New events: CloudStrike - Cloud-Conscious Tactics, Techniques, and Pr…

…ocedures (TTPs) & UpdateSMLProvider research (#17)

* UpdateSMLProvider Persistence research

* fwd:cloudsec Cloud-Conscious TTPs

docs/events.json

@@ -291,7 +291,7 @@
         "researchLinks": [
             {
                 "description": "An AWS account attempted to leave the AWS Organization",
-                "link": "hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"
+                "link": "https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"
             }
         ],
         "securityImplications": "Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.",
@@ -417,6 +417,10 @@
             {
                 "description": "New tactics and techniques for proactive threat detection",
                 "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -589,6 +593,10 @@
             {
                 "description": "Detecting AI resource-hijacking with Composite Alerts",
                 "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -1006,6 +1014,10 @@
             {
                 "description": "AWS CloudWatch Alarm Deletion",
                 "link": "https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "securityImplications": "Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",
@@ -1366,6 +1378,35 @@
         ],
         "permissions": "N/A"
     },
+    {
+        "eventName": "GetSigninToken",
+        "eventSource": "signin.amazonaws.com",
+        "awsService": "SignIn",
+        "description": "Generate a SigninToken that can be used to login to the the AWS Management Console.",
+        "mitreAttackTactics": [
+            "TA0001 - Initial Access"
+        ],
+        "mitreAttackTechniques": [
+            "T1078 - Valid Accounts"
+        ],
+        "usedInWild": true,
+        "incidents": [
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+            }
+        ],
+        "researchLinks": [],
+        "securityImplications": "Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "N/A"
+            }
+        ],
+        "permissions": "N/A"
+    },
     {
         "eventName": "CreateFunction20150331",
         "eventSource": "lambda.amazonaws.com",
@@ -2596,6 +2637,10 @@
             {
                 "description": "Muddled Libra\u2019s Evolution to the Cloud",
                 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -2858,6 +2903,36 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRoles"
     },
+    {
+        "eventName": "UpdateSAMLProvider",
+        "eventSource": "iam.amazonaws.com",
+        "awsService": "IAM",
+        "description": "Updates the metadata document for an existing SAML provider resource object.",
+        "mitreAttackTactics": [
+            "TA0003 - Persistence",
+            "TA0004 - Privilege Escalation"
+        ],
+        "mitreAttackTechniques": [
+            "T1098 - Account Manipulation"
+        ],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Gaining AWS Persistence by Updating a SAML Identity Provider",
+                "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5"
+            }
+        ],
+        "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider"
+    },
     {
         "eventName": "PutRolePermissionsBoundary",
         "eventSource": "iam.amazonaws.com",
@@ -4123,6 +4198,10 @@
             {
                 "description": "Muddled Libra\u2019s Evolution to the Cloud",
                 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [],
@@ -4197,6 +4276,10 @@
             {
                 "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets",
                 "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [],
@@ -4757,8 +4840,13 @@
         "mitreAttackTechniques": [
             "T1562 - Impair Defenses"
         ],
-        "usedInWild": false,
-        "incidents": [],
+        "usedInWild": true,
+        "incidents": [
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+            }
+        ],
         "researchLinks": [
             {
                 "description": "AWS Defense Evasion and Centralized Multi-Account Logging",
@@ -4799,11 +4887,15 @@
         "mitreAttackTechniques": [
             "T1562 - Impair Defenses"
         ],
-        "usedInWild": false,
+        "usedInWild": true,
         "incidents": [
             {
                 "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD",
                 "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -6854,8 +6946,13 @@
         "mitreAttackTechniques": [
             "T1089 - Disabling Security Tools"
         ],
-        "usedInWild": false,
-        "incidents": [],
+        "usedInWild": true,
+        "incidents": [
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+            }
+        ],
         "researchLinks": [
             {
                 "description": "Removing VPC flow logs",
@@ -7619,6 +7716,10 @@
             {
                 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
                 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -8423,6 +8524,10 @@
             {
                 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
                 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [],
@@ -8917,6 +9022,10 @@
             {
                 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
                 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "researchLinks": [
@@ -9621,6 +9730,10 @@
             {
                 "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
                 "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+            },
+            {
+                "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+                "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
             }
         ],
         "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",

events/CloudTrail/DeleteTrail.json

@@ -9,11 +9,15 @@
     "mitreAttackTechniques": [
         "T1562 - Impair Defenses"
     ],
-    "usedInWild": false,
+    "usedInWild": true,
     "incidents": [
         {
             "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD",
             "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "researchLinks": [

events/CloudTrail/UpdateTrail.json

@@ -9,8 +9,13 @@
     "mitreAttackTechniques": [
         "T1562 - Impair Defenses"
     ],
-    "usedInWild": false,
-    "incidents": [],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+        }
+    ],
     "researchLinks": [
         {
             "description": "AWS Defense Evasion and Centralized Multi-Account Logging",

events/CloudWatch/DeleteAlarms.json

@@ -15,6 +15,10 @@
         {
             "description": "AWS CloudWatch Alarm Deletion",
             "link": "https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "securityImplications": "Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",

events/EC2/DeleteFlowLogs.json

@@ -9,8 +9,13 @@
     "mitreAttackTechniques": [
         "T1089 - Disabling Security Tools"
     ],
-    "usedInWild": false,
-    "incidents": [],
+    "usedInWild": true,
+    "incidents": [
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+        }
+    ],
     "researchLinks": [
         {
             "description": "Removing VPC flow logs",

events/EC2/SendSSHPublicKey.json

@@ -18,6 +18,10 @@
         {
             "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
             "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "researchLinks": [

events/EC2/SendSerialConsoleSSHPublicKey.json

@@ -18,6 +18,10 @@
         {
             "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
             "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "researchLinks": [],

events/GuardDuty/DeleteDetector.json

@@ -28,6 +28,10 @@
         {
             "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
             "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",

events/IAM/ListUsers.json

@@ -30,6 +30,10 @@
         {
             "description": "Muddled Libra\u2019s Evolution to the Cloud",
             "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+        },
+        {
+            "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+            "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
         }
     ],
     "researchLinks": [

events/IAM/UpdateSAMLProvider.json

@@ -0,0 +1,30 @@
+{
+    "eventName": "UpdateSAMLProvider",
+    "eventSource": "iam.amazonaws.com",
+    "awsService": "IAM",
+    "description": "Updates the metadata document for an existing SAML provider resource object.",
+    "mitreAttackTactics": [
+        "TA0003 - Persistence",
+        "TA0004 - Privilege Escalation"
+    ],
+    "mitreAttackTechniques": [
+        "T1098 - Account Manipulation"
+    ],
+    "usedInWild": false,
+    "incidents": [],
+    "researchLinks": [
+        {
+            "description": "Gaining AWS Persistence by Updating a SAML Identity Provider",
+            "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5"
+        }
+    ],
+    "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider"
+}