"technique":"T1069 - Permission Groups Discovery","reason":"The API can reveal different organizational units that might correspond to permission groupings or roles within the AWS environment, which is crucial for understanding how access is managed across the organization."},{"technique":"T1590 - Gather Victim Network Information","reason":"By understanding the organizational units, an adversary can piece together information about the internal network structure, which can be critical for furthering internal reconnaissance efforts."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[],"securityImplications":"Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.","alerting":[],"simulation":[{"type":"commandLine","value":"aws organizations list-organizational-units-for-parent --parent-id r-traildiscover"}],"permissions":"https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent"} +{"eventName":"AuthorizeDBSecurityGroupIngress","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Enables ingress to a DBSecurityGroup using one of two forms of authorization.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1021 - Remote Services","reason":"By authorizing specific IP ranges or security groups, this API call can enable remote access to the database from specified instances or IP addresses, potentially allowing attackers to establish unauthorized access directly."},{"technique":"T1071 - Application Layer Protocol","reason":"The authorization of ingress rules through this API call may enable attackers to use common web protocols (HTTP/S) to interact with the database, facilitating access over application-layer protocols."},{"technique":"T1090 - Proxy","reason":"Attackers might exploit the authorized IP range through this API call by routing their traffic via an external proxy, masking their true origin and evading detection."},{"technique":"T1133 - External Remote Services","reason":"The API call directly allows the configuration of external access to cloud-based database services, which could be exploited by attackers to bypass internal network protections by directly accessing the database."},{"technique":"T1036 - Masquerading","reason":"Attackers might use the API call to authorize ingress for IP addresses or security groups that appear legitimate or benign, thus evading detection by security monitoring tools that rely on expected network traffic patterns."},{"technique":"T1562 - Impair Defenses","reason":"By carefully selecting which IPs or security groups to authorize, attackers can effectively impair or avoid network-based defenses, such as firewalls or intrusion detection systems (IDS), that rely on stricter ingress rules to protect the database."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"},{"description":"Hunting AWS RDS security events with Sysdig","link":"https://sysdig.com/blog/aws-rds-security-events-sysdig/"}],"securityImplications":"Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress"} +{"eventName":"CreateDBSecurityGroup","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Creates a new DB security group. DB security groups control access to a DB instance.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1071 - Application Layer Protocol","reason":"The security group settings can be configured to allow specific protocols or applications to communicate with the DB instance, facilitating control or exfiltration methods."},{"technique":"T1562 - Impair Defenses","reason":"Modifying or creating a security group that permits broader access to the DB instance could serve as a form of defense evasion by bypassing firewall rules set to protect the database."},{"technique":"T1098 - Account Manipulation","reason":"Creating or modifying a security group could be a method to manipulate access controls and permissions, thereby escalating privileges or creating a backdoor for persistent access."},{"technique":"T1036 - Masquerading","reason":"An attacker could create or name a DB security group to resemble legitimate or existing groups to avoid detection. This can deceive administrators or monitoring systems, allowing malicious actions to go unnoticed."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"},{"description":"Hunting AWS RDS security events with Sysdig","link":"https://sysdig.com/blog/aws-rds-security-events-sysdig/"}],"securityImplications":"Attackers might use CreateDBSecurityGroup to create new security groups with lax rules, potentially allowing unauthorized access to the database.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds create-db-security-group --db-security-group-name TrailDiscoverSecurityGroupName --db-security-group-description TrailDiscoverDescription"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-CreateDBSecurityGroup"} +{"eventName":"CreateDBSnapshot","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Creates a snapshot of a DB instance.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1003 - OS Credential Dumping","reason":"Snapshots could contain credentials or other sensitive information that can be extracted and exploited by an attacker."},{"technique":"T1078 - Valid Accounts","reason":"Snapshots containing authentication data or API keys can be used by attackers to maintain unauthorized access to cloud environments."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"Snapshots stored in cloud storage can be accessed by attackers to extract sensitive information."},{"technique":"T1005 - Data from Local System","reason":"The snapshot may contain data from the local system of the database instance that attackers could extract."},{"technique":"T1020 - Automated Exfiltration","reason":"The snapshot could be automatically transferred out of the environment to an external location, facilitating data exfiltration without manual intervention."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"Stealing an RDS database by creating a snapshot and sharing it","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/"}],"securityImplications":"Attackers might use CreateDBSnapshot to create unauthorized backups of sensitive databases for data theft.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds create-db-snapshot --db-instance-identifier TrailDiscoverDBInstance --db-snapshot-identifier TrailDiscoverDBSnapshot"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-CreateDBSnapshot"} +{"eventName":"DeleteDBCluster","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"The DeleteDBCluster action deletes a previously provisioned DB cluster.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"By deleting the DB cluster, an attacker could disable or remove a crucial part of an organization\u2019s monitoring or logging setup if these were hosted on the RDS instance."},{"technique":"T1531 - Account Access Removal","reason":"Deleting a DB cluster could also serve to remove access to critical data and services, thereby disrupting operations and hindering incident response."},{"technique":"T1070 - Indicator Removal","reason":"Deleting the DB cluster may remove evidence of previous activities, such as logs or data that could be used to investigate the attack, serving as a method to evade detection."},{"technique":"T1489 - Service Stop","reason":"The deletion of a DB cluster directly results in stopping the associated service, causing disruption to any applications or services relying on that database."},{"technique":"T1499 - Endpoint Denial of Service","reason":"By deleting the DB cluster, the attacker effectively denies access to the endpoint associated with the database, preventing legitimate users from interacting with the data and services hosted on the DB cluster."},{"technique":"T1490 - Inhibit System Recovery","reason":"Deleting a DB cluster can prevent data recovery if backups are also targeted or if the deletion is part of a strategy to ensure that data cannot be restored."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"Hunting AWS RDS security events with Sysdig","link":"https://sysdig.com/blog/aws-rds-security-events-sysdig/"},{"description":"AWS Deletion of RDS Instance or Cluster","link":"https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html"}],"securityImplications":"Attackers might use DeleteDBCluster to delete crucial databases, causing data loss and service disruption.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds delete-db-cluster --db-cluster-identifier TrailDiscoverDBCluster"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-DeleteDBCluster"} +{"eventName":"DeleteDBInstance","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Deletes a previously provisioned DB instance.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Removing a DB instance can help an adversary eliminate logs or traces of malicious activity by erasing the entire database where logs might be stored."},{"technique":"T1531 - Account Access Removal","reason":"If an attacker deletes a DB instance, it could be a part of denying access to legitimate users by removing the resource they need."},{"technique":"T1489 - Service Stop","reason":"Deleting a DB instance can effectively stop a critical service, rendering the associated application or service unavailable."},{"technique":"T1499 - Endpoint Denial of Service","reason":"By deleting a DB instance, an attacker can cause a denial of service by removing the endpoint that the application or users rely on for database services."},{"technique":"T1565 - Data Manipulation","reason":"While not strictly altering data, deleting a DB instance can result in the loss of data integrity, as the sudden removal can lead to incomplete data or service disruptions."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteDBInstance to delete crucial databases, causing data loss and service disruption.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds delete-db-instance --db-instance-identifier TrailDiscoverDB"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-DeleteDBInstance"} +{"eventName":"DeleteGlobalCluster","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting a global database cluster can cause an application or system to become unavailable, effectively denying service to legitimate users."},{"technique":"T1561 - Disk Wipe","reason":"The deletion of a global database cluster can be seen as a form of storage deletion, where critical data is irreversibly destroyed."},{"technique":"T1070 - Indicator Removal","reason":"By deleting the global database cluster, an attacker can remove evidence of the existence of that cluster, potentially hindering forensic investigations."},{"technique":"T1489 - Service Stop","reason":"Deleting a global database cluster will stop associated services, disrupting operations and causing an impact on availability."},{"technique":"T1562 - Impair Defenses","reason":"Deleting the database cluster can disable monitoring or logging capabilities, thus impairing defenses by making it harder to detect malicious activity."},{"technique":"T1490 - Inhibit System Recovery","reason":"By deleting a global database cluster, an attacker may prevent system recovery by ensuring that critical data or configurations cannot be restored."},{"technique":"T1531 - Account Access Removal","reason":"If the global database cluster contains authentication information or is tied to account access mechanisms, deleting it can effectively remove or disrupt account access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Deletion of RDS Instance or Cluster","link":"https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html"}],"securityImplications":"Attackers might use DeleteGlobalCluster to disrupt database services by deleting global clusters in AWS RDS.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds delete-global-cluster --global-cluster-identifier TrailDiscoverGlobalClusterIdentifier"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-DeleteGlobalCluster"} +{"eventName":"ModifyActivityStream","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Changes the audit policy state of a database activity stream to either locked (default) or unlocked.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"Modifying the database activity stream to an unlocked state could impair logging and monitoring, effectively evading defenses."},{"technique":"T1070 - Indicator Removal","reason":"Attackers might reconfigure the audit policy state to the original state to avoid an investigation."}],"usedInWild":true,"incidents":[{"description":"Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response","link":"https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response"}],"researchLinks":[],"securityImplications":"Attackers might use ModifyActivityStream to alter the configuration of the activity stream, potentially hiding malicious activities or causing disruptions in the database operations.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds modify-activity-stream"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-ModifyActivityStream"} +{"eventName":"ModifyDBSnapshotAttribute","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By adding specific AWS account IDs to the ValuesToAdd parameter, an attacker can ensure persistent access to a DB snapshot by authorized accounts."},{"technique":"T1562 - Impair Defenses","reason":"Modifying the snapshot to make it public or share it with specific accounts might bypass certain security controls, aiding in defense evasion."},{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Making a DB snapshot public or sharing it with specific accounts allows unauthorized access, facilitating the exfiltration of sensitive data to an attacker-controlled AWS account."},{"technique":"T1070 - Indicator Removal","reason":"Removing attributes or specific account IDs from the ValuesToAdd parameter can be used to cover tracks by eliminating evidence of unauthorized access."},{"technique":"T1087 - Account Manipulation","reason":"Modifying the attributes to include or exclude certain account IDs is a form of account manipulation, impacting who can access the snapshot."},{"technique":"T1531 - Account Access Removal","reason":"By removing access to certain AWS accounts from the ValuesToAdd parameter, legitimate users may be denied access, contributing to account access removal tactics."},{"technique":"T1071 - Application Layer Protocol","reason":"The API call itself operates over an application layer protocol (typically HTTPS) and can be part of a communication channel used by the attacker to modify and transfer data within the cloud."}],"usedInWild":true,"incidents":[{"description":"Imperva Security Update","link":"https://www.imperva.com/blog/ceoblog/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"}],"researchLinks":[{"description":"Stealing an RDS database by creating a snapshot and sharing it","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/"},{"description":"Hunting AWS RDS security events with Sysdig","link":"https://sysdig.com/blog/aws-rds-security-events-sysdig/"}],"securityImplications":"Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute"} +{"eventName":"StartExportTask","eventSource":"rds.amazonaws.com","awsService":"RDS","description":"Starts an export of DB snapshot or DB cluster data to Amazon S3.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1567 - Exfiltration Over Web Service","reason":"By exporting data to an S3 bucket, adversaries can use cloud services as a method to exfiltrate data without direct interaction with the database."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"After exporting snapshot data to S3, an adversary can retrieve and analyze the data from the S3 bucket, provided they maintain access to the cloud storage."},{"technique":"T1213 - Data from Information Repositories","reason":"By exporting the RDS snapshot, an adversary gains access to a repository of information stored within the database, which they can then access through the S3 bucket."},{"technique":"T1078 - Cloud Accounts","reason":"Adversaries may leverage compromised cloud accounts to persist within the environment, using cloud-native functionality like the StartExportTask to maintain access to sensitive data over time."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS - RDS Post Exploitation","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation"}],"securityImplications":"Attackers might use StartExportTask to export database snapshots to an S3 they control and gain access to the data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws rds start-export-task --export-task-identifier my-s3-export --source-arn arn:aws:rds:us-west-2:123456789012:snapshot:db5-snapshot-test --s3-bucket-name mybucket --iam-role-arn arn:aws:iam::123456789012:role/service-role/TrailDiscover --kms-key-id arn:aws:kms:us-west-2:123456789012:key/abcd0000-7fca-4128-82f2-aabbccddeeff"}],"permissions":"https://aws.permissions.cloud/iam/rds#rds-StartExportTask"} +{"eventName":"Search","eventSource":"resource-explorer-2.amazonaws.com","awsService":"ResourceExplorer","description":"Searches for resources and displays details about all resources that match the specified criteria.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1069 - Permission Groups Discovery","reason":"Attackers can create queries to discover permission groups, roles, and policies within the AWS environment, which might aid in understanding access levels across different resources."},{"technique":"T1538 - Cloud Service Discovery","reason":"By specifying queries related to cloud services, attackers can discover details about various services in use, aiding in the mapping of the environment."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"The search results can reveal information about infrastructure components like EC2 instances, S3 buckets, and databases, providing attackers with critical data about the cloud architecture."},{"technique":"T1201 - Password Policy Discovery","reason":"Queries can be tailored to discover password policies related to IAM users, assisting attackers in crafting password-based attacks."},{"technique":"T1552 - Unsecured Credentials","reason":"If the search results reveal IAM roles or users with associated access keys, attackers might identify unsecured credentials that could be exploited for unauthorized access."},{"technique":"T1078 - Valid Accounts","reason":"Searches might return details about valid accounts that could be targeted for unauthorized access, particularly if accounts are not adequately secured."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"researchLinks":[],"securityImplications":"Attackers might use Search to list resorces.","alerting":[],"simulation":[{"type":"commandLine","value":"aws resource-explorer-2 search --query-string 'service:iam'"}],"permissions":"https://aws.permissions.cloud/iam/resource-explorer-2#resource-explorer-2-Search"} +{"eventName":"ChangeResourceRecordSets","eventSource":"route53.amazonaws.com","awsService":"Route53","description":"Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1071 - Application Layer Protocol","reason":"The ChangeResourceRecordSets API can be used to modify DNS records, allowing attackers to establish command and control channels using DNS or other application-layer protocols like HTTP/HTTPS."},{"technique":"T1070 - Indicator Removal","reason":"By altering DNS records, attackers can hide or modify evidence of their activities, such as tampering with or removing logs associated with DNS queries to avoid detection by security systems."},{"technique":"T1090 - Proxy","reason":"Attackers may use this API to redirect network traffic through external or internal proxies by changing DNS records, which helps conceal the true destination of the traffic and evade monitoring tools."},{"technique":"T1565 - Data Manipulation","reason":"Altering DNS records can mislead or redirect users and systems, potentially sending them to malicious IP addresses or disrupting the normal operation of services by providing false information."},{"technique":"T1568 - Dynamic Resolution","reason":"Attackers can frequently update DNS entries using this API to maintain control over compromised systems or to evade detection by constantly altering the destination of command and control traffic."},{"technique":"T1531 - Account Access Removal","reason":"By modifying or deleting DNS records, attackers can effectively deny legitimate users access to services, redirecting traffic to incorrect or malicious servers, thereby locking out authorized access."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Changing or deleting essential DNS records can lead to a denial of service, where users are unable to access critical resources because DNS queries resolve to incorrect addresses."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Constant manipulation of DNS records may be used to obscure the attacker's activities, making it more challenging for defenders to trace or understand the methods used for command and control or data exfiltration."},{"technique":"T1213 - Data from Information Repositories","reason":"By redirecting traffic from legitimate information repositories to a malicious destination through altered DNS records, attackers can collect sensitive data under the guise of normal operations"},{"technique":"T1557 - Man-in-the-Middle","reason":"Modifying DNS records to reroute traffic to malicious sites can facilitate man-in-the-middle attacks, allowing attackers to intercept or manipulate communications between users and services."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"AWS API Call Hijacking via ACM-PCA","link":"https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}],"securityImplications":"Attackers might use ChangeResourceRecordSets to redirect traffic to malicious websites.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/route53#route53-ChangeResourceRecordSets"} +{"eventName":"CreateHostedZone","eventSource":"route53.amazonaws.com","awsService":"Route53","description":"Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1071 - Application Layer Protocol","reason":"Creating a hosted zone allows attackers to use DNS or web protocols for communication between compromised systems and attacker-controlled infrastructure, facilitating covert command and control operations."},{"technique":"T1090 - Proxy","reason":"The hosted zone can be configured to route traffic through multiple proxies, aiding in defense evasion by obscuring the true source or destination of the traffic."},{"technique":"T1568 - Dynamic Resolution","reason":"Attackers may use dynamically generated domains within the hosted zone to maintain command and control, making it difficult for defenders to track or block these communications."},{"technique":"T1036 - Masquerading","reason":"Attackers might create a hosted zone with a domain or subdomain that closely mimics a legitimate one, aiding in phishing or other forms of deception to mislead users or systems."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[{"description":"AWS API Call Hijacking via ACM-PCA","link":"https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/"}],"securityImplications":"Attackers might use CreateHostedZone to create malicious DNS zones for phishing or redirecting traffic.","alerting":[],"simulation":[{"type":"commandLine","value":"aws route53 create-hosted-zone --name traildiscover.cloud --caller-reference 2014-04-01-18:47 --hosted-zone-config Comment='traildiscover'"}],"permissions":"https://aws.permissions.cloud/iam/route53#route53-CreateHostedZone"} +{"eventName":"GetHostedZoneCount","eventSource":"route53.amazonaws.com","awsService":"Route53","description":"Retrieves the number of hosted zones that are associated with the current AWS account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The GetHostedZoneCount API call can be used to enumerate the number of DNS zones hosted in a cloud environment, which reveals information about the cloud account's resources."},{"technique":"T1526 - Cloud Service Discovery","reason":"The GetHostedZoneCount API call reveals the presence and scale of Route 53 DNS services within the cloud environment. This information helps adversaries understand the cloud infrastructure and identify potential targets for further actions."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use GetHostedZoneCount to gather information about the number of hosted zones, potentially identifying targets for DNS attacks.","alerting":[],"simulation":[{"type":"commandLine","value":"aws route53 get-hosted-zone-count"}],"permissions":"https://aws.permissions.cloud/iam/route53#route53-GetHostedZoneCount"} +{"eventName":"ListDomains","eventSource":"route53domains.amazonaws.com","awsService":"route53domains","description":"This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1526 - Cloud Service Discovery","reason":"The ListDomains API call allows an adversary to discover domain names associated with the AWS account, providing insights into the cloud infrastructure."},{"technique":"T1590 - Gather Victim Network Information","reason":"The ListDomains API call can be used to gather DNS information, which may reveal the structure of the victim\u2019s network and other valuable network details."},{"technique":"T1087 - Account Discovery","reason":"Knowing the domains registered within the AWS account can help identify associated cloud resources and potential attack vectors within the cloud environment."},{"technique":"T1046 - Network Service Scanning","reason":"The ListDomains API call could assist an adversary in identifying network services associated with the domain names, contributing to their reconnaissance efforts."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use ListDomains to identify potential targets for DNS hijacking or DDoS attacks.","alerting":[],"simulation":[{"type":"commandLine","value":"aws route53domains list-domains --region us-east-1"}],"permissions":"https://aws.permissions.cloud/iam/route53domains#route53domains-ListDomains"} +{"eventName":"RegisterDomain","eventSource":"route53domains.amazonaws.com","awsService":"route53domains","description":"This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1583 - Acquire Infrastructure","reason":"The RegisterDomain API call is used to acquire a new domain, which can be leveraged to set up malicious infrastructure, such as phishing sites or command and control servers."},{"technique":"T1584 - Compromise Infrastructure","reason":"Registering a domain and creating a corresponding hosted zone allows attackers to establish and control an infrastructure that supports malicious activities."},{"technique":"T1071 - Application Layer Protocol","reason":"By creating a hosted zone and assigning name servers, the domain can be used to facilitate communication via DNS, a common method for establishing command and control channels."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use RegisterDomain to register malicious domains for phishing or malware distribution.","alerting":[],"simulation":[{"type":"commandLine","value":"aws route53domains register-domain --region us-east-1 --cli-input-json '{\"DomainName\": \"\", \"DurationInYears\": 1, \"AdminContact\": { \"FirstName\": \"\", \"LastName\": \"\"}, \"RegistrantContact\": {\"FirstName\": \"\", \"LastName\": \"\" }, \"TechContact\": {\"FirstName\": \"\", \"LastName\": \"\"}}'"}],"permissions":"https://aws.permissions.cloud/iam/route53domains#route53domains-RegisterDomain"} +{"eventName":"DeleteBucket","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Deletes the S3 bucket.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1485 - Data Destruction","reason":"Permanently deleting objects or versions from S3 can result in the loss of critical data, affecting the availability and integrity of information. This action can disrupt business operations by removing essential files, leading to significant data loss and operational downtime."},{"technique":"T1070 - Indicator Removal","reason":"Deleting an S3 bucket can serve as a method of removing evidence or logs that may be stored within the bucket, helping to evade detection."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting an S3 bucket could result in a denial of service if critical data or services that rely on that bucket become unavailable."},{"technique":"T1489 - Service Stop","reason":"Deleting key objects or configuration files from S3 can cause critical services to stop functioning. This disruption can lead to downtime and loss of access to essential systems, impacting business operations."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteBucket to delete resources.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api delete-bucket --bucket my-traildiscover-bucket --region us-east-1"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-DeleteBucket"} +{"eventName":"DeleteBucketPolicy","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Deletes the policy of a specified bucket.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting a bucket policy can remove specific account or role permissions, effectively locking out other identities from accessing the bucket, which supports account access removal."},{"technique":"T1562 - Impair Defenses","reason":"By deleting a bucket policy, an attacker could disable or weaken security controls that were enforced by the policy, making it easier to execute subsequent malicious actions."},{"technique":"T1098 - Account Manipulation","reason":"If an attacker deletes the bucket policy, they can manipulate access controls to further their persistence or impede legitimate access, which could be considered a form of account manipulation."},{"technique":"T1070 - Indicator Removal","reason":"Deleting the bucket policy can remove key indicators of unauthorized access or changes. Since the policy itself might contain logging configurations or access control rules, its removal could make it harder to detect and track the attacker's actions, thereby aiding in evasion of detection."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting the bucket policy can lead to denial of service for legitimate users who rely on the policy to access the bucket, especially if the policy enforced critical access controls."},{"technique":"T1489 - Service Stop","reason":"By deleting the bucket policy, an attacker might indirectly cause services depending on that policy to stop functioning correctly, thereby achieving a form of service stop."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS S3 Bucket Configuration Deletion","link":"https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html"}],"securityImplications":"Attackers might use DeleteBucketPolicy to remove security policies and gain unauthorized access to S3 buckets.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}],"simulation":[{"type":"commandLine","value":"aws s3api delete-bucket-policy --bucket TrailDiscoverBucketName"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-DeleteBucketPolicy"} +{"eventName":"DeleteObject","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Removes an object from a bucket. The behavior depends on the bucket's versioning state.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting an object can be used to remove evidence of prior activity, aiding in evasion of detection and analysis."},{"technique":"T1562 - Impair Defenses","reason":"By deleting logs, configurations, or security-related data stored in S3, attackers can impair defensive mechanisms, reducing the effectiveness of monitoring and alerting systems."},{"technique":"T1490 - Inhibit System Recovery","reason":"By deleting critical backups or data versions in S3, an attacker can inhibit recovery processes, making it difficult to restore systems to their pre-attack state."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting important objects required for system functionality or application performance could result in a denial of service, preventing users from accessing necessary resources or causing system disruptions."},{"technique":"T1489 - Service Stop","reason":"Deleting configuration files or objects critical to the operation of a service hosted in AWS can lead to a service stop, effectively disrupting operations and causing downtime."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability","link":"https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability"},{"description":"20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets","link":"https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/"},{"description":"Hacker Puts Hosting Service Code Spaces Out of Business","link":"https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteObject to erase crucial data from S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-DeleteObject"} +{"eventName":"GetBucketAcl","eventSource":"s3.amazonaws.com","awsService":"S3","description":"This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By examining the ACL, an attacker can identify accounts or roles that have access to the bucket, which can then be used to gain unauthorized access through valid credentials."},{"technique":"T1589 - Gather Victim Identity Information","reason":"By examining the ACL, an attacker could gather information about the identities (users, roles, or accounts) that have access to the bucket, which can be useful in planning further attacks."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[{"description":"Public S3 bucket through bucket ACL","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/"}],"securityImplications":"Attackers might use GetBucketAccessControlPolicy to gain unauthorized access to sensitive data stored in S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-acl --bucket TrailDiscoverBucket"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetBucketAcl"} +{"eventName":"GetBucketLogging","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns the logging status of a bucket and the permissions users have to view and modify that status.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The API call provides insights into which IAM accounts have permissions to view or modify bucket logging, aiding an attacker in identifying accounts with specific privileges."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use GetBucketLoggingStatus to identify if logging is enabled, potentially helping them avoid detection during unauthorized activities.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-logging --bucket TrailDiscoverBucket"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetBucketLogging"} +{"eventName":"GetBucketPolicy","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns the policy of a specified bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"If an adversary can access a bucket policy, it may provide insights into valid accounts or roles that can be exploited for further access."},{"technique":"T1087 - Account Discovery","reason":"By analyzing the bucket policy, an attacker can discover accounts or IAM roles that have access to the S3 bucket, which may help in escalating privileges within the environment."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use GetBucketPolicy to identify weak security policies and exploit them for unauthorized access to S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-policy --bucket TrailDiscoverBucket"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetBucketPolicy"} +{"eventName":"GetPublicAccessBlock","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Adversaries might use the GetPublicAccessBlock API call to check for misconfigurations or overly permissive settings in S3 buckets, potentially leading to unauthorized access and exploitation of valid cloud accounts."},{"technique":"T1530 - Data from Cloud Storage","reason":"Retrieving the PublicAccessBlock configuration can assist attackers in identifying S3 buckets that are misconfigured to allow public access, which may lead to unauthorized access and potential exfiltration of data from cloud storage."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use GetPublicAccessBlock to identify S3 buckets with public access for potential data breaches.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"GetBucketReplication","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns the replication configuration of a bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Accessing replication configuration details could help an adversary identify which accounts or roles have permissions related to replication, enabling targeted attacks on these accounts for unauthorized access."},{"technique":"T1036 - Masquerading","reason":"With knowledge of the replication setup, an adversary can craft actions that closely mimic legitimate activities, such as modifying replication settings, which helps them evade detection by blending in with normal operations."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use GetBucketReplication to identify replication configurations and target specific data for theft or corruption.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-replication --bucket TrailDiscoverBucket"}],"permissions":"N/A"} +{"eventName":"GetBucketTagging","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns the tag set associated with the bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1482 - Domain Trust Discovery","reason":"The GetBucketTagging API call can reveal tag information that may indicate domain or organizational trust relationships within AWS, helping adversaries understand the trust boundaries of the bucket."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"Tags may include sensitive information or classifications about the data stored in the S3 bucket, aiding attackers in prioritizing which data to exfiltrate or further target."},{"technique":"T1078 - Valid Accounts","reason":"ags retrieved from the bucket may contain information about the AWS accounts, IAM roles, or user groups with permissions, which can be used to identify potential targets for credential theft or account takeover."},{"technique":"T1087 - Account Discovery","reason":"The API call might provide insights into user or service accounts associated with the bucket through tags, allowing adversaries to identify accounts that have access to critical resources."},{"technique":"T1033 - System Owner/User Discovery","reason":"Tags could provide information about the owner of the bucket or associated resources, which could help attackers in social engineering or in targeting specific individuals or roles within the organization."},{"technique":"T1484 - Group Policy Discovery","reason":"Tags could indicate group-like configurations or policies associated with buckets, such as those related to access control or data management, offering insights into how resources are managed or accessed."}],"usedInWild":true,"incidents":[{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use GetBucketTagging to look for tags reminiscent of PII or confidential data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-tagging --bucket TrailDiscoverBucket"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetBucketTagging"} +{"eventName":"GetBucketVersioning","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns the versioning state of a bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1530 - Data from Cloud Storage Object","reason":"Understanding the versioning and MFA Delete status allows attackers to potentially collect older or deleted versions of data, which might not be available in a non-versioned setup."},{"technique":"T1078 - Valid Accounts","reason":"Attackers with valid accounts (e.g., those who have compromised credentials) may use this API call to gather information that could further their goals, such as determining the best method to evade detection or exfiltrate data."},{"technique":"T1213 - Data from Information Repositories","reason":"The versioning status of a bucket might indicate the presence of multiple versions of stored data, which attackers could access and collect as part of their broader objective of gathering information from cloud storage."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use GetBucketVersioning to identify unsecured S3 buckets with versioning disabled, making it easier to manipulate or delete data.","alerting":[],"simulation":[{"type":"commandLine","value":"aws s3api get-bucket-versioning --bucket TrailDiscoverBucket"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetBucketVersioning"} +{"eventName":"GetObject","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Retrieves an object from Amazon S3.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1048 - Exfiltration Over Alternative Protocol"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1530 - Data from Cloud Storage Object","reason":"The GetObject API call is used to retrieve data from specific objects within S3 buckets, making it essential for adversaries collecting data from cloud storage."},{"technique":"T1071 - Application Layer Protocol","reason":"The GetObject operation can be invoked over HTTPS, which is a common method for communicating with AWS services and could be used to exfiltrate data covertly."},{"technique":"T1074 - Data Staged","reason":"The GetObject operation might be part of a process where data is retrieved and temporarily stored (staged) before further processing or exfiltration."},{"technique":"T1570 - Lateral Tool Transfer","reason":"Retrieving an object that contains tools or scripts via GetObject can be part of a lateral movement strategy, where tools are transferred between compromised systems."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Incident 2 - Additional details of the attack","link":"https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus"},{"description":"Aruba Central Security Incident","link":"https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/"},{"description":"Sendtech Pte. Ltd","link":"https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en"},{"description":"GotRoot! AWS root Account Takeover","link":"https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"},{"description":"A Technical Analysis of the Capital One Cloud Misconfiguration Breach","link":"https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach"},{"description":"Chegg, Inc","link":"https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf"},{"description":"Scattered Spider Attack Analysis","link":"https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/"},{"description":"Enumerate AWS Account ID from a Public S3 Bucket","link":"https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/"},{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[{"description":"Data Exfiltration through S3 Server Access Logs","link":"https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/"},{"description":"S3 Streaming Copy","link":"https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/"}],"securityImplications":"Attackers might use GetObject to download data from S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-GetObject"} +{"eventName":"HeadObject","eventSource":"s3.amazonaws.com","awsService":"S3","description":"The HEAD operation retrieves metadata from an object without returning the object itself.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1619 - Cloud Storage Object Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1537 - Transfer Data to Cloud Account","reason":"The HeadObject API call helps verify the existence of data in S3 buckets, allowing attackers to understand what data is available for transfer or collection."},{"technique":"T1087 - Account Discovery","reason":"Attackers may use HeadObject to discover information about objects in S3 buckets, which can help identify sensitive accounts or resources within a cloud environment."},{"technique":"T1083 - File and Directory Discovery","reason":"This API call provides metadata about objects, helping attackers discover the organization and structure of files stored in S3, facilitating further actions."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"The operation assists in identifying which specific cloud storage objects might contain valuable data for exfiltration."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"By accessing metadata, attackers can infer details about the cloud infrastructure, such as object creation dates, storage classes, and more, providing insights into the environment's configuration."},{"technique":"T1557 - Service Discovery","reason":"The ability to query metadata from S3 objects can help attackers gather information about the usage and configuration of cloud services, potentially revealing misconfigurations or security weaknesses."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"researchLinks":[],"securityImplications":"Attackers might use HeadObject to gather metadata about sensitive files stored in S3.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"JobCreated","eventSource":"s3.amazonaws.com","awsService":"S3","description":"When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1560 - Archive Collected Data","reason":"An attacker could use the S3 Batch Operations to aggregate and compress large amounts of data for exfiltration, creating a job that is recorded as a JobCreated event."},{"technique":"T1074 - Data Staged","reason":"The JobCreated event indicates that data could be staged in an S3 bucket, possibly in preparation for further actions such as exfiltration."},{"technique":"T1020 - Automated Exfiltration","reason":"The job creation could be part of an automated process designed to move data out of the environment, with minimal manual intervention required once set up."},{"technique":"T1105 - Ingress Tool Transfer","reason":"A JobCreated event could be used to transfer tools or scripts into the environment, using S3 as a storage mechanism before execution."},{"technique":"T1071 - Application Layer Protocol","reason":"The Batch Operations job may involve communication over standard protocols (like HTTPS) for command and control, making it harder to detect malicious activity."},{"technique":"T1098 - Account Manipulation","reason":"Attackers may manipulate or create new accounts with the necessary permissions to execute Batch Operations jobs, facilitating unauthorized data access or exfiltration."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Exfiltrating S3 Data with Bucket Replication Policies","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"securityImplications":"Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"ListBuckets","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns a list of all buckets owned by the authenticated sender of the request.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"he ListBuckets API call helps identify the scope of an AWS account by revealing all S3 buckets owned by the account, giving insight into the account's cloud resources."},{"technique":"T1530 - Data from Cloud Storage Object","reason":"Once buckets are listed, attackers can target specific buckets for data extraction, which is critical for both understanding and potentially exfiltrating data stored in the cloud."},{"technique":"T1078 - Valid Accounts","reason":"The ability to list buckets verifies that the credentials used have sufficient permissions, which can inform the attacker about the level of access they have and what actions they can perform."},{"technique":"T1082 - System Information Discovery","reason":"By listing buckets, attackers can gather information about the organization of data and system configurations within the cloud environment, indirectly giving insight into how the cloud infrastructure is managed."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING","link":"https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/"},{"description":"UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR","link":"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"},{"description":"A Technical Analysis of the Capital One Cloud Misconfiguration Breach","link":"https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach"},{"description":"Enumerate AWS Account ID from a Public S3 Bucket","link":"https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"},{"description":"Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use ListAllMyBuckets to identify potential targets for data breaches or unauthorized access.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"}],"simulation":[{"type":"commandLine","value":"aws s3api list-buckets --query \"Buckets[].Name\""},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"}],"permissions":"N/A"} +{"eventName":"ListObjects","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Returns some or all (up to 1,000) of the objects in a bucket.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1619 - Cloud Storage Object Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1083 - File and Directory Discovery","reason":"Even though directory buckets are not supported, ListObjects allows an attacker to discover the contents and structure of an S3 bucket by listing objects."},{"technique":"T1213 - Data from Information Repositories","reason":"The ListObjects call enables the retrieval of data stored within S3 buckets, which are often utilized as information repositories."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"},{"description":"Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}],"researchLinks":[],"securityImplications":"Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"ListVaults","eventSource":"glacier.amazonaws.com","awsService":"S3","description":"This operation lists all vaults owned by the calling user\u2019s account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1619 - Cloud Storage Object Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1530 - Data from Cloud Storage Object","reason":"The ListVaults API call is used to enumerate all vaults within S3 Glacier, which could help an attacker identify potential storage locations for exfiltration."},{"technique":"T1087 - Account Discovery","reason":"Listing vaults provides insight into the structure and ownership of cloud storage resources, which can be useful for discovering cloud accounts and identifying valuable targets."},{"technique":"T1213 - Data from Information Repositories","reason":"The API call can be used to list and access data stored in vaults, which may be part of broader data collection or exfiltration efforts."},{"technique":"T1078 - Valid Accounts","reason":"Understanding the vaults associated with an account can inform attackers about which accounts manage sensitive data, potentially guiding further credential access attempts."}],"usedInWild":true,"incidents":[{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"}],"researchLinks":[],"securityImplications":"Attackers might use ListVaults to identify data such as archived training data or related datasets.","alerting":[],"simulation":[{"type":"commandLine","value":"aws glacier list-vaults --account-id -"}],"permissions":"https://aws.permissions.cloud/iam/glacier#glacier-ListVaults"} +{"eventName":"PutBucketAcl","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Sets the permissions on an existing bucket using access control lists (ACL).","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1048 - Exfiltration Over Alternative Protocol"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Adjusting the ACL to include additional accounts or groups can provide persistent access to unauthorized entities, allowing the adversary to maintain control over the resource."},{"technique":"T1548 - Abuse Elevation Control Mechanism","reason":"By setting the ACL with more permissive controls, an attacker could elevate their access privileges, gaining the ability to perform actions beyond their intended scope."},{"technique":"T1562 - Impair Defenses","reason":"Modifying ACLs can be used to prevent security tools or monitoring from detecting malicious actions by restricting access to logging or alerting services."},{"technique":"T1070 - Indicator Removal","reason":"Changing ACLs can serve to obscure evidence of unauthorized access or changes by modifying who has visibility into the bucket, thereby evading detection."},{"technique":"T1036 - Masquerading","reason":"An attacker can alter the ACL to make unauthorized access appear as legitimate traffic, thus avoiding suspicion and detection."},{"technique":"T1531 - Account Access Removal","reason":"Adjusting the ACL could be used to remove legitimate access to a bucket, effectively denying access to authorized users while maintaining control over the resource."},{"technique":"T1098 - Account Manipulation","reason":"The ability to modify ACLs directly correlates with manipulating which accounts have what level of access to a resource, aligning with broader account manipulation strategies."},{"technique":"T1199 - Trusted Relationship","reason":"If an attacker modifies ACLs to include entities that are typically trusted, this can facilitate initial access through a trusted relationship, leveraging the trust model to gain unauthorized access."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS S3 Bucket ACL made public","link":"https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/"}],"securityImplications":"Attackers might use SetBucketAccessControlPolicy to modify access control lists, potentially granting unauthorized access to S3 buckets.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}],"simulation":[{"type":"commandLine","value":"aws s3api put-bucket-acl --bucket TrailDiscoverBucket --acl TrailDiscoverAcl"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-PutBucketAcl"} +{"eventName":"PutBucketLifecycle","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1485 - Data Destruction"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1562 - Impair Defenses","reason":"An attacker could manipulate lifecycle configurations to delete, transition, or obscure data, effectively impairing defensive mechanisms by reducing the visibility or availability of critical data."},{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Manipulating lifecycle configurations could facilitate the movement of data to different storage locations or accounts, enabling data exfiltration or staging of information."},{"technique":"T1486 - Data Encrypted for Impact","reason":"Lifecycle configurations could be altered to move data into encrypted storage, rendering it inaccessible as a form of impact, effectively denying access to the legitimate users."},{"technique":"T1027 - Obfuscated Files or Information","reason":"An attacker might adjust lifecycle configurations to archive or obscure files, making them harder to detect or stage them for later exfiltration, thus evading detection."}],"usedInWild":true,"incidents":[{"description":"USA VS Nickolas Sharp","link":"https://www.justice.gov/usao-sdny/press-release/file/1452706/dl"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use PutBucketLifecycle to add a lifecycle that deletes data after one day.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}],"simulation":[{"type":"commandLine","value":"aws s3api put-bucket-lifecycle --bucket my-bucket --lifecycle-configuration '{\"Rules\":[{\"ID\":\"\",\"Status\": \"Enabled\", \"Prefix\": \"TrailDiscover/\"}]}'"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule"}],"permissions":"N/A"} +{"eventName":"PutBucketPolicy","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Applies an Amazon S3 bucket policy to an Amazon S3 bucket.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1048 - Exfiltration Over Alternative Protocol"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1567 - Exfiltration Over Web Service","reason":"A malicious policy could allow an attacker to exfiltrate data from an S3 bucket to an external location."},{"technique":"T1550 - Use Alternate Authentication Material","reason":"An attacker might leverage the modified bucket policy to maintain access via alternate authentication methods, such as session tokens or identity federation mechanisms."},{"technique":"T1531 - Account Access Removal","reason":"Attackers can modify a bucket policy to revoke access from certain users or roles, making it difficult for legitimate users to regain control over the resource."},{"technique":"T1098 - Account Manipulation","reason":"Modifying the bucket policy can directly alter the permissions and access rights of various accounts, effectively manipulating who has control over the S3 resources."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Detecting and removing risky actions out of your IAM security policies","link":"https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}],"securityImplications":"Attackers might use PutBucketPolicy to modify bucket permissions, potentially allowing unauthorized access to sensitive data.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}],"simulation":[{"type":"commandLine","value":"aws s3api put-bucket-policy --bucket TrailDiscover --policy {}"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-PutBucketPolicy"} +{"eventName":"PutBucketReplication","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Creates a replication configuration or replaces an existing one.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"The ability to modify or create replication configurations can be used to ensure that critical data is continuously replicated to an attacker-controlled bucket, maintaining persistence even if access controls are modified or removed."},{"technique":"T1562 - Impair Defenses","reason":"An attacker could misuse the replication configuration to redirect logs or other monitoring data away from security tools, effectively evading detection and disabling defenses."},{"technique":"T1020 - Automated Exfiltration","reason":"By setting up replication to an external or unauthorized S3 bucket, an attacker can automatically exfiltrate data, transferring large volumes without direct manual intervention."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Exfiltrating S3 Data with Bucket Replication Policies","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"securityImplications":"Attackers might use PutBucketReplication to replicate sensitive data to unauthorized S3 buckets controlled by the attacker.","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-8"}],"simulation":[{"type":"commandLine","value":"aws s3api put-bucket-replication --bucket AWSDOC-EXAMPLE-BUCKET1 --replication-configuration '{\"Role\":\"\",\"Rules\":[]}'"}],"permissions":"N/A"} +{"eventName":"PutBucketVersioning","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Sets the versioning state of an existing bucket.","mitreAttackTactics":["TA0040 - Impact","TA0010 - Exfiltration"],"mitreAttackTechniques":["T1490 - Inhibit System Recovery","T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"If an attacker suspends versioning, they could delete IAM policies or credentials stored in S3, making recovery of previous versions impossible, thereby preventing account recovery."},{"technique":"T1070 - Indicator Removal","reason":"An attacker might disable versioning or enable it without MFA Delete, which allows them to delete or overwrite objects in a way that removes evidence of their activity, complicating forensic investigation."},{"technique":"T1488 - Data Destruction","reason":"If an attacker sets an object expiration lifecycle in a version-enabled bucket and suspends versioning, they could effectively destroy all noncurrent object versions over time, leading to the loss of data."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"}],"researchLinks":[{"description":"Exfiltrating S3 Data with Bucket Replication Policies","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"}],"securityImplications":"Attackers might set the versioning to 'Suspended' before deleting data. Attackers might enable versioning to add bucket replication to exfiltrate data.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml"}],"simulation":[{"type":"commandLine","value":"aws s3api put-bucket-versioning --bucket TrailDiscoverBucket --versioning-configuration Status=Enabled"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-PutBucketVersioning"} +{"eventName":"PutObject","eventSource":"s3.amazonaws.com","awsService":"S3","description":"Adds an object to a bucket.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1565 - Data Manipulation"],"mitreAttackSubTechniques":["T1565.001 - Data Manipulation: Stored Data Manipulation"],"unverifiedMitreAttackTechniques":[{"technique":"T1074 - Data Staged","reason":"The PutObject API call can be used to store objects in S3 as a staging area for data that might be collected or processed before exfiltration or further use."},{"technique":"T1070 - Indicator Removal","reason":"Attackers can use PutObject to overwrite existing objects with benign data or to modify metadata, helping to conceal malicious activity by removing indicators of compromise within cloud storage."},{"technique":"T1105 - Ingress Tool Transfer","reason":"The PutObject API can be used to transfer tools or malicious binaries into an S3 bucket, facilitating their retrieval and execution elsewhere in the environment."},{"technique":"T1036 - Masquerading","reason":"Attackers could upload objects with names or metadata that mimic legitimate files using the PutObject API, making malicious content harder to detect."},{"technique":"T1485 - Data Destruction","reason":"The PutObject API could be used to overwrite critical objects, leading to data loss or destruction, particularly if previous versions are not preserved."},{"technique":"T1027 - Obfuscated Files or Information","reason":"Attackers can use PutObject to upload files containing hidden or obfuscated data (e.g., within images), supporting defense evasion."},{"technique":"T1570 - Lateral Tool Transfer","reason":"Objects added to an S3 bucket via PutObject can be used to transfer tools or payloads across different cloud environments, supporting lateral movement within compromised infrastructure."}],"usedInWild":true,"incidents":[{"description":"Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020","link":"https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020"},{"description":"LA Times homicide website throttles cryptojacking attack","link":"https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack"}],"researchLinks":[],"securityImplications":"Attackers might use PutObject to upload malicious content or overwrite existing files in S3 buckets.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/s3#s3-PutObject"} +{"eventName":"CreateEmailIdentity","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1583 - Acquire Infrastructure","reason":"Verifying an email identity or domain is part of acquiring the necessary infrastructure for sending emails, which could be used for malicious activities such as phishing or command and control."},{"technique":"T1078 - Valid Accounts","reason":"The verification of an email identity, especially when using DKIM, helps establish a legitimate-looking account or service that can be exploited for malicious purposes."},{"technique":"T1566 - Phishing","reason":"The verified email identity or domain can be utilized to send phishing emails, leveraging the trust established by a verified and legitimate-looking sender address or domain."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sesv2 create-email-identity --email-identity cloudtrail.cloud"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity"} +{"eventName":"DeleteIdentity","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Deletes the specified identity (an email address or a domain) from the list of verified identities.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1578 - Modify Cloud Compute Infrastructure","T1070 - Indicator Removal"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1531 - Account Access Removal","reason":"Deleting an email address or domain from the list of verified identities can remove access for legitimate users, thereby evading detection by disrupting normal email flows and alert mechanisms that rely on these identities."},{"technique":"T1485 - Data Destruction","reason":"Deleting a verified identity can disrupt communication channels, especially if the identity is tied to critical email systems, effectively leading to the destruction of necessary operational data."},{"technique":"T1499 - Endpoint Denial of Service","reason":"This operation could contribute to a denial of service by removing a critical identity that is required for sending emails, thus halting communication or alerting capabilities within the affected system."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use DeleteIdentity to disrupt email sending capabilities or delete an identity previously used attackers.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_delete_identity.yml"}],"simulation":[{"type":"commandLine","value":"aws ses delete-identity --identity TrailDiscoverIdentity"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-DeleteIdentity"} +{"eventName":"GetAccount","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"By obtaining information about the SES account, attackers can identify if an account is enabled for sending emails, aiding in the identification of valid accounts for unauthorized access."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"The GetAccount API call allows an attacker to gather information related to the cloud infrastructure's email capabilities, essential for understanding the cloud environment and planning further malicious activities."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use GetAccount to gather sensitive information about the AWS SES account for malicious purposes.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sesv2 get-account"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-GetAccount"} +{"eventName":"GetAccountSendingEnabled","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Returns the email sending status of the Amazon SES account for the current Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"By querying the SES email sending status, attackers can learn whether the service is configured and operational, revealing critical details about the cloud environment's setup."},{"technique":"T1590 - Gather Victim Identity Information","reason":"Understanding the email sending status through GetAccountSendingEnabled may provide insights into associated email addresses or domains, which can be used for further reconnaissance activities."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"securityImplications":"Attackers might use GetAccountSendingEnabled to identify if an AWS account's email sending capabilities are enabled, potentially exploiting it for spamming or phishing activities.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses get-account-sending-enabled"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-GetAccountSendingEnabled"} +{"eventName":"GetIdentityVerificationAttributes","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1589 - Gather Victim Identity Information","reason":"The API can be used to verify the status of email addresses, enabling attackers to identify active and valid email addresses that may be targeted for social engineering or phishing attacks."},{"technique":"T1078 - Valid Accounts","reason":"Access to this API could indicate that an attacker has compromised cloud credentials, allowing them to monitor or manipulate email verification statuses, potentially leading to further unauthorized access."}],"usedInWild":true,"incidents":[{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[],"securityImplications":"Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes"} +{"eventName":"GetSendQuota","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Provides the sending limits for the Amazon SES account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The GetSendQuota API call can be used to determine the current email sending limits of an account, which is a form of system information that could help an adversary understand the operational capabilities of the target environment."},{"technique":"T1602 - Gather Victim Host Information","reason":"By using GetSendQuota, an attacker could gather details about the SES service's capacity and limitations, which is part of understanding the victim's resources."},{"technique":"T1580 - Cloud Service Discovery","reason":"This API call allows adversaries to discover details about the cloud services in use (SES in this case), contributing to broader cloud service reconnaissance."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers use GetSendQuota to assess the email sending capacity of an AWS account, potentially planning persistent spam or phishing campaigns by identifying limits they can exploit or escalate.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses get-send-quota"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-GetSendQuota"} +{"eventName":"ListIdentities","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The ListIdentities API might help an attacker identify valid cloud accounts or identities to target for subsequent attacks, such as trying to access these accounts using stolen or guessed credentials."},{"technique":"T1033 - System Owner/User Discovery","reason":"Identifying system owners or users based on the listed identities can help attackers target specific accounts or tailor attacks based on the roles of those users."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers use ListIdentities from SES to enumerate email addresses or domains verified under the AWS account.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses list-identities --identity-type \"EmailAddress\""}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-ListIdentities"} +{"eventName":"UpdateAccountSendingEnabled","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Enables or disables email sending across your entire Amazon SES account in the current AWS Region.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Disabling email sending can help evade detection by preventing the generation of SES-based alerts or logs that might indicate malicious activities."},{"technique":"T1562 - Impair Defenses","reason":"An attacker could use this API call to disable email sending, potentially preventing security teams from receiving critical alerts and impairing the defenses of the environment."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[],"securityImplications":"Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses update-account-sending-enabled"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled"} +{"eventName":"VerifyEmailIdentity","eventSource":"ses.amazonaws.com","awsService":"SES","description":"Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":" By verifying an email address, an adversary might create a valid cloud account identity that could be used in subsequent malicious activities, making it appear as if actions are being carried out by a legitimate user."},{"technique":"T1588 - Obtain Capabilities","reason":"Adversaries could use the API to validate an email identity, thereby acquiring a tool or resource that can be utilized in future phishing or spamming campaigns."}],"usedInWild":true,"incidents":[{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"}],"researchLinks":[],"securityImplications":"Attackers might use VerifyEmailIdentity to send phishing emails or spam from a verified email address.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ses verify-email-identity --email-address TrailDiscoverEmail"}],"permissions":"https://aws.permissions.cloud/iam/ses#ses-VerifyEmailIdentity"} +{"eventName":"GetSMSAttributes","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Returns the settings for sending SMS messages from your AWS account.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The GetSMSAttributes call can reveal details about the SMS configuration, including regions, usage patterns, and sender IDs, providing an attacker with valuable information about the environment."}],"usedInWild":true,"incidents":[{"description":"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS","link":"https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"},{"description":"Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use GetSMSAttributes to retrieve sensitive SMS configuration details for potential usage for smishing.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sns get-sms-attributes --attributes TrailDiscoverAttributes"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-GetSMSAttributes"} +{"eventName":"GetSMSSandboxAccountStatus","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"This API call allows an adversary to determine the SMS sandbox status, which can reveal if an AWS account is still in a test phase or if it's been moved to production, indicating how the account might be used or targeted."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"}],"researchLinks":[{"description":"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS","link":"https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}],"securityImplications":"Attackers might use GetSMSSandboxAccountStatus to monitor the status of a target's AWS SNS sandbox account for potential usage for smishing.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sns get-sms-sandbox-account-status"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-GetSMSSandboxAccountStatus"} +{"eventName":"ListOriginationNumbers","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Lists the calling AWS account's dedicated origination numbers and their metadata.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The ListOriginationNumbers API call provides information on the account's SMS origination numbers, which could help an adversary discover and map out cloud resources associated with the account."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS","link":"https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}],"securityImplications":"Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sns list-origination-numbers"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers"} +{"eventName":"ListSubscriptions","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Lists the calling AWS account's dedicated origination numbers and their metadata.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts."},{"technique":"T1007 - System Service Discovery","reason":"The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS","link":"https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}],"securityImplications":"Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sns list-subscriptions"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions"} +{"eventName":"ListTopics","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Returns a list of the requester's topics.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"An attacker could use ListSubscriptions to enumerate all subscriptions associated with SNS topics, providing insight into the AWS environment and identifying active accounts."},{"technique":"T1007 - System Service Discovery","reason":"The information retrieved via ListSubscriptions can reveal details about services in the AWS environment, helping an attacker understand available resources and configurations."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS","link":"https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/"}],"securityImplications":"Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sns list-topics"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-ListTopics"} +{"eventName":"Publish","eventSource":"sns.amazonaws.com","awsService":"SNS","description":"Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1071 - Application Layer Protocol","reason":"The SNS Publish API can send messages using common application layer protocols such as HTTPS. This can be used for command and control communication by sending instructions or payloads to subscribed endpoints in a covert manner."},{"technique":"T1537 - Transfer Data to Cloud Account","reason":"Attackers can use SNS to exfiltrate data by sending it as a message to a subscribed endpoint, which may belong to an external cloud account controlled by the adversary."},{"technique":"T1090 - Proxy","reason":"The SNS service can act as a relay for communications, allowing attackers to hide the true source and destination of their messages by using SNS as an intermediary, which can evade detection mechanisms."},{"technique":"T1020 - Automated Exfiltration","reason":"By automating the use of SNS Publish to regularly send messages containing exfiltrated data to external endpoints, attackers can maintain a consistent and automated exfiltration channel."}],"usedInWild":true,"incidents":[{"description":"Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"},{"description":"Cloud Security Stories: From Risky Permissions to Ransomware Execution","link":"https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/"}],"researchLinks":[],"securityImplications":"Attackers might use Publish for smishing campaigns.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/sns#sns-Publish"} +{"eventName":"DescribeInstanceInformation","eventSource":"ssm.amazonaws.com","awsService":"SSM","description":"Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1580 - Cloud Infrastructure Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The API retrieves comprehensive details about the managed nodes, including platform name, version, and agent status, which helps in understanding the target system."},{"technique":"T1078 - Valid Accounts","reason":"The IAM role associated with each managed node can be analyzed to identify and potentially exploit valid credentials, leading to unauthorized access."},{"technique":"T1018 - Remote System Discovery","reason":"IP addresses and system information can be used to discover and map out other systems within the network environment."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds"}],"permissions":"https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation"} +{"eventName":"GetParameters","eventSource":"ssm.amazonaws.com","awsService":"SSM","description":"Get information about one or more parameters by specifying multiple parameter names.","mitreAttackTactics":["TA0007 - Discovery","TA0006 - Credential Access"],"mitreAttackTechniques":["T1526 - Cloud Service Discovery","T1552 - Unsecured Credentials"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1552 - Unsecured Credentials","reason":"The GetParameters API, particularly with decryption enabled, can be used to retrieve sensitive credentials if they are stored in the SSM Parameter Store. This can expose API keys, passwords, or other authentication materials."},{"technique":"T1082 - System Information Discovery","reason":"By using GetParameters, an attacker can gather configuration and environment details stored in the parameters, aiding in system information discovery."},{"technique":"T1078 - Valid Accounts","reason":"If parameter values include credentials or tokens, the attacker could use them to access valid accounts, facilitating further malicious activity."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Detecting and removing risky actions out of your IAM security policies","link":"https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}],"securityImplications":"Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ssm get-parameters --names TrailDiscoverParameters"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters"}],"permissions":"https://aws.permissions.cloud/iam/ssm#ssm-GetParameters"} +{"eventName":"ResumeSession","eventSource":"ssm.amazonaws.com","awsService":"SSM","description":"Reconnects a session to a managed node after it has been disconnected.","mitreAttackTactics":["TA0008 - Lateral Movement","TA0002 - Execution"],"mitreAttackTechniques":["T1021 - Remote Services","T1651 - Cloud Administration Command"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Attackers can use valid credentials to reconnect to a previously disconnected session, allowing them to maintain persistent access to a system without re-authenticating."},{"technique":"T1105 - Ingress Tool Transfer","reason":"By reconnecting to an active session, attackers can continue to upload malicious tools or scripts to the managed node without needing to initiate a new session, facilitating ongoing exploitation."},{"technique":"T1071 - Application Layer Protocol","reason":"The reconnection process uses HTTPS, allowing attackers to maintain an encrypted communication channel, which could be used for executing commands or transferring data during the resumed session."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use ResumeSession to gain unauthorized access to managed instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ssm resume-session --session-id TrailDiscoverTarget"}],"permissions":"https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"} +{"eventName":"SendCommand","eventSource":"ssm.amazonaws.com","awsService":"SSM","description":"Runs commands on one or more managed nodes.","mitreAttackTactics":["TA0008 - Lateral Movement","TA0002 - Execution"],"mitreAttackTechniques":["T1021 - Remote Services","T1651 - Cloud Administration Command"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"The SendCommand API is designed to execute commands on managed nodes, which directly involves the use of command and scripting interpreters to run scripts or commands."},{"technique":"T1053 - Scheduled Task/Job","reason":"The SendCommand API can be used to create or modify scheduled tasks on managed nodes, enabling the execution of commands at specified times, which is essential for maintaining persistence."},{"technique":"T1105 - Ingress Tool Transfer","reason":"Attackers can use SendCommand to download and execute additional tools or payloads on the managed nodes, which is directly relevant to executing commands that facilitate further compromise."},{"technique":"T1569 - System Services","reason":"The SendCommand API can start, stop, or restart system services on managed nodes, allowing for the execution of commands that may serve various purposes, including persistence or privilege escalation."}],"usedInWild":true,"incidents":[{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"Run Shell Commands on EC2 with Send Command or Session Manager","link":"https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"},{"description":"Attack Paths Into VMs in the Cloud","link":"https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"}],"securityImplications":"Attackers might use SendCommand to execute malicious commands on managed instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ssm send-command --instance-ids \"TrailDiscoverInstanceID\" --document-name \"AWS-RunShellScript\" --parameters commands=ls --output text"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command"}],"permissions":"https://aws.permissions.cloud/iam/ssm#ssm-SendCommand"} +{"eventName":"StartSession","eventSource":"ssm.amazonaws.com","awsService":"SSM","description":"Initiates a connection to a target (for example, a managed node) for a Session Manager session.","mitreAttackTactics":["TA0008 - Lateral Movement","TA0002 - Execution"],"mitreAttackTechniques":["T1021 - Remote Services","T1651 - Cloud Administration Command"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1059 - Command and Scripting Interpreter","reason":"The StartSession API allows for establishing a session where commands can be executed on the managed node through a command-line interface. This enables direct interaction with the system, facilitating the execution of scripts or commands remotely."},{"technique":"T1078 - Valid Accounts","reason":"The StartSession API requires valid credentials and an authenticated token to initiate a session, allowing access to managed nodes. Attackers with compromised credentials can exploit this to gain unauthorized access to systems."},{"technique":"T1071 - Application Layer Protocol","reason":"The StartSession API uses WebSocket connections over HTTPS, enabling communication with the managed node. This can be leveraged to disguise command and control traffic within regular web traffic, making detection more challenging."}],"usedInWild":true,"incidents":[{"description":"Navigating the Cloud: Exploring Lateral Movement Techniques","link":"https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"}],"researchLinks":[{"description":"Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident","link":"https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide"},{"description":"Run Shell Commands on EC2 with Send Command or Session Manager","link":"https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"}],"securityImplications":"Attackers might use StartSession to gain unauthorized access to managed instances.","alerting":[],"simulation":[{"type":"commandLine","value":"aws ssm start-session --target TrailDiscoverTarget"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session"}],"permissions":"https://aws.permissions.cloud/iam/ssm#ssm-StartSession"} +{"eventName":"DescribeSecret","eventSource":"secretsmanager.amazonaws.com","awsService":"SecretsManager","description":"Retrieves the details of a secret.","mitreAttackTactics":["TA0006 - Credential Access"],"mitreAttackTechniques":["T1555 - Credentials from Password Stores"],"mitreAttackSubTechniques":["T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores"],"unverifiedMitreAttackTechniques":[{"technique":"T1087 - Account Discovery","reason":"The API call could reveal metadata about the secret, including associated AWS accounts or services, contributing to account discovery."},{"technique":"T1552 - Unsecured Credentials","reason":"Although the secret value is not retrieved, the API may still provide information about the existence and purpose of certain credentials, which could be used to find unsecured credentials elsewhere"},{"technique":"T1580 - Cloud Storage Object Discovery","reason":"Information revealed by the API could point to cloud storage objects associated with the secret, helping to identify and potentially target cloud resources."},{"technique":"T1078 - Valid Accounts","reason":"Metadata obtained might give clues about the existence of valid accounts, which could be useful in further attempts to gain unauthorized access."},{"technique":"T1213 - Data from Information Repositories","reason":"Even without the secret value, information from the API could reveal details about data repositories or services that are secured by the secret, which could be exploited in further attacks."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.","alerting":[],"simulation":[{"type":"commandLine","value":"aws secretsmanager describe-secret --secret-id TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret"} +{"eventName":"GetSecretValue","eventSource":"secretsmanager.amazonaws.com","awsService":"SecretsManager","description":"Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.","mitreAttackTactics":["TA0006 - Credential Access"],"mitreAttackTechniques":["T1555 - Credentials from Password Stores"],"mitreAttackSubTechniques":["T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores"],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"Attackers can use retrieved secrets to log into cloud accounts or services, expanding their control over the cloud environment."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"Accessing secrets via GetSecretValue provides insights into cloud resource configurations and other details useful for discovering and mapping the cloud infrastructure."},{"technique":"T1082 - System Information Discovery","reason":"Retrieving secrets may give attackers information about the system, such as environment configurations, which helps them understand the environment they are targeting."}],"usedInWild":true,"incidents":[{"description":"LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD","link":"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"},{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.","alerting":[],"simulation":[{"type":"commandLine","value":"aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets"}],"permissions":"https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue"} +{"eventName":"ListSecrets","eventSource":"secretsmanager.amazonaws.com","awsService":"SecretsManager","description":"Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.","mitreAttackTactics":["TA0006 - Credential Access"],"mitreAttackTechniques":["T1555 - Credentials from Password Stores"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1526 - Cloud Service Discovery","reason":"The ListSecrets API call allows an attacker to enumerate stored secrets within the AWS environment, facilitating discovery of sensitive information or configurations."},{"technique":"T1552 - Unsecured Credentials","reason":"An attacker listing secrets might identify credentials stored within Secrets Manager, which could lead to unauthorized access if those credentials are not properly secured or rotated."},{"technique":"T1078 - Valid Accounts","reason":"By listing secrets, an attacker could discover credentials for valid accounts stored in Secrets Manager, which could then be used to gain unauthorized access to services or resources."},{"technique":"T1036 - Masquerading","reason":"An attacker could use discovered secrets to masquerade as legitimate tasks or services, blending in with normal operations to avoid detection."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[],"securityImplications":"Attackers might use ListSecrets to list all the secrets and potentially access to them later.","alerting":[],"simulation":[{"type":"commandLine","value":"aws secretsmanager list-secrets"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets"}],"permissions":"https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets"} +{"eventName":"AssumeRole","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns a set of temporary security credentials that you can use to access AWS resources.","mitreAttackTactics":["TA0001 - Initial Access","TA0003 - Persistence","TA0004 - Privilege Escalation"],"mitreAttackTechniques":["T1199 - Trusted Relationship","T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts"],"unverifiedMitreAttackTechniques":[],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Trouble in Paradise","link":"https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"}],"researchLinks":[{"description":"Role Chain Juggling","link":"https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/"},{"description":"Detecting and removing risky actions out of your IAM security policies","link":"https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"}],"securityImplications":"Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-AssumeRole"} +{"eventName":"AssumeRoleWithSAML","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.","mitreAttackTactics":["TA0001 - Initial Access"],"mitreAttackTechniques":["T1199 - Trusted Relationship"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The AssumeRoleWithSAML API call allows attackers to use valid SAML assertions to gain temporary access to AWS resources, enabling them to gain initial access, maintain persistence, or escalate privileges."},{"technique":"T1071 - Application Layer Protocol","reason":"Since SAML authentication typically uses web-based protocols, attackers can use the AssumeRoleWithSAML API call to blend in with legitimate web traffic, making their actions harder to detect."},{"technique":"T1550 - Use Alternate Authentication Material","reason":"By using SAML tokens via the AssumeRoleWithSAML API, attackers can authenticate to AWS services without traditional credentials, assisting in defense evasion."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS - STS Privesc","link":"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc"}],"securityImplications":"Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"}],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML"} +{"eventName":"AssumeRoleWithWebIdentity","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.","mitreAttackTactics":["TA0001 - Initial Access","TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1199 - Trusted Relationship","T1550 - Use Alternate Authentication Material"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The AssumeRoleWithWebIdentity API allows an attacker to gain valid temporary AWS credentials through a web identity provider, enabling them to access AWS services with authenticated permissions."},{"technique":"T1505 - Server Software Component","reason":"If an attacker has compromised a web application, they can use the AssumeRoleWithWebIdentity API to escalate privileges or maintain persistence by obtaining temporary credentials."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk","link":"https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/"}],"securityImplications":"Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity"} +{"eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns details about the IAM user or role whose credentials are used to call the operation.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":["T1087.004 - Account Discovery: Cloud Account"],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"The GetCallerIdentity API call provides detailed information about the IAM user or role making the request, enabling an attacker to understand the current access context and tailor subsequent actions based on available permissions."},{"technique":"T1078 - Valid Accounts","reason":"By successfully calling GetCallerIdentity, an attacker can confirm that a set of credentials is valid and active, which is essential for leveraging these credentials to access additional resources within the AWS environment."},{"technique":"T1550 - Use Alternate Authentication Material","reason":"Attackers can use stolen or compromised credentials to invoke GetCallerIdentity, verifying the legitimacy and scope of these credentials without needing specific permissions, aiding in maintaining unauthorized access."},{"technique":"T1580 - Cloud Infrastructure Discovery","reason":"The information retrieved can help map out aspects of the cloud environment, such as account numbers and associated roles, providing insight necessary for further reconnaissance and targeted attacks."}],"usedInWild":true,"incidents":[{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"GotRoot! AWS root Account Takeover","link":"https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1"},{"description":"Compromised Cloud Compute Credentials: Case Studies From the Wild","link":"https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"},{"description":"Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/"},{"description":"Detecting AI resource-hijacking with Composite Alerts","link":"https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"},{"description":"New attack vectors in EKS","link":"https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features"},{"description":"Enumerate AWS Account ID from an EC2 Instance","link":"https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/"}],"securityImplications":"Attackers might use GetCallerIdentity to know what user or role are they using. This request does not need any permission.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sts get-caller-identity"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity"} +{"eventName":"GetFederationToken","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.","mitreAttackTactics":["TA0003 - Persistence"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1550 - Use Alternate Authentication Material","reason":"The temporary credentials provided by GetFederationToken can serve as alternate authentication tokens, enabling access to various AWS services without relying on long-term credentials, thereby aiding in defense evasion."},{"technique":"T1212 - Exploitation for Credential Access","reason":"An attacker with access to the credentials of an IAM user could exploit GetFederationToken to generate new credentials, which can be used to escalate their privileges or access other resources."},{"technique":"T1134 - Access Token Manipulation","reason":"Similar to manipulating access tokens, attackers can use GetFederationToken to create temporary sessions that spoof legitimate access patterns, aiding in evasion and unauthorized access."}],"usedInWild":true,"incidents":[{"description":"How Adversaries Can Persist with AWS User Federation","link":"https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"},{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"},{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[{"description":"Create a Console Session from IAM Credentials","link":"https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"},{"description":"Survive Access Key Deletion with sts:GetFederationToken","link":"https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"}],"securityImplications":"Attackers might use GetFederationToken to gain temporary access credentials.","alerting":[],"simulation":[{"type":"commandLine","value":"aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-GetFederationToken"} +{"eventName":"GetSessionToken","eventSource":"sts.amazonaws.com","awsService":"STS","description":"Returns a set of temporary credentials for an AWS account or IAM user.","mitreAttackTactics":["TA0001 - Initial Access"],"mitreAttackTechniques":["T1199 - Trusted Relationship"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The GetSessionToken API call generates temporary credentials that can be used as valid accounts, allowing an adversary to bypass certain security measures by leveraging these temporary credentials."},{"technique":"T1550 - Use Alternate Authentication Material","reason":"The temporary credentials from GetSessionToken can act as alternative authentication material, enabling attackers to maintain access without the need to use the compromised long-term credentials again, thus evading certain detection mechanisms."}],"usedInWild":true,"incidents":[{"description":"New tactics and techniques for proactive threat detection","link":"https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"}],"researchLinks":[{"description":"AWS STS GetSessionToken Abuse","link":"https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html"}],"securityImplications":"Attackers might use GetSessionToken to obtain temporary access credentials.","alerting":[{"type":"sigma","value":"https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"}],"simulation":[{"type":"commandLine","value":"aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456"}],"permissions":"https://aws.permissions.cloud/iam/sts#sts-GetSessionToken"} +{"eventName":"ListServiceQuotas","eventSource":"servicequotas.amazonaws.com","awsService":"ServiceQuotas","description":"Lists the applied quota values for the specified AWS service.","mitreAttackTactics":["TA0007 - Discovery"],"mitreAttackTechniques":["T1087 - Account Discovery"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1082 - System Information Discovery","reason":"Listing service quotas provides detailed information about the configuration and resource limits within an AWS environment. This information helps attackers understand the system's structure, enabling them to identify potential areas for exploitation or further reconnaissance."},{"technique":"T1069 - Permission Groups Discovery","reason":"Filtering by account or resource level when retrieving quotas may expose details about which permissions are associated with different accounts or roles."},{"technique":"T1007 - System Service Discovery","reason":"Listing quotas can reveal which AWS services are in use and their configurations, helping attackers map out the environment and understand what services are available."}],"usedInWild":true,"incidents":[{"description":"Ransomware in the cloud","link":"https://www.invictus-ir.com/news/ransomware-in-the-cloud"},{"description":"SES-PIONAGE","link":"https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/"}],"researchLinks":[{"description":"Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild","link":"https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/"}],"securityImplications":"Attackers might use ListServiceQuotas to identify potential services to exploit by understanding their usage limits.","alerting":[],"simulation":[{"type":"commandLine","value":"aws service-quotas list-service-quotas --service-code TrailDiscoverServiceCode"}],"permissions":"https://aws.permissions.cloud/iam/servicequotas#servicequotas-ListServiceQuotas"} +{"eventName":"RequestServiceQuotaIncrease","eventSource":"servicequotas.amazonaws.com","awsService":"ServiceQuotas","description":"Submits a quota increase request for the specified quota at the account or resource level.","mitreAttackTactics":["TA0040 - Impact"],"mitreAttackTechniques":["T1496 - Resource Hijacking"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1583 - Acquire Infrastructure","reason":"The API allows for requesting additional resources, enabling the attacker to develop infrastructure needed for further malicious activities."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"}],"researchLinks":[],"securityImplications":"Attackers might use RequestServiceQuotaIncrease to increase the quotas and so resource hijacking will have a bigger impact.","alerting":[],"simulation":[{"type":"commandLine","value":"aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-20F13EBD --desired-value 2"}],"permissions":"https://aws.permissions.cloud/iam/servicequotas#servicequotas-RequestServiceQuotaIncrease"} +{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","awsService":"SignIn","description":"This is the CloudTrail event generated when you sign-in.","mitreAttackTactics":["TA0001 - Initial Access"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts"],"unverifiedMitreAttackTechniques":[{"technique":"T1199 - Trusted Relationship","reason":"An attacker might exploit trusted relationships between accounts, leading to a console login that can be traced back to an initial access attempt."}],"usedInWild":true,"incidents":[{"description":"The curious case of DangerDev@protonmail.me","link":"https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"},{"description":"Responding to an attack in AWS","link":"https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac"},{"description":"Credential Phishing","link":"https://ramimac.me/aws-phishing#credential-phishing"},{"description":"Incident report: From CLI to console, chasing an attacker in AWS","link":"https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/"},{"description":"Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining","link":"https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/"},{"description":"When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability","link":"https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/"},{"description":"Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies","link":"https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"}],"researchLinks":[{"description":"Compromising AWS Console credentials","link":"https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/"},{"description":"Create a Console Session from IAM Credentials","link":"https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"},{"description":"Enhancing Your Security Visibility and DetectionResponse Operations in AWS","link":"https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf"}],"securityImplications":"Attackers might access via AWS console (generating a ConsoleLogin event).","alerting":[{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6"},{"type":"cloudwatchCISControls","value":"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3"}],"simulation":[{"type":"commandLine","value":"N/A"},{"type":"stratusRedTeam","value":"https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa"}],"permissions":"N/A"} +{"eventName":"GetSigninToken","eventSource":"signin.amazonaws.com","awsService":"SignIn","description":"Generate a SigninToken that can be used to login to the the AWS Management Console.","mitreAttackTactics":["TA0001 - Initial Access"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":["T1078.004 - Valid Accounts: Cloud Accounts"],"unverifiedMitreAttackTechniques":[],"usedInWild":true,"incidents":[{"description":"Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)","link":"https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"}],"researchLinks":[],"securityImplications":"Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"PasswordRecoveryRequested","eventSource":"signin.amazonaws.com","awsService":"SignIn","description":"This is the CloudTrail event generated when you request a password recovery.","mitreAttackTactics":["TA0001 - Initial Access"],"mitreAttackTechniques":["T1078 - Valid Accounts"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1212 - Exploitation for Credential Access","reason":"The password recovery process could be manipulated or exploited to gain access to credentials, especially if the attacker can intercept or redirect the recovery process."}],"usedInWild":true,"incidents":[{"description":"An Ongoing AWS Phishing Campaign","link":"https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"},{"description":"Disclosure of Security Incidents on imToken","link":"https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken"}],"researchLinks":[],"securityImplications":"Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"SwitchRole","eventSource":"signin.amazonaws.com","awsService":"SignIn","description":"This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.","mitreAttackTactics":["TA0008 - Lateral Movement"],"mitreAttackTechniques":["T1021 - Remote Services"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The SwitchRole API call indicates that a user is leveraging valid credentials to access different roles, which could be used for maintaining persistence, evading detection, or moving laterally within the AWS environment."},{"technique":"T1068 - Exploitation for Privilege Escalation","reason":"Switching to a role with higher privileges could be an attempt to escalate privileges within the AWS environment."},{"technique":"T1036 - Masquerading","reason":"The API call might be used to masquerade as a different user or role, enabling an attacker to carry out malicious activities under the guise of a legitimate user."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS CloudTrail cheat sheet","link":"https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet"}],"securityImplications":"Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.","alerting":[],"simulation":[{"type":"commandLine","value":"N/A"}],"permissions":"N/A"} +{"eventName":"CreateServer","eventSource":"transfer.amazonaws.com","awsService":"TransferFamily","description":"Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.","mitreAttackTactics":["TA0010 - Exfiltration"],"mitreAttackTechniques":["T1537 - Transfer Data to Cloud Account"],"mitreAttackSubTechniques":[],"unverifiedMitreAttackTechniques":[{"technique":"T1078 - Valid Accounts","reason":"The server creation process may involve generating or utilizing valid credentials, which can be leveraged by attackers to gain unauthorized access to the system."},{"technique":"T1071 - Application Layer Protocol","reason":"The server can be used to facilitate command and control communications using standard file transfer protocols (e.g., SFTP, FTPS), which are application layer protocols."},{"technique":"T1562 - Impair Defenses","reason":"Attackers could configure the server to allow them to access from the internet to S3 files."}],"usedInWild":true,"incidents":[{"description":"Muddled Libra\u2019s Evolution to the Cloud","link":"https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"}],"researchLinks":[],"securityImplications":"Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.","alerting":[],"simulation":[{"type":"commandLine","value":"aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED"}],"permissions":"https://aws.permissions.cloud/iam/transfer#transfer-CreateServer"} +{"eventName":"DeleteRuleGroup","eventSource":"wafv2.amazonaws.com","awsService":"WAFV2","description":"Deletes the specified RuleGroup.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall"],"unverifiedMitreAttackTechniques":[{"technique":"T1098 - Account Manipulation","reason":"By deleting a RuleGroup that is crucial for access management, an attacker could manipulate accounts or credentials to bypass security controls."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Removing critical firewall rules could lead to a Denial of Service (DoS) by allowing malicious traffic to overwhelm the system or service endpoints."},{"technique":"T1070 - Indicator Removal","reason":"The deletion of a RuleGroup can be used to eliminate logs or indicators of malicious activity by disabling the mechanisms that detect and log those activities. Also, to delete a group that was used previously by attackers."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS WAF Rule or Rule Group Deletion","link":"https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html"},{"description":"AWS Incident Response","link":"https://easttimor.github.io/aws-incident-response/"}],"securityImplications":"Attackers might use DeleteRuleGroup to disable security rules, making the system vulnerable to cyber attacks.","alerting":[],"simulation":[{"type":"commandLine","value":"aws wafv2 delete-rule-group --name TestRuleGroup --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0"}],"permissions":"https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteRuleGroup"} +{"eventName":"DeleteWebACL","eventSource":"wafv2.amazonaws.com","awsService":"WAFV2","description":"Deletes the specified WebACL.","mitreAttackTactics":["TA0005 - Defense Evasion"],"mitreAttackTechniques":["T1562 - Impair Defenses"],"mitreAttackSubTechniques":["T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall"],"unverifiedMitreAttackTechniques":[{"technique":"T1070 - Indicator Removal","reason":"Deleting the WebACL after disassociating it from resources could be used to remove evidence of previous configurations that could have logged or blocked malicious activity."},{"technique":"T1036 - Masquerading","reason":"By deleting the WebACL, an attacker could attempt to make malicious traffic appear legitimate by removing the security policies that would identify or block it."},{"technique":"T1499 - Endpoint Denial of Service","reason":"Deleting critical WebACL protections, especially after disassociating them from resources, may increase the likelihood of successful DoS attacks against those now-unprotected resources, affecting service availability."}],"usedInWild":false,"incidents":[],"researchLinks":[{"description":"AWS Incident Response","link":"https://easttimor.github.io/aws-incident-response/"}],"securityImplications":"Attackers might use DeleteWebACL to remove web access control lists, thereby disrupting web application firewall protections.","alerting":[],"simulation":[{"type":"commandLine","value":"aws wafv2 delete-web-acl --name TrailDiscoverWebACL --scope REGIONAL --id TrailDiscoverId --lock-token TrailDiscoverLockToken"}],"permissions":"https://aws.permissions.cloud/iam/wafv2#wafv2-DeleteWebACL"} diff --git a/packs/aws.yml b/packs/aws.yml index c4591af93..820a4a43f 100644 --- a/packs/aws.yml +++ b/packs/aws.yml @@ -144,6 +144,7 @@ PackDefinition: - AWS.CMK.KeyRotation - AWS.DynamoDB.TableTTLEnabled - AWS.EC2.Vulnerable.XZ.Image.Launched + - Amazon.EKS.AnonymousAPIAccess - AWS.IAM.Policy.DoesNotGrantAdminAccess - AWS.IAM.Policy.DoesNotGrantNetworkAdminAccess - AWS.IAM.Resource.DoesNotHaveInlinePolicy diff --git a/packs/snowflake_streaming.yml b/packs/snowflake_streaming.yml new file mode 100644 index 000000000..a7f5439d3 --- /dev/null +++ b/packs/snowflake_streaming.yml @@ -0,0 +1,23 @@ +AnalysisType: pack +PackID: PantherManaged.SnowflakeStreaming +DisplayName: "Panther Snowflake Real-Time Rules" +Description: Group of all streaming (real-time) Snowflake detections +PackDefinition: + IDs: + # Correlation Rules + - Snowflake.PotentialBruteForceSuccess + # Helpers + - panther_snowflake_helpers + # Rules + - Snowflake.Stream.AccountAdminGranted + - Snowflake.Stream.BruteForceByIp + - Snowflake.Stream.BruteForceByUsername + - Snowflake.Stream.ExternalShares + - Snowflake.Stream.FileDownloaded + - Snowflake.Stream.LoginSuccess + - Snowflake.Stream.LoginWithoutMFA + - Snowflake.Stream.PublicRoleGrant + - Snowflake.Stream.TableCopiedIntoStage + - Snowflake.Stream.TempStageCreated + - Snowflake.Stream.UserCreated + - Snowflake.Stream.UserEnabled \ No newline at end of file diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml new file mode 100644 index 000000000..5cea13ed8 --- /dev/null +++ b/packs/zscaler_zia.yml @@ -0,0 +1,14 @@ +AnalysisType: pack +PackID: PantherManaged.Zscaler.ZIA +Description: Group of all Zscaler ZIA detections +DisplayName: "Panther Zscaler ZIA Pack" +PackDefinition: + IDs: + - ZIA.Account.Access.Removed + - ZIA.Additional.Cloud.Roles + - ZIA.Cloud.Account.Created + - ZIA.Password.Expiration + - ZIA.Trust.Modification + - panther_zscaler_helpers + - panther_base_helpers + diff --git a/rules/aws_eks_rules/anonymous_api_access.py b/rules/aws_eks_rules/anonymous_api_access.py new file mode 100644 index 000000000..b85f24fde --- /dev/null +++ b/rules/aws_eks_rules/anonymous_api_access.py @@ -0,0 +1,30 @@ +from panther_aws_helpers import eks_panther_obj_ref + + +def rule(event): + # Check if the username is set to "system:anonymous", which indicates anonymous access + p_eks = eks_panther_obj_ref(event) + if p_eks.get("actor") == "system:anonymous": + return True + return False + + +def title(event): + p_eks = eks_panther_obj_ref(event) + return ( + f"Anonymous API access detected on Kubernetes API server " + f"from [{p_eks.get('sourceIPs')[0]}] to [{p_eks.get('resource')}] " + f"in namespace [{p_eks.get('ns')}] on [{p_eks.get('p_source_label')}]" + ) + + +def dedup(event): + p_eks = eks_panther_obj_ref(event) + return f"anonymous_access_{p_eks.get('p_source_label')}_{p_eks.get('sourceIPs')[0]}" + + +def alert_context(event): + p_eks = eks_panther_obj_ref(event) + mutable_event = event.to_dict() + mutable_event["p_eks"] = p_eks + return dict(mutable_event) diff --git a/rules/aws_eks_rules/anonymous_api_access.yml b/rules/aws_eks_rules/anonymous_api_access.yml new file mode 100644 index 000000000..e8f2548fb --- /dev/null +++ b/rules/aws_eks_rules/anonymous_api_access.yml @@ -0,0 +1,132 @@ +AnalysisType: rule +Filename: anonymous_api_access.py +RuleID: "Amazon.EKS.AnonymousAPIAccess" +DisplayName: "EKS Anonymous API Access Detected" +Enabled: true +LogTypes: + - Amazon.EKS.Audit +Severity: Medium +Reports: + MITRE ATT&CK: + - "TA0001:T1190" # Initial Access: Exploit Public-Facing Application +Description: > + This rule detects anonymous API requests made to the Kubernetes API server. + In production environments, anonymous access should be disabled to prevent + unauthorized access to the API server. +DedupPeriodMinutes: 60 +Reference: + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests +Runbook: > + Check the EKS cluster configuration and ensure that anonymous access + to the Kubernetes API server is disabled. This can be done by verifying the API + server arguments and authentication webhook configuration. +SummaryAttributes: + - user:username + - p_any_ip_addresses + - p_source_label +Tags: + - EKS + - Security Control + - API + - Initial Access:Exploit Public-Facing Application +Tests: + - Name: Anonymous API Access + ExpectedResult: true + Log: + { + "annotations": { + "authorization.k8s.io/decision": "allow", + "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer" + }, + "apiVersion": "audit.k8s.io/v1", + "auditID": "abcde12345", + "kind": "Event", + "level": "Request", + "objectRef": { + "apiVersion": "v1", + "name": "test-pod", + "namespace": "default", + "resource": "pods" + }, + "p_any_aws_account_ids": [ + "123412341234" + ], + "p_any_aws_arns": [ + "arn:aws:iam::123412341234:role/DevAdministrator" + ], + "p_any_ip_addresses": [ + "8.8.8.8" + ], + "p_any_usernames": [ + "system:anonymous" + ], + "p_event_time": "2022-11-29 00:09:04.38", + "p_log_type": "Amazon.EKS.Audit", + "p_parse_time": "2022-11-29 00:10:25.067", + "p_row_id": "2e4ab474b0f0f7a4a8fff4f014a9b32a", + "p_source_id": "4c859cd4-9406-469b-9e0e-c2dc1bee24fa", + "p_source_label": "example-cluster-eks-logs", + "requestReceivedTimestamp": "2022-11-29 00:09:04.38", + "requestURI": "/api/v1/namespaces/default/pods/test-pod", + "responseStatus": { + "code": 200 + }, + "sourceIPs": [ + "8.8.8.8" + ], + "stage": "ResponseComplete", + "user": { + "username": "system:anonymous" + }, + "userAgent": "kubectl/v1.25.4" + } + - Name: Non-Anonymous API Access + ExpectedResult: false + Log: + { + "annotations": { + "authorization.k8s.io/decision": "allow", + "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding system:public-info-viewer" + }, + "apiVersion": "audit.k8s.io/v1", + "auditID": "abcde12345", + "kind": "Event", + "level": "Request", + "objectRef": { + "apiVersion": "v1", + "name": "test-pod", + "namespace": "default", + "resource": "pods" + }, + "p_any_aws_account_ids": [ + "123412341234" + ], + "p_any_aws_arns": [ + "arn:aws:iam::123412341234:role/DevAdministrator" + ], + "p_any_ip_addresses": [ + "8.8.8.8" + ], + "p_any_usernames": [ + "kubernetes-admin" + ], + "p_event_time": "2022-11-29 00:09:04.38", + "p_log_type": "Amazon.EKS.Audit", + "p_parse_time": "2022-11-29 00:10:25.067", + "p_row_id": "2e4ab474b0f0f7a4a8fff4f014a9b32a", + "p_source_id": "4c859cd4-9406-469b-9e0e-c2dc1bee24fa", + "p_source_label": "example-cluster-eks-logs", + "requestReceivedTimestamp": "2022-11-29 00:09:04.38", + "requestURI": "/api/v1/namespaces/default/pods/test-pod", + "responseStatus": { + "code": 200 + }, + "sourceIPs": [ + "8.8.8.8" + ], + "stage": "ResponseComplete", + "user": { + "username": "kubernetes-admin" + }, + "userAgent": "kubectl/v1.25.4" + } diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml index b8e1b3136..c33b2364d 100644 --- a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml +++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml @@ -19,11 +19,12 @@ Detection: - ID: User Created FOLLOWED BY User Deleted From: AccountCreated To: AccountDeleted + WithinTimeFrameMinutes: 720 # 12 hours Match: - On: p_alert_context.target_name - LookbackWindowMinutes: 720 # 12 hours + LookbackWindowMinutes: 2160 Schedule: - RateMinutes: 480 # 8 hours + RateMinutes: 1440 TimeoutMinutes: 1 Tests: - Name: User Creation, Followed By Deletion diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml index 9fa576129..3b9e2d488 100644 --- a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml +++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml @@ -19,11 +19,12 @@ Detection: - ID: AcountCreated FOLLOWED BY AdminRoleAssigned ON target AND actor From: AccountCreated To: AdminRoleAssigned + WithinTimeFrameMinutes: 45 Match: - On: p_alert_context.actor_target - LookbackWindowMinutes: 45 + LookbackWindowMinutes: 2160 Schedule: - RateMinutes: 30 + RateMinutes: 1440 TimeoutMinutes: 1 Tests: - Name: User Creation, Followed By Role Assignment diff --git a/rules/snowflake_rules/snowflake_stream_account_admin_assigned.py b/rules/snowflake_rules/snowflake_stream_account_admin_assigned.py new file mode 100644 index 000000000..911d47ca1 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_account_admin_assigned.py @@ -0,0 +1,12 @@ +def rule(event): + if event.get("DELETED_ON"): + return False + return "admin" in event.get("GRANTEE_NAME", "").lower() + + +def title(event): + source_name = event.get("p_source_label", "") + target = event.get("GRANTED_TO", "") + actor = event.get("GRANTED_BY", "") + role = event.get("GRANTEE_NAME", "") + return f"{source_name}: {actor} granted role {role} to {target}" diff --git a/rules/snowflake_rules/snowflake_stream_account_admin_assigned.yml b/rules/snowflake_rules/snowflake_stream_account_admin_assigned.yml new file mode 100644 index 000000000..c8d08df3b --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_account_admin_assigned.yml @@ -0,0 +1,41 @@ +AnalysisType: rule +Filename: snowflake_stream_account_admin_assigned.py +RuleID: "Snowflake.Stream.AccountAdminGranted" +DisplayName: Snowflake Account Admin Granted +Enabled: true +LogTypes: + - Snowflake.GrantsToUsers +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0004:T1078 +Description: Detect when account admin is granted. +Tags: + - Snowflake + - '[MITRE] Privilege Escalation' + - '[MITRE] Valid Accounts' +Tests: + - Name: Admin Role Assigned + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-08 11:24:50.682000000", + "p_log_type": "Snowflake.GrantsToUsers", + "p_source_label": "Snowflake Prod", + "CREATED_ON": "2024-10-08 11:24:50.682000000", + "GRANTED_BY": "SNOWFLAKE", + "GRANTED_TO": "APPLICATION_ROLE", + "GRANTEE_NAME": "TRUST_CENTER_ADMIN" + } + - Name: Non-Admin Role Assigned + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-08 11:24:50.682000000", + "p_log_type": "Snowflake.GrantsToUsers", + "p_source_label": "Snowflake Prod", + "CREATED_ON": "2024-10-08 11:24:50.682000000", + "GRANTED_BY": "SNOWFLAKE", + "GRANTED_TO": "APPLICATION_ROLE", + "GRANTEE_NAME": "TRUST_CENTER_VIEWER" + } diff --git a/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.py b/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.py new file mode 100644 index 000000000..75891247c --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.py @@ -0,0 +1,18 @@ +def rule(event): + # Return true for any login attempt; Let Panther's dedup and threshold handle the brute force + # detection. + return event.get("EVENT_TYPE") == "LOGIN" and event.get("IS_SUCCESS") == "NO" + + +def title(event): + return ( + "Login attempts from IP " + f"{event.get('CLIENT_IP', '')} " + "have exceeded the failed logins threshold" + ) + + +def dedup(event): + return event.get("CLIENT_IP", "") + event.get( + "REPORTED_CLIENT_TYPE", "" + ) diff --git a/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.yml b/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.yml new file mode 100644 index 000000000..bc9557fb0 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_brute_force_by_ip.yml @@ -0,0 +1,56 @@ +AnalysisType: rule +Filename: snowflake_stream_brute_force_by_ip.py +RuleID: "Snowflake.Stream.BruteForceByIp" +DisplayName: Snowflake Brute Force Attacks by IP +Enabled: true +LogTypes: + - Snowflake.LoginHistory +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0006:T1110 +Description: Detect brute force attacks by monitorign failed logins from the same + IP address +DedupPeriodMinutes: 60 +Threshold: 5 +Tags: + - Snowflake + - '[MITRE] Credential Access' + - '[MITRE] Brute Force' +Tests: + - Name: Successful Login + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.1.1.1", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "YES", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "ckent@dailyplanet.org" + } + - Name: Unsuccessful Login + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.2.3.4", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "NO", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "luthor@lexcorp.com" + } diff --git a/rules/snowflake_rules/snowflake_stream_brute_force_by_username.py b/rules/snowflake_rules/snowflake_stream_brute_force_by_username.py new file mode 100644 index 000000000..b9cc76dce --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_brute_force_by_username.py @@ -0,0 +1,16 @@ +def rule(event): + # Return true for any login attempt; Let Panther's dedup and threshold handle the brute force + # detection. + return event.get("EVENT_TYPE") == "LOGIN" and event.get("IS_SUCCESS") == "NO" + + +def title(event): + return ( + f"User {event.get('USER_NAME', '')} has exceeded the failed logins threshold" + ) + + +def dedup(event): + return event.get("USER_NAME", "") + event.get( + "REPORTED_CLIENT_TYPE", "" + ) diff --git a/rules/snowflake_rules/snowflake_stream_brute_force_by_username.yml b/rules/snowflake_rules/snowflake_stream_brute_force_by_username.yml new file mode 100644 index 000000000..80fe931bb --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_brute_force_by_username.yml @@ -0,0 +1,56 @@ +AnalysisType: rule +Filename: snowflake_stream_brute_force_by_username.py +RuleID: "Snowflake.Stream.BruteForceByUsername" +DisplayName: Snowflake Brute Force Attacks by User +Enabled: true +LogTypes: + - Snowflake.LoginHistory +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0006:T1110 +Description: Detect brute force attacks by monitorign failed logins from the same + IP address +DedupPeriodMinutes: 60 +Threshold: 5 +Tags: + - Snowflake + - '[MITRE] Credential Access' + - '[MITRE] Brute Force' +Tests: + - Name: Successful Login + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.1.1.1", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "YES", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "ckent@dailyplanet.org" + } + - Name: Unsuccessful Login + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.2.3.4", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "NO", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "luthor@lexcorp.com" + } diff --git a/rules/snowflake_rules/snowflake_stream_external_shares.py b/rules/snowflake_rules/snowflake_stream_external_shares.py new file mode 100644 index 000000000..b57b6e0cf --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_external_shares.py @@ -0,0 +1,36 @@ +# CONFIGURATION REQUIRED +# Be sure to add code to exclude any transfers from acounts designed to host data shares. Either +# add those account names to the set below, or add a rule filter to exclude events with those +# account names. +DATA_SHARE_HOSTING_ACCOUNTS = { + # Add account names here +} + + +def rule(event): + return all( + [ + event.get("ACCOUNT_NAME") not in get_data_share_hosting_accounts(), + event.get("SOURCE_CLOUD"), + event.get("TARGET_CLOUD"), + event.get("BYTES_TRANSFERRED", 0) > 0, + ] + ) + + +def title(event): + return ( + f"{event.get('ORGANIZATION_NAME', '')}: " + "A data export has been initiated from source cloud " + f"{event.get('SOURCE_CLOUD', '')} " + f"in source region {event.get('SOURCE_REGION', '')} " + f"to target cloud {event.get('TARGET_CLOUD', '')} " + f"in target region {event.get('TARGET_REGION', '')} " + f"with transfer type {event.get('TRANSFER_TYPE', '')} " + f"for {event.get('BYTES_TRANSFERRED', '')} bytes" + ) + + +def get_data_share_hosting_accounts(): + """Getter function. Used so we can mock during unit tests.""" + return DATA_SHARE_HOSTING_ACCOUNTS diff --git a/rules/snowflake_rules/snowflake_stream_external_shares.yml b/rules/snowflake_rules/snowflake_stream_external_shares.yml new file mode 100644 index 000000000..bbb689d8f --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_external_shares.yml @@ -0,0 +1,54 @@ +AnalysisType: rule +Filename: snowflake_stream_external_shares.py +RuleID: Snowflake.Stream.ExternalShares +DisplayName: Snowflake External Data Share +Enabled: true +LogTypes: + - Snowflake.DataTransferHistory +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0010:T1537 +Description: Detect when an external share has been initiated from one source cloud + to another target cloud. +Runbook: Determine if this occurred as a result of a valid business request. +Tags: + - Configuration Required + - Snowflake + - '[MITRE] Exfiltration' + - '[MITRE] Transfer Data to Cloud Account' +Tests: + - Name: Allowed Share + ExpectedResult: false + Mocks: + - objectName: get_data_share_hosting_accounts + returnValue: '{DP_EUROPE}, {DP_ASIA}, {DP_AMERICA}' + Log: + { + "ORGANIZATION_NAME": "DAILY_PLANET", + "ACCOUNT_NAME": "DP_EUROPE", + "REGION": "US-EAST-2", + "SOURCE_CLOUD": "AWS", + "SOURCE_REGION": "US-EAST-2", + "TARGET_CLOUD": "AWS", + "TARGET_REGION": "EU-WEST-1", + "BYTES_TRANSFERRED": 61235879, + "TRANSFER_TYPE": "COPY" + } + - Name: Disallowed Share + ExpectedResult: true + Mocks: + - objectName: get_data_share_hosting_accounts + returnValue: '{DP_EUROPE}, {DP_ASIA}, {DP_AMERICA}' + Log: + { + "ORGANIZATION_NAME": "LEXCORP", + "ACCOUNT_NAME": "LEX_SECRET_ACCOUNT", + "REGION": "US-EAST-2", + "SOURCE_CLOUD": "AWS", + "SOURCE_REGION": "US-EAST-2", + "TARGET_CLOUD": "AWS", + "TARGET_REGION": "EU-WEST-1", + "BYTES_TRANSFERRED": 61235879, + "TRANSFER_TYPE": "COPY" + } diff --git a/rules/snowflake_rules/snowflake_stream_file_downloaded.py b/rules/snowflake_rules/snowflake_stream_file_downloaded.py new file mode 100644 index 000000000..620011a9b --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_file_downloaded.py @@ -0,0 +1,39 @@ +import re + +from panther_snowflake_helpers import query_history_alert_context + +PATH_EXPR = re.compile(r"'file:\/\/([\/\w\.]+)'", flags=re.I) +STAGE_EXPR = re.compile(r"GET\s+'(@[\w\.\/\@\%]+)'", flags=re.I) + +PATH = "" +STAGE = "" + + +def rule(event): + # pylint: disable=global-statement + # Check these conditions first to avoid running an expensive regex on every log + if not all( + ( + event.get("QUERY_TYPE") == "GET_FILES", + event.get("EXECUTION_STATUS") == "SUCCESS", + # Avoid alerting for fetching worksheets: + event.get("QUERY_TEXT") != "GET '@~/worksheet_data/metadata' 'file:///'", + ) + ): + return False + + global PATH + PATH = PATH_EXPR.search(event.get("QUERY_TEXT", "")) + + return PATH is not None + + +def alert_context(event): + # pylint: disable=global-statement + global PATH + global STAGE + STAGE = STAGE_EXPR.match(event.get("QUERY_TEXT", "")) + return query_history_alert_context(event) | { + "path": PATH.group(1), + "stage": None if not STAGE else STAGE.group(1), + } diff --git a/rules/snowflake_rules/snowflake_stream_file_downloaded.yml b/rules/snowflake_rules/snowflake_stream_file_downloaded.yml new file mode 100644 index 000000000..c85e6e8e0 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_file_downloaded.yml @@ -0,0 +1,46 @@ +AnalysisType: rule +Filename: snowflake_stream_file_downloaded.py +RuleID: Snowflake.Stream.FileDownloaded +DisplayName: Snowflake File Downloaded +Enabled: true +LogTypes: + - Snowflake.QueryHistory +Severity: Info +CreateAlert: false +Reports: + MITRE ATT&CK: + - TA0010:T1041 # Exfiltration Over C2 Channel +Description: A file was downloaded from a stage. +Reference: + https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/ +Tags: + - Snowflake + - '[MITRE] Exfiltration' + - '[MITRE] Exfiltration Over C2 Channel' +Tests: + - Name: Worksheet File Downloaded + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-09 19:38:06.158000000", + "p_log_type": "Snowflake.QueryHistory", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "GET '@~/worksheet_data/metadata' 'file:///'", + "QUERY_TYPE": "GET_FILES", + "ROLE_NAME": "PUBLIC", + "USER_NAME": "CLARK_KENT" + } + - Name: Other File Downloaded + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-09 19:38:06.158000000", + "p_log_type": "Snowflake.QueryHistory", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "GET '@%/secret_files' 'file:///research/superman_identity'", + "QUERY_TYPE": "GET_FILES", + "ROLE_NAME": "PUBLIC", + "USER_NAME": "LEX_LUTHOR" + } diff --git a/rules/snowflake_rules/snowflake_stream_login_success.py b/rules/snowflake_rules/snowflake_stream_login_success.py new file mode 100644 index 000000000..8f9fcfac2 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_login_success.py @@ -0,0 +1,2 @@ +def rule(event): + return all((event.get("EVENT_TYPE") == "LOGIN", event.get("IS_SUCCESS") == "YES")) diff --git a/rules/snowflake_rules/snowflake_stream_login_success.yml b/rules/snowflake_rules/snowflake_stream_login_success.yml new file mode 100644 index 000000000..2eaa305f7 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_login_success.yml @@ -0,0 +1,49 @@ +AnalysisType: rule +Filename: snowflake_stream_login_success.py +RuleID: Snowflake.Stream.LoginSuccess +DisplayName: Snowflake Successful Login +Enabled: true +LogTypes: + - Snowflake.LoginHistory +Severity: Info +CreateAlert: false +Description: Track successful login signals for correlation. +Tags: + - Snowflake +Tests: + - Name: Successful Login + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.1.1.1", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "YES", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "ckent@dailyplanet.org" + } + - Name: Unsuccessful Login + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.2.3.4", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "NO", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "luthor@lexcorp.com" + } diff --git a/rules/snowflake_rules/snowflake_stream_login_without_mfa.py b/rules/snowflake_rules/snowflake_stream_login_without_mfa.py new file mode 100644 index 000000000..551f841c4 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_login_without_mfa.py @@ -0,0 +1,19 @@ +MFA_EXCEPTIONS = {"PANTHER_READONLY", "PANTHER_ADMIN", "PANTHERACCOUNTADMIN"} + + +def rule(event): + return all( + ( + event.get("EVENT_TYPE") == "LOGIN", + event.get("IS_SUCCESS") == "YES", + event.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD", + not event.get("SECOND_AUTHENTICATION_FACTOR"), + event.get("USER_NAME") not in MFA_EXCEPTIONS, + ) + ) + + +def title(event): + source = event.get("p_source_label", "") + user = event.get("USER_NAME", "") + return f"{source}: User {user} logged in without MFA" diff --git a/rules/snowflake_rules/snowflake_stream_login_without_mfa.yml b/rules/snowflake_rules/snowflake_stream_login_without_mfa.yml new file mode 100644 index 000000000..a18dc7f9c --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_login_without_mfa.yml @@ -0,0 +1,54 @@ +AnalysisType: rule +Filename: snowflake_stream_login_without_mfa.py +RuleID: Snowflake.Stream.LoginWithoutMFA +DisplayName: Snowflake Login Without MFA +Enabled: false +LogTypes: + - Snowflake.LoginHistory +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1556 +Description: Detect Snowflake logins without multifactor authentication +Tags: + - Snowflake + - '[MITRE] Defense Evasion' + - '[MITRE] Modify Authentication Process' +Tests: + - Name: Login With MFA + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.1.1.1", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "YES", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "SECOND_AUTHENTICATION_FACTOR": "OTP", + "USER_NAME": "ckent@dailyplanet.org" + } + - Name: Login Without MFA + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-08 14:38:46.061000000", + "p_log_type": "Snowflake.LoginHistory", + "p_source_label": "Snowflake Prod", + "CLIENT_IP": "1.2.3.4", + "EVENT_ID": "393754014361778", + "EVENT_TIMESTAMP": "2024-10-08 14:38:46.061000000", + "EVENT_TYPE": "LOGIN", + "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", + "IS_SUCCESS": "YES", + "RELATED_EVENT_ID": "0", + "REPORTED_CLIENT_TYPE": "OTHER", + "REPORTED_CLIENT_VERSION": "1.11.1", + "USER_NAME": "luthor@lexcorp.com" + } diff --git a/rules/snowflake_rules/snowflake_stream_public_role_grant.py b/rules/snowflake_rules/snowflake_stream_public_role_grant.py new file mode 100644 index 000000000..ed29088ac --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_public_role_grant.py @@ -0,0 +1,9 @@ +def rule(event): + return event.get("GRANTEE_NAME").lower() == "public" + + +def title(event): + return ( + f"{event.get('p_source_label', '')}: " + f"{event.get('GRANTED_BY', '')} made changes to the PUBLIC role" + ) diff --git a/rules/snowflake_rules/snowflake_stream_public_role_grant.yml b/rules/snowflake_rules/snowflake_stream_public_role_grant.yml new file mode 100644 index 000000000..7f24d306b --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_public_role_grant.yml @@ -0,0 +1,60 @@ +AnalysisType: rule +Filename: snowflake_stream_public_role_grant.py +RuleID: Snowflake.Stream.PublicRoleGrant +DisplayName: Snowflake Grant to Public Role +Enabled: true +LogTypes: + - Snowflake.GrantsToRoles +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0004:T1078.001 +Description: Detect additional grants to the public role. +Runbook: Determine if this is a necessary grant for the public role, which should + be kept to the fewest possible. +Tags: + - Snowflake + - '[MITRE] Privilege Escalation' + - '[MITRE] Valid Accounts' + - '[MITRE] Valid Accounts: Default Accounts' +Tests: + - Name: SELECT Granted to Public + ExpectedResult: true + Log: + { + "p_source_label": "DailyPlanet-Snowflake", + "CREATED_ON": "2024-10-10 12:56:35.822 -0700", + "MODIFIED_ON": "2024-10-10 12:56:35.822 -0700", + "PRIVILEGE": "SELECT", + "GRANTED_ON": "TABLE", + "NAME": "MYTABLE", + "TABLE_CATALOG": "TEST_DB", + "TABLE_SCHEMA": "PUBLIC", + "GRANTED_TO": "ROLE", + "GRANTEE_NAME": "PUBLIC", + "GRANT_OPTION": false, + "GRANTED_BY": "ACCOUNTADMIN", + "DELETED_ON": "", + "GRANTED_BY_ROLE_TYPE": "ROLE", + "OBJECT_INSTANCE": "" + } + - Name: Privilege Granted to Non-PUBLIC Role + ExpectedResult: false + Log: + { + "p_source_label": "DailyPlanet-Snowflake", + "CREATED_ON": "2024-10-10 12:56:35.822 -0700", + "MODIFIED_ON": "2024-10-10 12:56:35.822 -0700", + "PRIVILEGE": "SELECT", + "GRANTED_ON": "TABLE", + "NAME": "MYTABLE", + "TABLE_CATALOG": "TEST_DB", + "TABLE_SCHEMA": "PUBLIC", + "GRANTED_TO": "ROLE", + "GRANTEE_NAME": "APP_READONLY", + "GRANT_OPTION": false, + "GRANTED_BY": "ACCOUNTADMIN", + "DELETED_ON": "", + "GRANTED_BY_ROLE_TYPE": "ROLE", + "OBJECT_INSTANCE": "" + } diff --git a/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.py b/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.py new file mode 100644 index 000000000..fdee88592 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.py @@ -0,0 +1,26 @@ +import re + +STAGE_EXPR = re.compile(r"COPY\s+INTO\s+(?:\$\$|\')?@([\w\.]+)", flags=re.I) +PATH_EXPR = re.compile(r"COPY\s+INTO\s+(?:\$\$|\')?@([\w\./]+)(?:\$\$|\')?\s+FROM", flags=re.I) + +STAGE = "" + + +def rule(event): + # pylint: disable=global-statement + global STAGE + STAGE = STAGE_EXPR.match(event.get("QUERY_TEXT", "")) + return all( + ( + event.get("QUERY_TYPE") == "UNLOAD", + STAGE is not None, + event.get("EXECUTION_STATUS") == "SUCCESS", + ) + ) + + +def alert_context(event): + # pylint: disable=global-statement + global STAGE + path = PATH_EXPR.match(event.get("QUERY_TEXT", "")) + return {"actor": event.get("USER_NAME"), "path": path.group(1), "stage": STAGE.group(1)} diff --git a/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.yml b/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.yml new file mode 100644 index 000000000..665b7dd69 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_table_copied_into_stage.yml @@ -0,0 +1,40 @@ +AnalysisType: rule +Filename: snowflake_stream_table_copied_into_stage.py +RuleID: Snowflake.Stream.TableCopiedIntoStage +DisplayName: Snowflake Table Copied Into Stage +Enabled: true +LogTypes: + - Snowflake.QueryHistory +Severity: Info +CreateAlert: false +Reports: + MITRE ATT&CK: + - TA0010:T1041 # Exfiltration Over C2 Channel +Description: A table was copied into a stage. +Reference: + https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/ +Tags: + - Snowflake + - '[MITRE] Exfiltration' + - '[MITRE] Exfiltration Over C2 Channel' +Tests: + - Name: Copy from Table into Stage + ExpectedResult: true + Log: + { + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "COPY INTO @mystage/result/data_\nFROM mytable FILE_FORMAT = + (FORMAT_NAME='CSV' COMPRESSION='GZIP');", + "QUERY_TYPE": "UNLOAD", + "USER_NAME": "LEX_LUTHOR" + } + - Name: Copy from Stage into Table + ExpectedResult: false + Log: + { + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "COPY INTO mytable\nFROM @mystage/result/data_ FILE_FORMAT = + (FORMAT_NAME='CSV' COMPRESSION='GZIP');", + "QUERY_TYPE": "UNLOAD", + "USER_NAME": "LEX_LUTHOR" + } diff --git a/rules/snowflake_rules/snowflake_stream_temp_stage_created.py b/rules/snowflake_rules/snowflake_stream_temp_stage_created.py new file mode 100644 index 000000000..aae1ab3f4 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_temp_stage_created.py @@ -0,0 +1,33 @@ +import re + +from panther_snowflake_helpers import query_history_alert_context + +STAGE_EXPR = re.compile( + ( + r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:TEMPORARY\s+|TEMP\s+)STAGE\s+" + r"(?:IF\s+NOT\s+EXISTS\s+)?([a-zA-Z0-9_\\.]+)" + ), + flags=re.I, +) + +STAGE = "" + + +def rule(event): + # pylint: disable=global-statement + global STAGE + STAGE = STAGE_EXPR.match(event.get("QUERY_TEXT", "")) + + return all( + ( + event.get("QUERY_TYPE") == "CREATE", + event.get("EXECUTION_STATUS") == "SUCCESS", + STAGE is not None, + ) + ) + + +def alert_context(event): + # pylint: disable=global-statement + global STAGE + return query_history_alert_context(event) | {"stage": STAGE.group(1)} diff --git a/rules/snowflake_rules/snowflake_stream_temp_stage_created.yml b/rules/snowflake_rules/snowflake_stream_temp_stage_created.yml new file mode 100644 index 000000000..f9e00e4ab --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_temp_stage_created.yml @@ -0,0 +1,62 @@ +AnalysisType: rule +Filename: snowflake_stream_temp_stage_created.py +RuleID: Snowflake.Stream.TempStageCreated +DisplayName: Snowflake Temporary Stage Created +Enabled: true +LogTypes: + - Snowflake.QueryHistory +Severity: Info +CreateAlert: false +Reports: + MITRE ATT&CK: + - TA0010:T1041 # Exfiltration Over C2 Channel +Description: A temporary stage was created. +Reference: + https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/ +Tags: + - Snowflake + - '[MITRE] Exfiltration' + - '[MITRE] Exfiltration Over C2 Channel' +Tests: + - Name: Successful Temp Stage Created + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-09 21:06:03.631000000", + "p_log_type": "Snowflake.QueryHistory", + "p_source_id": "132d65cd-d6e4-4981-a209-a1d5902afd59", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "CREATE TEMP STAGE my_temp_stage;", + "QUERY_TYPE": "CREATE", + "USER_NAME": "LEX_LUTHOR", + "WAREHOUSE_NAME": "ADMIN_WH" + } + - Name: Successful Temp Stage Created or Replaced + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-09 21:06:03.631000000", + "p_log_type": "Snowflake.QueryHistory", + "p_source_id": "132d65cd-d6e4-4981-a209-a1d5902afd59", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "CREATE OR REPLACE TEMP STAGE my_temp_stage;", + "QUERY_TYPE": "CREATE", + "USER_NAME": "LEX_LUTHOR", + "WAREHOUSE_NAME": "ADMIN_WH" + } + - Name: Unsuccessful Temp Stage Created + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-09 21:06:03.631000000", + "p_log_type": "Snowflake.QueryHistory", + "p_source_id": "132d65cd-d6e4-4981-a209-a1d5902afd59", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "FAIL", + "QUERY_TEXT": "CREATE TEMP STAGE my_temp_stage;", + "QUERY_TYPE": "CREATE", + "USER_NAME": "LEX_LUTHOR", + "WAREHOUSE_NAME": "ADMIN_WH" + } diff --git a/rules/snowflake_rules/snowflake_stream_user_created.py b/rules/snowflake_rules/snowflake_stream_user_created.py new file mode 100644 index 000000000..2801c596c --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_user_created.py @@ -0,0 +1,33 @@ +import re + +from panther_snowflake_helpers import query_history_alert_context + +CREATE_USER_EXPR = re.compile(r"create user (\w+).*", flags=re.I) + +CREATE_USER = "" + + +def rule(event): + # pylint: disable=global-statement + global CREATE_USER + CREATE_USER = CREATE_USER_EXPR.match(event.get("QUERY_TEXT", "")) + return all( + ( + event.get("EXECUTION_STATUS") == "SUCCESS", + event.get("QUERY_TYPE") == "CREATE_USER", + CREATE_USER is not None, + ) + ) + + +def title(event): + # pylint: disable=global-statement + global CREATE_USER + new_user = CREATE_USER.group(1) + actor = event.get("user_name", "") + source = event.get("p_source_label", "") + return f"{source}: Snowflake user {new_user} created by {actor}" + + +def alert_context(event): + return query_history_alert_context(event) diff --git a/rules/snowflake_rules/snowflake_stream_user_created.yml b/rules/snowflake_rules/snowflake_stream_user_created.yml new file mode 100644 index 000000000..0748e038d --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_user_created.yml @@ -0,0 +1,31 @@ +AnalysisType: rule +Filename: snowflake_stream_user_created.py +RuleID: Snowflake.Stream.UserCreated +DisplayName: Snowflake User Created +Enabled: false +LogTypes: + - Snowflake.QueryHistory +Severity: Info +Reports: + MITRE ATT&CK: + - TA0003:T1136 +Description: Detect new users created in Snowflake. +Tags: + - Snowflake + - '[MITRE] Persistence' + - '[MITRE] Create Account' +Tests: + - Name: User Created + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-09 19:43:05.007000000", + "p_log_type": "Snowflake.QueryHistory", + "BYTES_DELETED": 0, + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "CREATE USER MERCY\nPASSWORD = '\u263a\u263a\u263a\u263a\u263a'\nDEFAULT_ROLE = PUBLIC;", + "QUERY_TYPE": "CREATE_USER", + "ROLE_NAME": "ACCOUNTADMIN", + "USER_NAME": "LEX_LUTHOR", + "WAREHOUSE_NAME": "ADMIN_WH" + } diff --git a/rules/snowflake_rules/snowflake_stream_user_enabled.py b/rules/snowflake_rules/snowflake_stream_user_enabled.py new file mode 100644 index 000000000..8497637b3 --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_user_enabled.py @@ -0,0 +1,35 @@ +import re + +from panther_snowflake_helpers import query_history_alert_context + +USER_ENABLED_EXPR = re.compile(r"alter\s+user\s+(.+?)\s+.*?set\s+disabled\s*=\s*false", flags=re.I) + +USER_ENABLED = "" + + +def rule(event): + # pylint: disable=global-statement + global USER_ENABLED + USER_ENABLED = USER_ENABLED_EXPR.match(event.get("QUERY_TEXT", "")) + + # Exit out early to avoid needless regex + return all( + ( + event.get("QUERY_TYPE") == "ALTER_USER", + event.get("EXECUTION_STATUS") == "SUCCESS", + USER_ENABLED is not None, + ) + ) + + +def title(event): + # pylint: disable=global-statement + global USER_ENABLED + enabled_user = USER_ENABLED.group(1) + actor = event.get("USER_NAME", "") + source = event.get("p_source_label", "") + return f"{source}: Snowflake user {enabled_user} enabled by {actor}" + + +def alert_context(event): + return query_history_alert_context(event) diff --git a/rules/snowflake_rules/snowflake_stream_user_enabled.yml b/rules/snowflake_rules/snowflake_stream_user_enabled.yml new file mode 100644 index 000000000..e28ddb2fa --- /dev/null +++ b/rules/snowflake_rules/snowflake_stream_user_enabled.yml @@ -0,0 +1,47 @@ +AnalysisType: rule +Filename: snowflake_stream_user_enabled.py +RuleID: Snowflake.Stream.UserEnabled +DisplayName: Snowflake User Enabled +Enabled: true +LogTypes: + - Snowflake.QueryHistory +Severity: Info +Reports: + MITRE ATT&CK: + - TA0003:T1136 +Description: Detects users being re-enabled in your environment. +Tags: + - Snowflake + - '[MITRE] Persistence' + - '[MITRE] Create Account' +Tests: + - Name: User Enabled + ExpectedResult: true + Log: + { + "p_event_time": "2024-10-09 21:03:25.750000000", + "p_log_type": "Snowflake.QueryHistory", + "p_row_id": "6283439ab35193e891ac9ea1227b", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "ALTER USER CLARK_KENT SET DISABLED=FALSE;", + "QUERY_TYPE": "ALTER_USER", + "ROLE_NAME": "ACCOUNTADMIN", + "USER_NAME": "LEX_LUTHOR", + "WAREHOUSE_NAME": "DATAOPS_WH" + } + - Name: User Disabled + ExpectedResult: false + Log: + { + "p_event_time": "2024-10-09 21:03:25.750000000", + "p_log_type": "Snowflake.QueryHistory", + "p_row_id": "6283439ab35193e891ac9ea1227b", + "p_source_label": "SF-Ben", + "EXECUTION_STATUS": "SUCCESS", + "QUERY_TEXT": "ALTER USER CLARK_KENT SET DISABLED=TRUE;", + "QUERY_TYPE": "ALTER_USER", + "ROLE_NAME": "ACCOUNTADMIN", + "USER_NAME": "PERRY_WHITE", + "WAREHOUSE_NAME": "DATAOPS_WH" + } diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py index 30c256af9..6eef0f865 100644 --- a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.py b/rules/wiz_rules/wiz_connector_updated_or_deleted.py index 212d962cd..a45e0a2f7 100644 --- a/rules/wiz_rules/wiz_connector_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py index 19d531b25..122033d2e 100644 --- a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py index 6d770523f..2926fe968 100644 --- a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteImageIntegrityValidator", "UpdateImageIntegrityValidator"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_integration_updated_or_deleted.py b/rules/wiz_rules/wiz_integration_updated_or_deleted.py index 8fa56f2aa..1873b6c90 100644 --- a/rules/wiz_rules/wiz_integration_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_integration_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteIntegration", "UpdateIntegration"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_revoke_user_sessions.py b/rules/wiz_rules/wiz_revoke_user_sessions.py index 79a05c4cd..1287af330 100644 --- a/rules/wiz_rules/wiz_revoke_user_sessions.py +++ b/rules/wiz_rules/wiz_revoke_user_sessions.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_rotate_service_account_secret.py b/rules/wiz_rules/wiz_rotate_service_account_secret.py index 9577440df..076286c81 100644 --- a/rules/wiz_rules/wiz_rotate_service_account_secret.py +++ b/rules/wiz_rules/wiz_rotate_service_account_secret.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_rule_change.py b/rules/wiz_rules/wiz_rule_change.py index 153fb0a3a..34b6112a5 100644 --- a/rules/wiz_rules/wiz_rule_change.py +++ b/rules/wiz_rules/wiz_rule_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "DeleteAutomationRule", @@ -24,9 +24,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_saml_identity_provider_change.py b/rules/wiz_rules/wiz_saml_identity_provider_change.py index d183ed51b..b79de176c 100644 --- a/rules/wiz_rules/wiz_saml_identity_provider_change.py +++ b/rules/wiz_rules/wiz_saml_identity_provider_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "UpdateSAMLIdentityProvider", @@ -15,9 +15,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_service_account_change.py b/rules/wiz_rules/wiz_service_account_change.py index b8faba6fd..474837cc6 100644 --- a/rules/wiz_rules/wiz_service_account_change.py +++ b/rules/wiz_rules/wiz_service_account_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "CreateServiceAccount", @@ -14,9 +14,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_ip_restrictions.py b/rules/wiz_rules/wiz_update_ip_restrictions.py index 85337be52..98fc53b5f 100644 --- a/rules/wiz_rules/wiz_update_ip_restrictions.py +++ b/rules/wiz_rules/wiz_update_ip_restrictions.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_login_settings.py b/rules/wiz_rules/wiz_update_login_settings.py index b5cb8ddf1..9498a607a 100644 --- a/rules/wiz_rules/wiz_update_login_settings.py +++ b/rules/wiz_rules/wiz_update_login_settings.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_scanner_settings.py b/rules/wiz_rules/wiz_update_scanner_settings.py index b033999ab..0d9b61ee1 100644 --- a/rules/wiz_rules/wiz_update_scanner_settings.py +++ b/rules/wiz_rules/wiz_update_scanner_settings.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_support_contact_list.py b/rules/wiz_rules/wiz_update_support_contact_list.py index 00e65ae67..e0bde5d1a 100644 --- a/rules/wiz_rules/wiz_update_support_contact_list.py +++ b/rules/wiz_rules/wiz_update_support_contact_list.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_user_created_or_deleted.py b/rules/wiz_rules/wiz_user_created_or_deleted.py index 32dd14cfd..e6e38998d 100644 --- a/rules/wiz_rules/wiz_user_created_or_deleted.py +++ b/rules/wiz_rules/wiz_user_created_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["CreateUser", "DeleteUser"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_user_role_updated_or_deleted.py b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py index ce336fe37..99bc6c61a 100644 --- a/rules/wiz_rules/wiz_user_role_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteUserRole", "UpdateUserRole"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/zscaler_rules/zia/zia_account_access_removal.py b/rules/zscaler_rules/zia/zia_account_access_removal.py new file mode 100644 index 000000000..6d437d232 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_account_access_removal.py @@ -0,0 +1,24 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + +SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"] + + +def rule(event): + if not zia_success(event): + return False + event_data = event.get("event", {}) + return ( + event_data.get("action", "ACTION_NOT_FOUND") == "DELETE" + and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES + ) + + +def title(event): + return ( + f"[Zscaler.ZIA]: Admin account was deleted by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_account_access_removal.yml b/rules/zscaler_rules/zia/zia_account_access_removal.yml new file mode 100644 index 000000000..b5806a435 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_account_access_removal.yml @@ -0,0 +1,324 @@ +AnalysisType: rule +RuleID: ZIA.Account.Access.Removed +Description: This rule detects when admin user/role was deleted. +DisplayName: ZIA Account Access Removed +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management +Enabled: true +Filename: zia_account_access_removal.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0040:T1531 # Account Access removal +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, remove from Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminUser": false, + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "isNonEditable": false, + "miscflags": 0, + "name": "johndoe", + "systemDefinedGroups": [ ] + }, + "preaction": { + "adminUser": false, + "authType": "SAFECHANNEL_DIR", + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": false, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 268435456, + "name": "johndoe" + }, + "recordid": "324", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 22:01:28.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Administrators > Edit Administrator, delete administrator + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminScope": { + "scopeEntities": [ ], + "scopeGroupMemberEntities": [ ], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "327", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:09:01.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Edit Auditor, delete auditor + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "disabled": false, + "id": 19752860, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 30510, + "isNameL10nTag": false, + "name": "Auditor" + }, + "userName": "areiiiel" + }, + "recordid": "329", + "resource": "areiiiel", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_AUDITOR", + "time": "2024-10-22 22:11:56.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit Administrator Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 32780, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "VZEN_CONFIGURATION", + "LOCATIONS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "VPN_CREDENTIALS", + "AUTHENTICATION_SETTINGS", + "IDENTITY_PROXY_SETTINGS", + "USER_MANAGEMENT", + "APIKEY_MANAGEMENT", + "PARTNER_INTEGRATION", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "PROXY_GATEWAY", + "TENANT_PROFILE_MANAGEMENT", + "STATIC_IPS", + "REMOTE_ASSISTANCE_MANAGEMENT", + "GRE_TUNNELS", + "CLIENT_CONNECTOR_PORTAL", + "SUBCLOUDS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "recordid": "342", + "resource": "mega admin", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:31:35.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "NONE", + "alertingAccess": "READ_ONLY", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32781, + "name": "wanny", + "permissions": [ + "STATIC_IPS", + "LOCATIONS", + "GRE_TUNNELS", + "VPN_CREDENTIALS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "SDWAN", + "usernameAccess": "NONE" + }, + "recordid": "345", + "resource": "wanny", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:34:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "NONE", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32782, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "LOCATIONS", + "VPN_CREDENTIALS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "STATIC_IPS", + "GRE_TUNNELS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "PUBLIC_API", + "usernameAccess": "NONE" + }, + "recordid": "346", + "resource": "bad API", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:35:06.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_additional_cloud_roles.py b/rules/zscaler_rules/zia/zia_additional_cloud_roles.py new file mode 100644 index 000000000..c0867aa54 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_additional_cloud_roles.py @@ -0,0 +1,22 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + event_data = event.get("event", {}) + return ( + event_data.get("action", "ACTION_NOT_FOUND") == "CREATE" + and event_data.get("category", "CATEGORY_NOT_FOUND") == "ROLE_MANAGEMENT" + ) + + +def title(event): + return ( + f"[Zscaler.ZIA]: Additional cloud role was created by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml b/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml new file mode 100644 index 000000000..538d97536 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml @@ -0,0 +1,327 @@ +AnalysisType: rule +RuleID: ZIA.Additional.Cloud.Roles +Description: This rule detects when an additional cloud role was created. +DisplayName: ZIA Additional Cloud Roles +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/about-role-management +Enabled: true +Filename: zia_additional_cloud_roles.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0003:T1098.003 # Persistence: Additional Cloud Roles + - TA0004:T1098.003 # Priv Escalation: Additional Cloud Roles +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, assign to Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminUser": false, + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + }, + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "isNonEditable": false, + "miscflags": 0, + "name": "johndoe", + "systemDefinedGroups": [ ] + }, + "preaction": { + "adminUser": false, + "authType": "SAFECHANNEL_DIR", + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "miscflags": 268435456, + "name": "johndoe" + }, + "recordid": "325", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 22:02:29.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Add Administrator Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 32780, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "SECURE", + "SSL_POLICY", + "VZEN_CONFIGURATION", + "PARTNER_INTEGRATION", + "REMOTE_ASSISTANCE_MANAGEMENT", + "LOCATIONS", + "VPN_CREDENTIALS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "PROXY_GATEWAY", + "STATIC_IPS", + "GRE_TUNNELS", + "SUBCLOUDS", + "AUTHENTICATION_SETTINGS", + "USER_MANAGEMENT", + "IDENTITY_PROXY_SETTINGS", + "APIKEY_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CLIENT_CONNECTOR_PORTAL", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "TENANT_PROFILE_MANAGEMENT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 0, + "isAuditor": false, + "isNonEditable": false, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "SECURE", + "SSL_POLICY", + "VZEN_CONFIGURATION", + "PARTNER_INTEGRATION", + "REMOTE_ASSISTANCE_MANAGEMENT", + "LOCATIONS", + "VPN_CREDENTIALS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "PROXY_GATEWAY", + "STATIC_IPS", + "GRE_TUNNELS", + "SUBCLOUDS", + "AUTHENTICATION_SETTINGS", + "USER_MANAGEMENT", + "IDENTITY_PROXY_SETTINGS", + "APIKEY_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CLIENT_CONNECTOR_PORTAL", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "TENANT_PROFILE_MANAGEMENT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "recordid": "341", + "resource": "mega admin", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:19:57.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Add SD-WAN Partner API Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "NONE", + "alertingAccess": "READ_ONLY", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32781, + "name": "wanny", + "permissions": [ + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "SDWAN", + "usernameAccess": "NONE" + }, + "preaction": { + "id": 0, + "name": "wanny", + "policyAccess": "READ_WRITE", + "rank": 7, + "reportTimeDuration": -1, + "roleType": "SDWAN" + }, + "recordid": "343", + "resource": "wanny", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:31:46.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Add API Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "NONE", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32782, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "SECURE", + "SSL_POLICY", + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "PUBLIC_API", + "usernameAccess": "NONE" + }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "id": 0, + "isAuditor": false, + "isNonEditable": false, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "SECURE", + "SSL_POLICY", + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportTimeDuration": -1, + "roleType": "PUBLIC_API" + }, + "recordid": "344", + "resource": "bad API", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:34:34.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_create_cloud_account.py b/rules/zscaler_rules/zia/zia_create_cloud_account.py new file mode 100644 index 000000000..56d8bfa6d --- /dev/null +++ b/rules/zscaler_rules/zia/zia_create_cloud_account.py @@ -0,0 +1,29 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + role_name = event.deep_get( + "event", "postaction", "role", "name", default="" + ).lower() + if ( + action == "CREATE" + and category == "ADMINISTRATOR_MANAGEMENT" + and ("admin" in role_name or "audit" in role_name) + ): + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: New admin role was created by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_create_cloud_account.yml b/rules/zscaler_rules/zia/zia_create_cloud_account.yml new file mode 100644 index 000000000..81a82aa73 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_create_cloud_account.yml @@ -0,0 +1,202 @@ +AnalysisType: rule +RuleID: ZIA.Cloud.Account.Created +Description: This rule detects when new cloud account was created. +DisplayName: ZIA Cloud Account Created +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/choosing-provisioning-and-authentication-methods +Enabled: true +Filename: zia_create_cloud_account.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0003:T1136.003 # Persistence: Create Cloud Account +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "preaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "recordid": "321", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 21:57:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Administrators > Add Administrator + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "ajohndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "preaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 0, + "isAuditor": false, + "isDefaultAdmin": false, + "isExecMobileAppEnabled": true, + "isPasswordExpired": false, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "newLocationCreateAllowed": false, + "password": "*****", + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 24354, + "isNameL10nTag": false, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "326", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:06:04.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Add Auditor + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "disabled": false, + "id": 19752860, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 30510, + "isNameL10nTag": false, + "name": "Auditor" + }, + "userName": "areiiiel" + }, + "preaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "id": 0, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "password": "*****", + "pwdLastModifiedTime": 0, + "userName": "areiiiel" + }, + "recordid": "328", + "resource": "areiiiel", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_AUDITOR", + "time": "2024-10-22 22:10:28.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_password_expiration.py b/rules/zscaler_rules/zia/zia_password_expiration.py new file mode 100644 index 000000000..5f33d2de8 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_password_expiration.py @@ -0,0 +1,34 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + password_exp_pre = event.deep_get( + "event", + "preaction", + "passwordExpirationEnabled", + default="", + ) + password_exp_post = event.deep_get( + "event", + "postaction", + "passwordExpirationEnabled", + default="", + ) + if action == "UPDATE" and category == "LOGIN" and password_exp_pre != password_exp_post: + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: SAML configuration was changed by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_password_expiration.yml b/rules/zscaler_rules/zia/zia_password_expiration.yml new file mode 100644 index 000000000..cc1556218 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_password_expiration.yml @@ -0,0 +1,73 @@ +AnalysisType: rule +RuleID: ZIA.Password.Expiration +Description: This rule detects when password expiration eas set/removed. +DisplayName: ZIA Password Expiration +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/configuring-password-expiration +Enabled: true +Filename: zia_password_expiration.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0007:T1201 # Password Policy Discovery +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration Management > Administrator Management > Set Password Expriration 180 days + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "LOGIN", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "passwordExpirationEnabled": true, + "passwordExpiryDays": 180 + }, + "preaction": { + "passwordExpirationEnabled": false, + "passwordExpiryDays": 180 + }, + "recordid": "331", + "resource": "None", + "result": "SUCCESS", + "subcategory": "PASSWORD_EXPIRY", + "time": "2024-10-22 22:12:25.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Administrator Management > Remove Password Expriration + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "LOGIN", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "passwordExpirationEnabled": false, + "passwordExpiryDays": 180 + }, + "preaction": { + "passwordExpirationEnabled": true, + "passwordExpiryDays": 180 + }, + "recordid": "331", + "resource": "None", + "result": "SUCCESS", + "subcategory": "PASSWORD_EXPIRY", + "time": "2024-10-22 22:12:25.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_trust_modification.py b/rules/zscaler_rules/zia/zia_trust_modification.py new file mode 100644 index 000000000..5a65491fd --- /dev/null +++ b/rules/zscaler_rules/zia/zia_trust_modification.py @@ -0,0 +1,32 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + saml_enabled_pre = event.deep_get( + "event", "preaction", "samlEnabled", default="" + ) + saml_enabled_post = event.deep_get( + "event", "postaction", "samlEnabled", default="" + ) + if ( + action == "UPDATE" + and category == "ADMINISTRATOR_MANAGEMENT" + and saml_enabled_pre != saml_enabled_post + ): + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: SAML configuration was changed by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_trust_modification.yml b/rules/zscaler_rules/zia/zia_trust_modification.yml new file mode 100644 index 000000000..97a383264 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_trust_modification.yml @@ -0,0 +1,75 @@ +AnalysisType: rule +RuleID: ZIA.Trust.Modification +Description: This rule detects when SAML authentication was enabled/disabled. +DisplayName: ZIA Trust Modification +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/configuring-saml +Enabled: true +Filename: zia_trust_modification.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0004:T1484.002 # Domain or Tenant Policy Modification: Trust Modification +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > Administration Management > Enable SAML Authentication + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "certFilename": "abc.crt", + "productId": 0, + "samlEnabled": true + }, + "preaction": { + "productId": 0, + "samlEnabled": false + }, + "recordid": "332", + "resource": "None", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_SAML", + "time": "2024-10-22 22:13:23.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Administration Management > Disable SAML Authentication + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "certFilename": "abc.crt", + "productId": 0, + "samlEnabled": false + }, + "preaction": { + "productId": 0, + "samlEnabled": true + }, + "recordid": "332", + "resource": "None", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_SAML", + "time": "2024-10-22 22:13:23.000000000" + }, + "sourcetype": "zscalernss-audit" + }