From 17d418880b30a2c712ff3253819b3d720a29b4c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adan=20=C3=81lvarez?=
Date: Tue, 24 Sep 2024 12:04:13 +0200
Subject: [PATCH] New events: CloudStrike - Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) & UpdateSMLProvider research (#17)

* UpdateSMLProvider Persistence research
* fwd:cloudsec Cloud-Conscious TTPs
---
 docs/datadog_dashboard.json | 1374 ++++++++---------
 docs/events.csv | 30 +-
 docs/events.json | 125 +-
 events/CloudTrail/DeleteTrail.json | 6 +-
 events/CloudTrail/UpdateTrail.json | 9 +-
 events/CloudWatch/DeleteAlarms.json | 4 +
 events/EC2/DeleteFlowLogs.json | 9 +-
 events/EC2/SendSSHPublicKey.json | 4 +
 events/EC2/SendSerialConsoleSSHPublicKey.json | 4 +
 events/GuardDuty/DeleteDetector.json | 4 +
 events/IAM/ListUsers.json | 4 +
 events/IAM/UpdateSAMLProvider.json | 30 +
 events/IAM/UpdateSAMLProvider.json.cloudtrail | 51 +
 events/Organizations/LeaveOrganization.json | 2 +-
 events/SSM/SendCommand.json | 4 +
 events/SecretsManager/GetSecretValue.json | 4 +
 events/SecretsManager/ListSecrets.json | 4 +
 .../GetCallerIdentity.json | 4 +
 .../GetFederationToken.json | 4 +
 events/SignIn/GetSigninToken.json | 29 +
 events/SignIn/GetSigninToken.json.cloudtrail | 54 +
 21 files changed, 1046 insertions(+), 713 deletions(-)
 create mode 100644 events/IAM/UpdateSAMLProvider.json
 create mode 100644 events/IAM/UpdateSAMLProvider.json.cloudtrail
 create mode 100644 events/SignIn/GetSigninToken.json
 create mode 100644 events/SignIn/GetSigninToken.json.cloudtrail

diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
index 3df8e00..200a5b2 100644
--- a/docs/datadog_dashboard.json
+++ b/docs/datadog_dashboard.json
@@ -361,7 +361,7 @@ } }, { - "id": 3588297525, + "id": 2483282799, "definition": { "type": "group", "layout_type": "ordered", 
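Review bot: Regenerated widget ids make this dashboard diff unreviewable: the only change in this hunk, and in every other hunk of docs/datadog_dashboard.json shown here, is one random `id` replaced by another (`3588297525` → `2483282799`), which is why the diffstat charges 1374 changed lines to a file whose substantive change is presumably just the widgets for the new UpdateSAMLProvider and GetSigninToken events. If the file comes from a generator, derive each widget id deterministically from its event key (for example a stable hash of the `Service-EventName` anchor already used in each note's content) or omit `id` altogether, which the Datadog dashboard API treats as server-assigned, so that future event additions show up as small, reviewable diffs. Unrelated to the hunk but worth fixing before merge: the commit title and body spell the vendor and the event as `CloudStrike` and `UpdateSMLProvider`, while the new files are `events/IAM/UpdateSAMLProvider.json` and the linked report is CrowdStrike's.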
@@ -370,7 +370,7 @@ "show_title": true, "widgets": [ { - "id": 136735265, + "id": 928901889, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -389,7 +389,7 @@ } }, { - "id": 1788491321, + "id": 1720076224, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -431,7 +431,7 @@ } }, { - "id": 839006797, + "id": 1035556850, "definition": { "type": "note", "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n", @@ -450,7 +450,7 @@ } }, { - "id": 343279205, + "id": 1826731185, "definition": { "title": "GetSessionToken", "title_size": "16", 
@@ -492,7 +492,7 @@ } }, { - "id": 3960622053, + "id": 798485141, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -511,7 +511,7 @@ } }, { - "id": 1317410813, + "id": 3637804237, "definition": { "title": "AssumeRole", "title_size": "16", @@ -553,7 +553,7 @@ } }, { - "id": 1225062937, + "id": 1871891506, "definition": { "type": "note", "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n", @@ -572,7 +572,7 @@ } }, { - "id": 729335345, + "id": 2663065841, "definition": { "title": "AssumeRoleWithSAML", "title_size": "16", 
@@ -614,7 +614,7 @@ } }, { - "id": 459735978, + "id": 1785925292, "definition": { "type": "note", "content": "### [PasswordRecoveryRequested ](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested )\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n", @@ -633,7 +633,7 @@ } }, { - "id": 4258975682, + "id": 2577099627, "definition": { "title": "PasswordRecoveryRequested ", "title_size": "16", 
@@ -675,7 +675,7 @@ } }, { - "id": 3283749503, + "id": 2228180044, "definition": { "type": "note", "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -694,7 +694,7 @@ } }, { - "id": 640538263, + "id": 3019354379, "definition": { "title": "ConsoleLogin", "title_size": "16", 
@@ -745,7 +745,7 @@ } }, { - "id": 2996386953, + "id": 4293430680, "definition": { "type": "group", "layout_type": "ordered", @@ -754,7 +754,7 @@ "show_title": true, "widgets": [ { - "id": 3323236379, + "id": 200319170, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -773,7 +773,7 @@ } }, { - "id": 680025139, + "id": 991493505, "definition": { "title": "SendCommand", "title_size": "16", @@ -815,7 +815,7 @@ } }, { - "id": 3012716631, + "id": 901383045, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", 
@@ -834,7 +834,7 @@ } }, { - "id": 369505391, + "id": 1692557380, "definition": { "title": "StartSession", "title_size": "16", @@ -876,7 +876,7 @@ } }, { - "id": 2969203002, + "id": 2504595185, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -895,7 +895,7 @@ } }, { - "id": 2473475410, + "id": 3196430633, "definition": { "title": "ResumeSession", "title_size": "16", @@ -946,7 +946,7 @@ } }, { - "id": 1659333303, + "id": 591625653, "definition": { "type": "group", "layout_type": "ordered", @@ -955,7 +955,7 @@ "show_title": true, "widgets": [ { - "id": 3747166130, + "id": 4108714488, "definition": { "type": "note", "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", 
@@ -974,7 +974,7 @@ } }, { - "id": 3251438538, + "id": 604921527, "definition": { "title": "GetFederationToken", "title_size": "16", @@ -1016,7 +1016,7 @@ } }, { - "id": 3327941570, + "id": 761750385, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -1035,7 +1035,7 @@ } }, { - "id": 684730330, + "id": 1552924720, "definition": { "title": "AssumeRole", "title_size": "16", @@ -1077,7 +1077,7 @@ } }, { - "id": 215583257, + "id": 2888390461, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -1096,7 +1096,7 @@ } }, { - "id": 1867339313, + "id": 1432742261, "definition": { "title": "CreateFunction20150331", "title_size": "16", @@ -1138,7 +1138,7 @@ } }, { - "id": 3112022501, + "id": 2610963901, "definition": { "type": "note", "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n", @@ -1157,7 +1157,7 @@ } }, { - "id": 2616294909, + "id": 1254654588, "definition": { "title": "UpdateFunctionConfiguration20150331v2", "title_size": "16", 
@@ -1199,7 +1199,7 @@ } }, { - "id": 310072961, + "id": 2988377886, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -1218,7 +1218,7 @@ } }, { - "id": 4109312665, + "id": 1632068573, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -1260,7 +1260,7 @@ } }, { - "id": 369032707, + "id": 1916272657, "definition": { "type": "note", "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -1279,7 +1279,7 @@ } }, { - "id": 4168272411, + "id": 559963344, "definition": { "title": "PutTargets", "title_size": "16", 
@@ -1321,7 +1321,7 @@ } }, { - "id": 4082383453, + "id": 854836271, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -1340,7 +1340,7 @@ } }, { - "id": 3586655861, + "id": 1646010606, "definition": { "title": "PutRule", "title_size": "16", @@ -1382,7 +1382,7 @@ } }, { - "id": 2199122828, + "id": 2186590715, "definition": { "type": "note", "content": "### [CreateSAMLProvider](https://traildiscover.cloud/#IAM-CreateSAMLProvider)\n\n**Description:** Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -1401,7 +1401,7 @@ } }, { - "id": 1703395236, + "id": 2977765050, "definition": { "title": "CreateSAMLProvider", "title_size": "16", 
@@ -1443,7 +1443,7 @@ } }, { - "id": 3289875963, + "id": 648120166, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1462,7 +1462,7 @@ } }, { - "id": 646664723, + "id": 3586778149, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -1504,7 +1504,7 @@ } }, { - "id": 2957385177, + "id": 4115675177, "definition": { "type": "note", "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", @@ -1523,7 +1523,7 @@ } }, { - "id": 2461657585, + "id": 611882216, "definition": { "title": "UpdateAccessKey", "title_size": "16", 
@@ -1565,7 +1565,7 @@ } }, { - "id": 986550266, + "id": 4019606745, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1584,7 +1584,7 @@ } }, { - "id": 2538967435, + "id": 515813784, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -1626,7 +1626,7 @@ } }, { - "id": 657542373, + "id": 3478608496, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1645,7 +1645,7 @@ } }, { - "id": 2309298429, + "id": 2122299183, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -1687,7 +1687,7 @@ } }, { - "id": 756187096, + "id": 1560385805, "definition": { "type": "note", "content": "### [StartSSO](https://traildiscover.cloud/#SSO-StartSSO)\n\n**Description:** Initialize AWS IAM Identity Center\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -1706,7 +1706,7 @@ } }, { - "id": 2407943152, + "id": 2351560140, "definition": { "title": "StartSSO", "title_size": "16", @@ -1748,7 +1748,7 @@ } }, { - "id": 3123983699, + "id": 4063304169, "definition": { "type": "note", "content": "### [CreateOpenIDConnectProvider](https://traildiscover.cloud/#IAM-CreateOpenIDConnectProvider)\n\n**Description:** Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -1767,7 +1767,7 @@ } }, { - "id": 480772459, + "id": 2706994856, "definition": { "title": "CreateOpenIDConnectProvider", "title_size": "16", 
@@ -1809,7 +1809,7 @@ } }, { - "id": 2477981653, + "id": 3713623714, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1828,7 +1828,7 @@ } }, { - "id": 1982254061, + "id": 2257975514, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -1870,7 +1870,7 @@ } }, { - "id": 1429413464, + "id": 2276576540, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1889,7 +1889,7 @@ } }, { - "id": 933685872, + "id": 820928340, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -1931,7 +1931,7 @@ } }, { - "id": 1343372718, + "id": 3517210217, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -1950,7 +1950,7 @@ } }, { - "id": 2995128774, + "id": 2160900904, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -1992,7 +1992,7 @@ } }, { - "id": 2796625157, + "id": 632302363, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -2011,7 +2011,7 @@ } }, { - "id": 2300897565, + "id": 3570960346, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -2053,7 +2053,7 @@ } }, { - "id": 615394069, + "id": 430181746, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -2072,7 +2072,7 @@ } }, { - "id": 119666477, + "id": 3368839729, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -2114,7 +2114,7 @@ } }, { - "id": 2891451944, + "id": 265509136, "definition": { "type": "note", "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -2133,7 +2133,7 @@ } }, { - "id": 2395724352, + "id": 1056683471, "definition": { "title": "CreateRole", "title_size": "16", @@ -2175,7 +2175,7 @@ } }, { - "id": 2442492271, + "id": 4213709996, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2194,7 +2194,7 @@ } }, { - "id": 1946764679, + "id": 709917035, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", @@ -2236,7 +2236,7 @@ } }, { - "id": 4246563145, + "id": 3069114504, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2255,7 +2255,7 @@ } }, { - "id": 3750835553, + "id": 1712805191, "definition": { "title": "CreateApiKey", "title_size": "16", 
@@ -2297,7 +2297,7 @@ } }, { - "id": 3439835315, + "id": 867377120, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2316,7 +2316,7 @@ } }, { - "id": 2944107723, + "id": 1658551455, "definition": { "title": "UpdateResolver", "title_size": "16", @@ -2358,7 +2358,7 @@ } }, { - "id": 371316818, + "id": 2538234816, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -2377,7 +2377,7 @@ } }, { - "id": 1923733987, + "id": 1082586616, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -2419,7 +2419,7 @@ } }, { - "id": 528933223, + "id": 2859503607, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2438,7 +2438,7 @@ } }, { - "id": 33205631, + "id": 1503194294, "definition": { "title": "CreateSecurityGroup", "title_size": "16", @@ -2480,7 +2480,7 @@ } }, { - "id": 92199317, + "id": 3594157511, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", 
@@ -2499,7 +2499,7 @@ } }, { - "id": 3891439021, + "id": 2237848198, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -2541,7 +2541,7 @@ } }, { - "id": 230528264, + "id": 1520018841, "definition": { "type": "note", "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -2560,7 +2560,7 @@ } }, { - "id": 4029767968, + "id": 2311193176, "definition": { "title": "CreateNetworkAclEntry", "title_size": "16", @@ -2602,7 +2602,7 @@ } }, { - "id": 3511201690, + "id": 1645614082, "definition": { "type": "note", "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", 
@@ -2621,7 +2621,7 @@ } }, { - "id": 3015474098, + "id": 289304769, "definition": { "title": "CreateKeyPair", "title_size": "16", @@ -2663,7 +2663,7 @@ } }, { - "id": 2142486532, + "id": 2851508683, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", 
@@ -2682,7 +2682,7 @@ } }, { - "id": 1646758940, + "id": 3642683018, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -2724,7 +2724,7 @@ } }, { - "id": 517938745, + "id": 3373286205, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2743,7 +2743,7 @@ } }, { - "id": 2169694801, + "id": 2016976892, "definition": { "title": "RunInstances", "title_size": "16", @@ -2785,7 +2785,7 @@ } }, { - "id": 2044158600, + "id": 4002314738, "definition": { "type": "note", "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", 
@@ -2804,7 +2804,7 @@ } }, { - "id": 3695914656, + "id": 2546666538, "definition": { "title": "ImportKeyPair", "title_size": "16", @@ -2855,7 +2855,7 @@ } }, { - "id": 1503107282, + "id": 2712861128, "definition": { "type": "group", "layout_type": "ordered", @@ -2864,7 +2864,7 @@ "show_title": true, "widgets": [ { - "id": 3505131373, + "id": 130541971, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -2883,7 +2883,7 @@ } }, { - "id": 762581246, + "id": 921716306, "definition": { "title": "AssumeRole", "title_size": "16", @@ -2925,7 +2925,7 @@ } }, { - "id": 3447325670, + "id": 1858600894, "definition": { "type": "note", "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2944,7 +2944,7 @@ } }, { - "id": 2951598078, + "id": 502291581, "definition": { "title": "GetCredentialsForIdentity", "title_size": "16", 
@@ -2986,7 +2986,7 @@ } }, { - "id": 1481010747, + "id": 1905160783, "definition": { "type": "note", "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -3005,7 +3005,7 @@ } }, { - "id": 985283155, + "id": 2696335118, "definition": { "title": "GetId", "title_size": "16", @@ -3047,7 +3047,7 @@ } }, { - "id": 2540256708, + "id": 2257182047, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3066,7 +3066,7 @@ } }, { - "id": 4192012764, + "id": 3048356382, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -3108,7 +3108,7 @@ } }, { - "id": 1935993835, + "id": 4271291546, "definition": { "type": "note", "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3127,7 +3127,7 @@ } }, { - "id": 1440266243, + "id": 668159698, "definition": { "title": "CreateEventSourceMapping20150331", "title_size": "16", @@ -3169,7 +3169,7 @@ } }, { - "id": 2062131361, + "id": 3289993669, "definition": { "type": "note", "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3188,7 +3188,7 @@ } }, { - "id": 1566403769, + "id": 4081168004, "definition": { "title": "AddPermission20150331v2", "title_size": "16", @@ -3230,7 +3230,7 @@ } }, { - "id": 3455005799, + "id": 1474449902, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3249,7 +3249,7 @@ } }, { - "id": 811794559, + "id": 2265624237, "definition": { "title": "Invoke", "title_size": "16", 
@@ -3291,7 +3291,7 @@ } }, { - "id": 4075956426, + "id": 3684348516, "definition": { "type": "note", "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -3310,7 +3310,7 @@ } }, { - "id": 3580228834, + "id": 180555555, "definition": { "title": "UpdateEventSourceMapping20150331", "title_size": "16", @@ -3352,7 +3352,7 @@ } }, { - "id": 4156885466, + "id": 71456688, "definition": { "type": "note", "content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3371,7 +3371,7 @@ } }, { - "id": 3661157874, + "id": 3010114671, "definition": { "title": "DeleteRolePolicy", "title_size": "16", @@ -3413,7 +3413,7 @@ } }, { - "id": 3011860223, + "id": 850691001, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -3432,7 +3432,7 @@ } }, { - "id": 368648983, + "id": 1641865336, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -3474,7 +3474,7 @@ } }, { - "id": 2073182094, + "id": 16911752, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3493,7 +3493,7 @@ } }, { - "id": 3724938150, + "id": 2955569735, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -3535,7 +3535,7 @@ } }, { - "id": 664961769, + "id": 1866629533, "definition": { "type": "note", "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3554,7 +3554,7 @@ } }, { - "id": 2316717825, + "id": 410981333, "definition": { "title": "AddUserToGroup", "title_size": "16", 
@@ -3596,7 +3596,7 @@ } }, { - "id": 3160163956, + "id": 1340253570, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3615,7 +3615,7 @@ } }, { - "id": 516952716, + "id": 2131427905, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -3657,7 +3657,7 @@ } }, { - "id": 2930494950, + "id": 2093800106, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3676,7 +3676,7 @@ } }, { - "id": 2434767358, + "id": 638151906, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -3718,7 +3718,7 @@ } }, { - "id": 1629039534, + "id": 1539106903, "definition": { "type": "note", "content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3737,7 +3737,7 @@ } }, { - "id": 3280795590, + "id": 2330281238, "definition": { "title": "CreatePolicyVersion", "title_size": "16", @@ -3779,7 +3779,7 @@ } }, { - "id": 1116737238, + "id": 2589982249, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3798,7 +3798,7 @@ } }, { - "id": 2768493294, + "id": 3381156584, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -3840,7 +3840,7 @@ } }, { - "id": 3121902456, + "id": 1941351611, "definition": { "type": "note", "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3859,7 +3859,7 @@ } }, { - "id": 2626174864, + "id": 2732525946, "definition": { "title": "PutRolePermissionsBoundary", "title_size": "16", 
@@ -3901,7 +3901,7 @@ } }, { - "id": 2788531622, + "id": 368456013, "definition": { "type": "note", "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3920,7 +3920,7 @@ } }, { - "id": 2292804030, + "id": 1159630348, "definition": { "title": "PutUserPermissionsBoundary", "title_size": "16", @@ -3962,7 +3962,7 @@ } }, { - "id": 3301969340, + "id": 2697308265, "definition": { "type": "note", "content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3981,7 +3981,7 @@ } }, { - "id": 2806241748, + "id": 3488482600, "definition": { "title": "DeleteUserPermissionsBoundary", "title_size": "16", @@ -4023,7 +4023,7 @@ } }, { - "id": 2314784856, + "id": 2122900208, "definition": { "type": "note", "content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4042,7 +4042,7 @@ } }, { - "id": 1819057264, + "id": 2914074543, "definition": { "title": "AttachRolePolicy", "title_size": "16", 
@@ -4084,7 +4084,7 @@ } }, { - "id": 3597055404, + "id": 3101571871, "definition": { "type": "note", "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4103,7 +4103,7 @@ } }, { - "id": 3101327812, + "id": 1745262558, "definition": { "title": "SetDefaultPolicyVersion", "title_size": "16", @@ -4145,7 +4145,7 @@ } }, { - "id": 1261287784, + "id": 2229476437, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4164,7 +4164,7 @@ } }, { - "id": 765560192, + "id": 3020650772, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -4206,7 +4206,7 @@ } }, { - "id": 3613095787, + "id": 694788921, "definition": { "type": "note", "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", @@ -4225,7 +4225,7 @@ } }, { - "id": 969884547, + "id": 3534108017, "definition": { "title": "CreateGroup", "title_size": "16", @@ -4267,7 +4267,7 @@ } }, { - "id": 1554882393, + "id": 3792851774, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4286,7 +4286,7 @@ } }, { - "id": 3206638449, + "id": 2436542461, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -4328,7 +4328,7 @@ } }, { - "id": 4077155787, + "id": 363981275, "definition": { "type": "note", "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4347,7 +4347,7 @@ } }, { - "id": 3581428195, + "id": 1155155610, "definition": { "title": "DeleteRolePermissionsBoundary", "title_size": "16", @@ -4389,7 +4389,7 @@ } }, { - "id": 4059681117, + "id": 1574642711, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4408,7 +4408,7 @@ } }, { - "id": 3563953525, + "id": 2266478159, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4450,7 +4450,7 @@ } }, { - "id": 3616325295, + "id": 4228164601, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -4469,7 +4469,7 @@ } }, { - "id": 3120597703, + "id": 724371640, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -4511,7 +4511,7 @@ } }, { - "id": 2069155223, + "id": 2247916484, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -4530,7 +4530,7 @@ } }, { - "id": 1573427631, + "id": 792268284, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -4572,7 +4572,7 @@ } }, { - "id": 3138128220, + "id": 2698290491, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4591,7 +4591,7 @@ } }, { - "id": 494916980, + "id": 1242642291, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -4633,7 +4633,7 @@ } }, { - "id": 2176892204, + "id": 1789738917, "definition": { "type": "note", "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4652,7 +4652,7 @@ } }, { - "id": 1681164612, + "id": 2580913252, "definition": { "title": "PutRolePolicy", "title_size": "16", @@ -4694,7 +4694,7 @@ } }, { - "id": 3242141544, + "id": 2677993025, "definition": { "type": "note", "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", @@ -4713,7 +4713,7 @@ } }, { - "id": 2746413952, + "id": 3469167360, "definition": { "title": "AddRoleToInstanceProfile", "title_size": "16", 
@@ -4755,7 +4755,7 @@ } }, { - "id": 1701251402, + "id": 2657650809, "definition": { "type": "note", "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4774,7 +4774,7 @@ } }, { - "id": 1106184923, + "id": 3448825144, "definition": { "title": "AttachGroupPolicy", "title_size": "16", @@ -4816,7 +4816,7 @@ } }, { - "id": 432184432, + "id": 867125675, "definition": { "type": "note", "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4835,7 +4835,7 @@ } }, { - "id": 4231424136, + "id": 1658300010, "definition": { "title": "AssociateAccessPolicy", "title_size": "16", @@ -4877,7 +4877,7 @@ } }, { - "id": 1247675485, + "id": 785727516, "definition": { "type": "note", "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4896,7 +4896,7 @@ } }, { - "id": 2899431541, + "id": 1576901851, "definition": { "title": "CreateAccessEntry", "title_size": "16", 
@@ -4938,7 +4938,7 @@ } }, { - "id": 589398513, + "id": 636119502, "definition": { "type": "note", "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -4957,7 +4957,7 @@ } }, { - "id": 2241154569, + "id": 3574777485, "definition": { "title": "ModifyInstanceAttribute", "title_size": "16", @@ -4999,7 +4999,7 @@ } }, { - "id": 776907477, + "id": 962896145, "definition": { "type": "note", "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -5018,7 +5018,7 @@ } }, { - "id": 281179885, + "id": 3901554128, "definition": { "title": "ReplaceIamInstanceProfileAssociation", "title_size": "16", 
@@ -5060,7 +5060,7 @@ } }, { - "id": 3813985218, + "id": 2969896091, "definition": { "type": "note", "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5079,7 +5079,7 @@ } }, { - "id": 3318257626, + "id": 3761070426, "definition": { "title": "CreateDevEndpoint", "title_size": "16", @@ -5121,7 +5121,7 @@ } }, { - "id": 3455897844, + "id": 2181454633, "definition": { "type": "note", "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5140,7 +5140,7 @@ } }, { - "id": 2960170252, + "id": 2972628968, "definition": { "title": "UpdateJob", "title_size": "16", @@ -5182,7 +5182,7 @@ } }, { - "id": 1009613561, + "id": 527460129, "definition": { "type": "note", "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5201,7 +5201,7 @@ } }, { - "id": 513885969, + "id": 3466118112, "definition": { "title": "CreateJob", "title_size": "16", @@ -5243,7 +5243,7 @@ } }, { - "id": 3789170845, + "id": 3886066409, "definition": { "type": "note", "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -5262,7 +5262,7 @@ } }, { - "id": 3293443253, + "id": 2529757096, "definition": { "title": "UpdateDevEndpoint", "title_size": "16", @@ -5313,7 +5313,7 @@ } }, { - "id": 239565790, + "id": 1025816392, "definition": { "type": "group", "layout_type": "ordered", @@ -5322,7 +5322,7 @@ "show_title": true, "widgets": [ { - "id": 1796173027, + "id": 2781646358, "definition": { "type": "note", "content": "### [InviteAccountToOrganization](https://traildiscover.cloud/#Organizations-InviteAccountToOrganization)\n\n**Description:** Sends an invitation to another account to join your organization as a member account.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -5341,7 +5341,7 @@ } }, { - "id": 3447929083, + "id": 3572820693, "definition": { "title": "InviteAccountToOrganization", "title_size": "16", @@ -5383,7 +5383,7 @@ } }, { - "id": 1096762342, + "id": 4125725449, "definition": { "type": "note", "content": "### [CreateAccount](https://traildiscover.cloud/#Organizations-CreateAccount)\n\n**Description:** Creates an AWS account that is automatically a member of the organization whose credentials made the request.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -5402,7 +5402,7 @@ } }, { - "id": 601034750, + "id": 621932488, "definition": { "title": "CreateAccount", "title_size": "16", 
@@ -5444,7 +5444,7 @@ } }, { - "id": 4273994413, + "id": 3806162142, "definition": { "type": "note", "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", @@ -5463,7 +5463,7 @@ } }, { - "id": 3778266821, + "id": 302369181, "definition": { "title": "LeaveOrganization", "title_size": "16", @@ -5505,7 +5505,7 @@ } }, { - "id": 4143205983, + "id": 654863569, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5524,7 +5524,7 @@ } }, { - "id": 3647478391, + "id": 1446037904, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5566,7 +5566,7 @@ } }, { - "id": 930548023, + "id": 480606216, "definition": { "type": "note", "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n", @@ -5585,7 +5585,7 @@ } }, { - "id": 2582304079, + "id": 3319925312, "definition": { "title": "DeleteAlarms", "title_size": "16", 
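Review bot: The two PutLogEvents widgets in this file (the hunks at -5505 here and -5749 on the next physical line) both receive the same regenerated ids, `654863569` for the note widget and `1446037904` for the chart widget, so the dashboard still carries duplicate widget ids after this regeneration. The previous ids were duplicated in exactly the same way (4143205983 / 3647478391), which suggests the generator derives a widget id from its content rather than from its position; if the Datadog importer treats ids as unique within a dashboard, one of the two widgets may be dropped or silently re-keyed on import — worth confirming before relying on these ids. Mixing the enclosing group or the widget index into the id derivation would keep repeated events distinct. Separately, the LeaveOrganization note in the -5444 hunk links to `hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/` (doubled `h`), which renders as a dead link; that typo most likely originates in the source event file this dashboard is generated from rather than in the generator itself.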
@@ -5627,7 +5627,7 @@ } }, { - "id": 1196300391, + "id": 163464031, "definition": { "type": "note", "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5646,7 +5646,7 @@ } }, { - "id": 2748717560, + "id": 3102122014, "definition": { "title": "DeleteLogGroup", "title_size": "16", @@ -5688,7 +5688,7 @@ } }, { - "id": 2592249971, + "id": 2573358640, "definition": { "type": "note", "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5707,7 +5707,7 @@ } }, { - "id": 4244006027, + "id": 3364532975, "definition": { "title": "DeleteLogStream", "title_size": "16", @@ -5749,7 +5749,7 @@ } }, { - "id": 4143205983, + "id": 654863569, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", 
@@ -5768,7 +5768,7 @@ } }, { - "id": 3647478391, + "id": 1446037904, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5810,7 +5810,7 @@ } }, { - "id": 3659357783, + "id": 2267851753, "definition": { "type": "note", "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5829,7 +5829,7 @@ } }, { - "id": 3163630191, + "id": 3059026088, "definition": { "title": "CreateLogStream", "title_size": "16", @@ -5871,7 +5871,7 @@ } }, { - "id": 1925427135, + "id": 3949522498, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -5890,7 +5890,7 @@ } }, { - "id": 1429699543, + "id": 2593213185, "definition": { "title": "DeleteRule", "title_size": "16", @@ -5932,7 +5932,7 @@ } }, { - "id": 3281856696, + "id": 3521854388, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -5951,7 +5951,7 @@ } }, { - "id": 539306569, + "id": 2165545075, "definition": { "title": "RemoveTargets", "title_size": "16", 
@@ -5993,7 +5993,7 @@ } }, { - "id": 2989936191, + "id": 96879806, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -6012,7 +6012,7 @@ } }, { - "id": 2494208599, + "id": 888054141, "definition": { "title": "DisableRule", "title_size": "16", @@ -6054,7 +6054,7 @@ } }, { - "id": 1358789946, + "id": 1987360265, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -6073,7 +6073,7 @@ } }, { - "id": 3010546002, + "id": 631050952, "definition": { "title": "PutRule", "title_size": "16", @@ -6115,7 +6115,7 @@ } }, { - "id": 1784879835, + "id": 1482842697, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -6134,7 +6134,7 @@ } }, { - "id": 3337297004, + "id": 126533384, "definition": { "title": "CreateInstances", "title_size": "16", 
@@ -6176,7 +6176,7 @@ } }, { - "id": 1386303468, + "id": 1662145325, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -6195,7 +6195,7 @@ } }, { - "id": 890575876, + "id": 2453319660, "definition": { "title": "DeleteMembers", "title_size": "16", @@ -6237,7 +6237,7 @@ } }, { - "id": 1115075537, + "id": 2025860587, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6256,7 +6256,7 @@ } }, { - "id": 619347945, + "id": 2817034922, "definition": { "title": "DetachRolePolicy", "title_size": "16", 
@@ -6298,7 +6298,7 @@ } }, { - "id": 1757321248, + "id": 2959830985, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6317,7 +6317,7 @@ } }, { - "id": 1261593656, + "id": 1603521672, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -6359,7 +6359,7 @@ } }, { - "id": 2054121412, + "id": 3163579862, "definition": { "type": "note", "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6378,7 +6378,7 @@ } }, { - "id": 1558393820, + "id": 1807270549, "definition": { "title": "DeleteAccessKey", "title_size": "16", 
@@ -6420,7 +6420,7 @@ } }, { - "id": 240311568, + "id": 3645553691, "definition": { "type": "note", "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6439,7 +6439,7 @@ } }, { - "id": 1892067624, + "id": 141760730, "definition": { "title": "DeleteUser", "title_size": "16", @@ -6481,7 +6481,7 @@ } }, { - "id": 436022684, + "id": 3068139227, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6500,7 +6500,7 @@ } }, { - "id": 4235262388, + "id": 3759974675, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -6542,7 +6542,7 @@ } }, { - "id": 4124372733, + "id": 4052686111, "definition": { "type": "note", "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", 
@@ -6561,7 +6561,7 @@ } }, { - "id": 3628645141, + "id": 548893150, "definition": { "title": "DeleteLoginProfile", "title_size": "16", @@ -6603,7 +6603,7 @@ } }, { - "id": 3441702120, + "id": 1517888078, "definition": { "type": "note", "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", @@ -6622,7 +6622,7 @@ } }, { - "id": 2945974528, + "id": 2309062413, "definition": { "title": "DeactivateMFADevice", "title_size": "16", @@ -6664,7 +6664,7 @@ } }, { - "id": 3972666051, + "id": 4002878676, "definition": { "type": "note", "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -6683,7 +6683,7 @@ } }, { - "id": 3476938459, + "id": 499085715, "definition": { "title": "CreateRule", "title_size": "16", 
@@ -6725,7 +6725,7 @@ } }, { - "id": 1762816202, + "id": 2128639493, "definition": { "type": "note", "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -6744,7 +6744,7 @@ } }, { - "id": 1167749723, + "id": 2919813828, "definition": { "title": "StopLogging", "title_size": "16", @@ -6786,7 +6786,7 @@ } }, { - "id": 4264104743, + "id": 1085979926, "definition": { "type": "note", "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6805,7 +6805,7 @@ } }, { - "id": 3768377151, + "id": 4024637909, "definition": { "title": "UpdateTrail", "title_size": "16", 
@@ -6847,7 +6847,7 @@ } }, { - "id": 4221136133, + "id": 407233308, "definition": { "type": "note", "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6866,7 +6866,7 @@ } }, { - "id": 3725408541, + "id": 1198407643, "definition": { "title": "DeleteTrail", "title_size": "16", @@ -6908,7 +6908,7 @@ } }, { - "id": 900381533, + "id": 1584411909, "definition": { "type": "note", "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -6927,7 +6927,7 @@ } }, { - "id": 404653941, + "id": 228102596, "definition": { "title": "PutEventSelectors", "title_size": "16", 
@@ -6969,7 +6969,7 @@ } }, { - "id": 1965721299, + "id": 1904205557, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6988,7 +6988,7 @@ } }, { - "id": 3617477355, + "id": 2695379892, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", @@ -7030,7 +7030,7 @@ } }, { - "id": 1522969638, + "id": 1564930915, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -7049,7 +7049,7 @@ } }, { - "id": 1027242046, + "id": 2356105250, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -7091,7 +7091,7 @@ } }, { - "id": 3716664319, + "id": 2852839977, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -7110,7 +7110,7 @@ } }, { - "id": 3220936727, + "id": 3644014312, "definition": { "title": "UpdateResolver", "title_size": "16", 
@@ -7152,7 +7152,7 @@ } }, { - "id": 2783540918, + "id": 711784290, "definition": { "type": "note", "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", @@ -7171,7 +7171,7 @@ } }, { - "id": 140329678, + "id": 1502958625, "definition": { "title": "DeleteBucketPolicy", "title_size": "16", @@ -7213,7 +7213,7 @@ } }, { - "id": 748439779, + "id": 203461421, "definition": { "type": "note", "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", @@ -7232,7 +7232,7 @@ } }, { - "id": 2400195835, + "id": 994635756, "definition": { "title": "DeleteFlowLogs", "title_size": "16", @@ -7274,7 +7274,7 @@ } }, { - "id": 13689000, + "id": 3477910314, "definition": { "type": "note", "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7293,7 +7293,7 @@ } }, { - "id": 3812928704, + "id": 4269084649, "definition": { "title": "DeleteNetworkAcl", "title_size": "16", 
@@ -7335,7 +7335,7 @@ } }, { - "id": 2090706372, + "id": 896017343, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -7354,7 +7354,7 @@ } }, { - "id": 1594978780, + "id": 3834675326, "definition": { "title": "TerminateInstances", "title_size": "16", @@ -7396,7 +7396,7 @@ } }, { - "id": 3885009126, + "id": 4163629069, "definition": { "type": "note", "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7415,7 +7415,7 @@ } }, { - "id": 3389281534, + "id": 2807319756, "definition": { "title": "DeleteNetworkAclEntry", "title_size": "16", 
@@ -7457,7 +7457,7 @@ } }, { - "id": 3620923312, + "id": 1570515484, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -7476,7 +7476,7 @@ } }, { - "id": 3125195720, + "id": 214206171, "definition": { "title": "StopInstances", "title_size": "16", @@ -7518,7 +7518,7 @@ } }, { - "id": 1846118731, + "id": 4222736997, "definition": { "type": "note", "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -7537,7 +7537,7 @@ } }, { - "id": 3497874787, + "id": 718944036, "definition": { "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", 
@@ -7579,7 +7579,7 @@ } }, { - "id": 1161222978, + "id": 3555839342, "definition": { "type": "note", "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", @@ -7598,7 +7598,7 @@ } }, { - "id": 665495386, + "id": 52046381, "definition": { "title": "ModifyActivityStream", "title_size": "16", @@ -7640,7 +7640,7 @@ } }, { - "id": 2525508603, + "id": 863860253, "definition": { "type": "note", "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -7659,7 +7659,7 @@ } }, { - "id": 4177264659, + "id": 3802518236, "definition": { "title": "DeleteIdentity", "title_size": "16", @@ -7701,7 +7701,7 @@ } }, { - "id": 2507555029, + "id": 3238013409, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7720,7 +7720,7 @@ } }, { - "id": 2011827437, + "id": 4029187744, "definition": { "title": "UpdateIPSet", "title_size": "16", 
@@ -7762,7 +7762,7 @@ } }, { - "id": 474787532, + "id": 1129441254, "definition": { "type": "note", "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -7781,7 +7781,7 @@ } }, { - "id": 4274027236, + "id": 1920615589, "definition": { "title": "DeleteInvitations", "title_size": "16", @@ -7823,7 +7823,7 @@ } }, { - "id": 2548566192, + "id": 3565622358, "definition": { "type": "note", "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7842,7 +7842,7 @@ } }, { - "id": 2052838600, + "id": 2209313045, "definition": { "title": "UpdateDetector", "title_size": "16", @@ -7884,7 +7884,7 @@ } }, { - "id": 49388944, + "id": 239047933, "definition": { "type": "note", "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", 
@@ -7903,7 +7903,7 @@ } }, { - "id": 3848628648, + "id": 1030222268, "definition": { "title": "DeleteDetector", "title_size": "16", @@ -7945,7 +7945,7 @@ } }, { - "id": 1247994396, + "id": 1888017273, "definition": { "type": "note", "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7964,7 +7964,7 @@ } }, { - "id": 752266804, + "id": 531707960, "definition": { "title": "DeletePublishingDestination", "title_size": "16", @@ -8006,7 +8006,7 @@ } }, { - "id": 3544588116, + "id": 771202648, "definition": { "type": "note", "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8025,7 +8025,7 @@ } }, { - "id": 3048860524, + "id": 1562376983, "definition": { "title": "DisassociateMembers", "title_size": "16", @@ -8067,7 +8067,7 @@ } }, { - "id": 3378214177, + "id": 4117772514, "definition": { "type": "note", "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", 
@@ -8086,7 +8086,7 @@ } }, { - "id": 2882486585, + "id": 613979553, "definition": { "title": "DisassociateFromMasterAccount", "title_size": "16", @@ -8128,7 +8128,7 @@ } }, { - "id": 2001342468, + "id": 3777346244, "definition": { "type": "note", "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8147,7 +8147,7 @@ } }, { - "id": 1505614876, + "id": 2321698044, "definition": { "title": "StopMonitoringMembers", "title_size": "16", @@ -8189,7 +8189,7 @@ } }, { - "id": 2417175810, + "id": 1051909199, "definition": { "type": "note", "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8208,7 +8208,7 @@ } }, { - "id": 3969592979, + "id": 1843083534, "definition": { "title": "CreateIPSet", "title_size": "16", @@ -8250,7 +8250,7 @@ } }, { - "id": 4247372559, + "id": 3367096639, "definition": { "type": "note", "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8269,7 +8269,7 @@ } }, { - "id": 3751644967, + "id": 4158270974, "definition": { "title": "CreateFilter", "title_size": "16", 
@@ -8311,7 +8311,7 @@ } }, { - "id": 1386303468, + "id": 1662145325, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8330,7 +8330,7 @@ } }, { - "id": 890575876, + "id": 2453319660, "definition": { "title": "DeleteMembers", "title_size": "16", @@ -8372,7 +8372,7 @@ } }, { - "id": 3886323524, + "id": 1674061636, "definition": { "type": "note", "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8391,7 +8391,7 @@ } }, { - "id": 3390595932, + "id": 2465235971, "definition": { "title": "DeleteConfigurationRecorder", "title_size": "16", @@ -8433,7 +8433,7 @@ } }, { - "id": 3589652769, + "id": 517962646, "definition": { "type": "note", "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", 
@@ -8452,7 +8452,7 @@ } }, { - "id": 3093925177, + "id": 1309136981, "definition": { "title": "DeleteDeliveryChannel", "title_size": "16", @@ -8494,7 +8494,7 @@ } }, { - "id": 2404364544, + "id": 4113091124, "definition": { "type": "note", "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8513,7 +8513,7 @@ } }, { - "id": 3956781713, + "id": 609298163, "definition": { "title": "StopConfigurationRecorder", "title_size": "16", @@ -8555,7 +8555,7 @@ } }, { - "id": 4071211491, + "id": 3908732658, "definition": { "type": "note", "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8574,7 +8574,7 @@ } }, { - "id": 3575483899, + "id": 404939697, "definition": { "title": "DeleteConfigRule", "title_size": "16", 
@@ -8616,7 +8616,7 @@ } }, { - "id": 3334911921, + "id": 3196247064, "definition": { "type": "note", "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8635,7 +8635,7 @@ } }, { - "id": 691700681, + "id": 3987421399, "definition": { "title": "DeleteRuleGroup", "title_size": "16", @@ -8677,7 +8677,7 @@ } }, { - "id": 2507555029, + "id": 3238013409, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8696,7 +8696,7 @@ } }, { - "id": 2011827437, + "id": 4029187744, "definition": { "title": "UpdateIPSet", "title_size": "16", @@ -8738,7 +8738,7 @@ } }, { - "id": 1855668959, + "id": 2932663787, "definition": { "type": "note", "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8757,7 +8757,7 @@ } }, { - "id": 3507425015, + "id": 1576354474, "definition": { "title": "DeleteWebACL", "title_size": "16", @@ -8808,7 +8808,7 @@ } }, { - "id": 2801495301, + "id": 1276273861, "definition": { "type": "group", "layout_type": "ordered", 
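Review bot: The regenerated widget id `3238013409` assigned to the WAFV2 UpdateIPSet note in this hunk is the same value this commit assigns to the GuardDuty UpdateIPSet note earlier in the file, and the title widget id `4029187744` repeats in the same way (the old ids `2507555029` / `2011827437` were already duplicated between the two), so the id generator appears to derive ids from the event name alone rather than service plus event. Duplicate widget ids inside one Datadog dashboard export are at best ambiguous and at worst cause one widget to be dropped or overwritten on import, which for a detection dashboard means silently losing a panel. The fix presumably belongs in the generator that writes this file: seed the id from the `Service-EventName` pair (the same key the `traildiscover.cloud/#WAFV2-UpdateIPSet` anchor already uses), and add an assertion in that script that all `id` values in the output are unique so this is caught before commit. Because every hunk in this diff is an id rewrite, a deterministic id would also keep future diffs of this file reviewable.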
@@ -8817,7 +8817,7 @@ "show_title": true, "widgets": [ { - "id": 989095754, + "id": 2299412126, "definition": { "type": "note", "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -8836,7 +8836,7 @@ } }, { - "id": 2640851810, + "id": 3090586461, "definition": { "title": "GetSecretValue", "title_size": "16", @@ -8878,7 +8878,7 @@ } }, { - "id": 2083908195, + "id": 4072211187, "definition": { "type": "note", "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -8897,7 +8897,7 @@ } }, { - "id": 1588180603, + "id": 568418226, "definition": { "title": "DescribeSecret", "title_size": "16", 
@@ -8939,7 +8939,7 @@ } }, { - "id": 1991721620, + "id": 3725919739, "definition": { "type": "note", "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -8958,7 +8958,7 @@ } }, { - "id": 3544138789, + "id": 222126778, "definition": { "title": "ListSecrets", "title_size": "16", @@ -9000,7 +9000,7 @@ } }, { - "id": 3110371190, + "id": 1131721019, "definition": { "type": "note", "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -9019,7 +9019,7 @@ } }, { - "id": 2614643598, + "id": 1922895354, "definition": { "title": "GetPasswordData", "title_size": "16", @@ -9061,7 +9061,7 @@ } }, { - "id": 2465207795, + "id": 3568340222, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -9080,7 +9080,7 @@ } }, { - "id": 1969480203, + "id": 4260175670, "definition": { "title": "GetParameters", "title_size": "16", @@ -9131,7 +9131,7 @@ } }, { - "id": 4085229456, + "id": 3104329684, "definition": { "type": "group", "layout_type": "ordered", @@ -9140,7 +9140,7 @@ "show_title": true, "widgets": [ { - "id": 927476832, + "id": 3324450798, "definition": { "type": "note", "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9159,7 +9159,7 @@ } }, { - "id": 2579232888, + "id": 1968141485, "definition": { "title": "ListDomains", "title_size": "16", 
@@ -9201,7 +9201,7 @@ } }, { - "id": 495879803, + "id": 1609086834, "definition": { "type": "note", "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9220,7 +9220,7 @@ } }, { - "id": 2048296972, + "id": 2400261169, "definition": { "title": "GetHostedZoneCount", "title_size": "16", @@ -9262,7 +9262,7 @@ } }, { - "id": 2406233899, + "id": 1350177911, "definition": { "type": "note", "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9281,7 +9281,7 @@ } }, { - "id": 1910506307, + "id": 4288835894, "definition": { "title": "DescribeOrganization", "title_size": "16", @@ -9323,7 +9323,7 @@ } }, { - "id": 63116510, + "id": 1338071424, "definition": { "type": "note", "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", 
@@ -9342,7 +9342,7 @@ } }, { - "id": 1714872566, + "id": 2129245759, "definition": { "title": "ListOrganizationalUnitsForParent", "title_size": "16", @@ -9384,7 +9384,7 @@ } }, { - "id": 1672416682, + "id": 3339711654, "definition": { "type": "note", "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9403,7 +9403,7 @@ } }, { - "id": 1176689090, + "id": 4130885989, "definition": { "title": "ListAccounts", "title_size": "16", 
@@ -9445,7 +9445,7 @@ } }, { - "id": 3821765345, + "id": 2179589162, "definition": { "type": "note", "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n", @@ -9464,7 +9464,7 @@ } }, { - "id": 1178554105, + "id": 2970763497, "definition": { "title": "GetCallerIdentity", "title_size": "16", 
@@ -9506,7 +9506,7 @@ } }, { - "id": 2572341001, + "id": 2664276019, "definition": { "type": "note", "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9525,7 +9525,7 @@ } }, { - "id": 2076613409, + "id": 1307966706, "definition": { "title": "ListTopics", "title_size": "16", @@ -9567,7 +9567,7 @@ } }, { - "id": 1765889080, + "id": 488367351, "definition": { "type": "note", "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9586,7 +9586,7 @@ } }, { - "id": 3417645136, + "id": 3327686447, "definition": { "title": "ListSubscriptions", "title_size": "16", @@ -9628,7 +9628,7 @@ } }, { - "id": 1584917234, + "id": 4001233390, "definition": { "type": "note", "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9647,7 +9647,7 @@ } }, { - "id": 1089189642, + "id": 497440429, "definition": { "title": "ListOriginationNumbers", "title_size": "16", 
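Review bot: The `ListSubscriptions` note in this hunk carries the description "Lists the calling AWS account's dedicated origination numbers and their metadata.", which is word-for-word the description of the `ListOriginationNumbers` note that follows it, so it looks like a copy-paste from the wrong SNS action; for SNS ListSubscriptions the API description is "Returns a list of the requester's subscriptions." Since this dashboard is generated, the correction presumably belongs in the SNS ListSubscriptions entry of the events source (outside this diff) rather than in this file directly, e.g. `"description": "Returns a list of the requester's subscriptions."`. Only the widget id changes in this hunk; the surrounding widget object starts and ends outside it.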
@@ -9689,7 +9689,7 @@ } }, { - "id": 3623879345, + "id": 4163422655, "definition": { "type": "note", "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9708,7 +9708,7 @@ } }, { - "id": 3128151753, + "id": 659629694, "definition": { "title": "GetSMSAttributes", "title_size": "16", @@ -9750,7 +9750,7 @@ } }, { - "id": 1110822643, + "id": 1164298267, "definition": { "type": "note", "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9769,7 +9769,7 @@ } }, { - "id": 2762578699, + "id": 1955472602, "definition": { "title": "GetSMSSandboxAccountStatus", "title_size": "16", 
@@ -9811,7 +9811,7 @@ } }, { - "id": 293867883, + "id": 1911124417, "definition": { "type": "note", "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9830,7 +9830,7 @@ } }, { - "id": 4093107587, + "id": 455476217, "definition": { "title": "IssueCertificate", "title_size": "16", @@ -9872,7 +9872,7 @@ } }, { - "id": 1373214416, + "id": 1795009814, "definition": { "type": "note", "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9891,7 +9891,7 @@ } }, { - "id": 877486824, + "id": 2586184149, "definition": { "title": "GetCertificate", "title_size": "16", @@ -9933,7 +9933,7 @@ } }, { - "id": 2939479035, + "id": 185413157, "definition": { "type": "note", "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9952,7 +9952,7 @@ } }, { - "id": 2443751443, + "id": 976587492, "definition": { "title": "DescribeLogGroups", "title_size": "16", 
@@ -9994,7 +9994,7 @@ } }, { - "id": 1429874304, + "id": 473713320, "definition": { "type": "note", "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10013,7 +10013,7 @@ } }, { - "id": 934146712, + "id": 1264887655, "definition": { "title": "DescribeSubscriptionFilters", "title_size": "16", @@ -10055,7 +10055,7 @@ } }, { - "id": 258604026, + "id": 1032191498, "definition": { "type": "note", "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10074,7 +10074,7 @@ } }, { - "id": 4057843730, + "id": 1724026946, "definition": { "title": "DescribeLogStreams", "title_size": "16", @@ -10116,7 +10116,7 @@ } }, { - "id": 2401096688, + "id": 3495608235, "definition": { "type": "note", "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10135,7 +10135,7 @@ } }, { - "id": 4052852744, + "id": 2039960035, "definition": { "title": "GetLogRecord", "title_size": "16", 
@@ -10177,7 +10177,7 @@ } }, { - "id": 2645222389, + "id": 579906739, "definition": { "type": "note", "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10196,7 +10196,7 @@ } }, { - "id": 2149494797, + "id": 3419225835, "definition": { "title": "GetQueryResults", "title_size": "16", @@ -10238,7 +10238,7 @@ } }, { - "id": 1726063268, + "id": 1994107078, "definition": { "type": "note", "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -10257,7 +10257,7 @@ } }, { - "id": 1230335676, + "id": 2785281413, "definition": { "title": "ListTargetsByRule", "title_size": "16", @@ -10299,7 +10299,7 @@ } }, { - "id": 694739578, + "id": 724689010, "definition": { "type": "note", "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -10318,7 +10318,7 @@ } }, { - "id": 199011986, + "id": 3663346993, "definition": { "title": "ListRules", "title_size": "16", 
@@ -10360,7 +10360,7 @@ } }, { - "id": 2223933067, + "id": 2993744141, "definition": { "type": "note", "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10379,7 +10379,7 @@ } }, { - "id": 3776350236, + "id": 1637434828, "definition": { "title": "GetInstances", "title_size": "16", @@ -10421,7 +10421,7 @@ } }, { - "id": 3259998869, + "id": 1140344834, "definition": { "type": "note", "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10440,7 +10440,7 @@ } }, { - "id": 616787629, + "id": 1931519169, "definition": { "title": "GetRegions", "title_size": "16", @@ -10482,7 +10482,7 @@ } }, { - "id": 309167822, + "id": 2690147089, "definition": { "type": "note", "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -10501,7 +10501,7 @@ } }, { - "id": 4108407526, + "id": 1333837776, "definition": { "title": "GetCostAndUsage", "title_size": "16", 
@@ -10543,7 +10543,7 @@ } }, { - "id": 2407690150, + "id": 367059168, "definition": { "type": "note", "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10562,7 +10562,7 @@ } }, { - "id": 1911962558, + "id": 1158233503, "definition": { "title": "ListGroupsForUser", "title_size": "16", @@ -10604,7 +10604,7 @@ } }, { - "id": 1330779601, + "id": 4016243908, "definition": { "type": "note", "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n", @@ -10623,7 +10623,7 @@ } }, { - "id": 835052009, + "id": 413112060, "definition": { "title": "ListAccessKeys", "title_size": "16", @@ -10665,7 +10665,7 @@ } }, { - "id": 392027869, + "id": 3561548426, "definition": { "type": "note", "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10684,7 +10684,7 @@ } }, { - "id": 4191267573, + "id": 2205239113, "definition": { "title": "SimulatePrincipalPolicy", "title_size": "16", 
@@ -10726,7 +10726,7 @@ } }, { - "id": 684745936, + "id": 3360453112, "definition": { "type": "note", "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10745,7 +10745,7 @@ } }, { - "id": 189018344, + "id": 4151627447, "definition": { "title": "GetAccountAuthorizationDetails", "title_size": "16", @@ -10787,7 +10787,7 @@ } }, { - "id": 1771123060, + "id": 2651296797, "definition": { "type": "note", "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10806,7 +10806,7 @@ } }, { - "id": 1275395468, + "id": 3442471132, "definition": { "title": "ListGroups", "title_size": "16", 
@@ -10848,7 +10848,7 @@ } }, { - "id": 2831433364, + "id": 2050306798, "definition": { "type": "note", "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10867,7 +10867,7 @@ } }, { - "id": 2335705772, + "id": 693997485, "definition": { "title": "ListUsers", "title_size": "16", @@ -10909,7 +10909,7 @@ } }, { - "id": 663167908, + "id": 3674199047, "definition": { "type": "note", "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", 
@@ -10928,7 +10928,7 @@ } }, { - "id": 167440316, + "id": 71067199, "definition": { "title": "ListRoles", "title_size": "16", @@ -10970,7 +10970,7 @@ } }, { - "id": 3209544739, + "id": 489025859, "definition": { "type": "note", "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10989,7 +10989,7 @@ } }, { - "id": 2713817147, + "id": 1280200194, "definition": { "title": "ListSAMLProviders", "title_size": "16", @@ -11031,7 +11031,7 @@ } }, { - "id": 3482641160, + "id": 1179716208, "definition": { "type": "note", "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -11050,7 +11050,7 @@ } }, { - "id": 2986913568, + "id": 4118374191, "definition": { "title": "GetUser", "title_size": "16", @@ -11092,7 +11092,7 @@ } }, { - "id": 686427582, + "id": 101136074, "definition": { "type": "note", "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -11111,7 +11111,7 @@ } }, { - "id": 2338183638, + "id": 892310409, "definition": { "title": "ListAttachedRolePolicies", "title_size": "16", @@ -11153,7 +11153,7 @@ } }, { - "id": 22861042, + "id": 374496313, "definition": { "type": "note", "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11172,7 +11172,7 @@ } }, { - "id": 1674617098, + "id": 1066331761, "definition": { "title": "ListServiceSpecificCredentials", "title_size": "16", @@ -11214,7 +11214,7 @@ } }, { - "id": 1667098193, + "id": 3463746801, "definition": { "type": "note", "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -11233,7 +11233,7 @@ } }, { - "id": 1171370601, + "id": 2107437488, "definition": { "title": "ListRolePolicies", "title_size": "16", @@ -11275,7 +11275,7 @@ } }, { - "id": 3244621239, + "id": 2972397369, "definition": { "type": "note", "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -11294,7 +11294,7 @@ } }, { - "id": 2748893647, + "id": 3763571704, "definition": { "title": "ListSigningCertificates", "title_size": "16", @@ -11336,7 +11336,7 @@ } }, { - "id": 1894985294, + "id": 1495418682, "definition": { "type": "note", "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -11355,7 +11355,7 @@ } }, { - "id": 3546741350, + "id": 39770482, "definition": { "title": "ListInstanceProfiles", "title_size": "16", @@ -11397,7 +11397,7 @@ } }, { - "id": 1223352549, + "id": 345901806, "definition": { "type": "note", "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11416,7 +11416,7 @@ } }, { - "id": 2875108605, + "id": 1137076141, "definition": { "title": "ListSSHPublicKeys", "title_size": "16", @@ -11458,7 +11458,7 @@ } }, { - "id": 3170333080, + "id": 498956407, "definition": { "type": "note", "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -11477,7 +11477,7 @@ } }, { - "id": 2674605488, + "id": 1290130742, "definition": { "title": "ListOpenIDConnectProviders", "title_size": "16", @@ -11519,7 +11519,7 @@ } }, { - "id": 3509889957, + "id": 1321761019, "definition": { "type": "note", "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11538,7 +11538,7 @@ } }, { - "id": 3014162365, + "id": 4260419002, "definition": { "title": "GetLoginProfile", "title_size": "16", @@ -11580,7 +11580,7 @@ } }, { - "id": 4266524810, + "id": 1864595117, "definition": { "type": "note", "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11599,7 +11599,7 @@ } }, { - "id": 1623313570, + "id": 2655769452, "definition": { "title": "DescribeLoadBalancers", "title_size": "16", @@ -11641,7 +11641,7 @@ } }, { - "id": 2967311650, + "id": 3493270556, "definition": { "type": "note", "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", 
@@ -11660,7 +11660,7 @@ } }, { - "id": 2471584058, + "id": 4284444891, "definition": { "title": "DescribeListeners", "title_size": "16", @@ -11702,7 +11702,7 @@ } }, { - "id": 2838727158, + "id": 3289557441, "definition": { "type": "note", "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11721,7 +11721,7 @@ } }, { - "id": 195515918, + "id": 4080731776, "definition": { "title": "ListAssociatedAccessPolicies", "title_size": "16", @@ -11763,7 +11763,7 @@ } }, { - "id": 2962601625, + "id": 977803430, "definition": { "type": "note", "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11782,7 +11782,7 @@ } }, { - "id": 2466874033, + "id": 1768977765, "definition": { "title": "ListClusters", "title_size": "16", @@ -11824,7 +11824,7 @@ } }, { - "id": 3294347125, + "id": 187755141, "definition": { "type": "note", "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11843,7 +11843,7 @@ } }, { - "id": 651135885, + "id": 978929476, "definition": { "title": "DescribeAccessEntry", "title_size": "16", 
@@ -11885,7 +11885,7 @@ } }, { - "id": 3682970103, + "id": 2404515773, "definition": { "type": "note", "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11904,7 +11904,7 @@ } }, { - "id": 1039758863, + "id": 3195690108, "definition": { "title": "DescribeCluster", "title_size": "16", @@ -11946,7 +11946,7 @@ } }, { - "id": 2188909473, + "id": 1680856104, "definition": { "type": "note", "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -11965,7 +11965,7 @@ } }, { - "id": 1693181881, + "id": 324546791, "definition": { "title": "Search", "title_size": "16", @@ -12007,7 +12007,7 @@ } }, { - "id": 2826830915, + "id": 20140585, "definition": { "type": "note", "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -12026,7 +12026,7 @@ } }, { - "id": 183619675, + "id": 2958798568, "definition": { "title": "LookupEvents", "title_size": "16", 
@@ -12068,7 +12068,7 @@ } }, { - "id": 1674068358, + "id": 4112788940, "definition": { "type": "note", "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -12087,7 +12087,7 @@ } }, { - "id": 1178340766, + "id": 608995979, "definition": { "title": "GetIntrospectionSchema", "title_size": "16", @@ -12129,7 +12129,7 @@ } }, { - "id": 3161333663, + "id": 2519092192, "definition": { "type": "note", "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12148,7 +12148,7 @@ } }, { - "id": 518122423, + "id": 1162782879, "definition": { "title": "GetBucketVersioning", "title_size": "16", @@ -12190,7 +12190,7 @@ } }, { - "id": 855335418, + "id": 4008864881, "definition": { "type": "note", "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -12209,7 +12209,7 @@ } }, { - "id": 359607826, + "id": 505071920, "definition": { "title": "GetBucketLogging", "title_size": "16", @@ -12251,7 +12251,7 @@ } }, { - "id": 2663611911, + "id": 1012569345, "definition": { "type": "note", "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12270,7 +12270,7 @@ } }, { - "id": 2167884319, + "id": 1803743680, "definition": { "title": "GetBucketPolicy", "title_size": "16", 
@@ -12312,7 +12312,7 @@ } }, { - "id": 3729931024, + "id": 1298249304, "definition": { "type": "note", "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -12331,7 +12331,7 @@ } }, { - "id": 1086719784, + "id": 4236907287, "definition": { "title": "ListBuckets", "title_size": "16", 
@@ -12373,7 +12373,7 @@ } }, { - "id": 3795518780, + "id": 2467148890, "definition": { "type": "note", "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12392,7 +12392,7 @@ } }, { - "id": 1152307540, + "id": 3258323225, "definition": { "title": "GetBucketReplication", "title_size": "16", @@ -12434,7 +12434,7 @@ } }, { - "id": 1719319609, + "id": 2366208487, "definition": { "type": "note", "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", @@ -12453,7 +12453,7 @@ } }, { - "id": 1223592017, + "id": 910560287, "definition": { "title": "GetBucketAcl", "title_size": "16", @@ -12495,7 +12495,7 @@ } }, { - "id": 3348940898, + "id": 542987767, "definition": { "type": "note", "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", 
@@ -12514,7 +12514,7 @@ } }, { - "id": 705729658, + "id": 3382306863, "definition": { "title": "HeadObject", "title_size": "16", @@ -12556,7 +12556,7 @@ } }, { - "id": 3647618396, + "id": 3492709427, "definition": { "type": "note", "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -12575,7 +12575,7 @@ } }, { - "id": 1004407156, + "id": 4283883762, "definition": { "title": "ListVaults", "title_size": "16", @@ -12617,7 +12617,7 @@ } }, { - "id": 1762371059, + "id": 2975718471, "definition": { "type": "note", "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12636,7 +12636,7 @@ } }, { - "id": 3414127115, + "id": 1619409158, "definition": { "title": "GetPublicAccessBlock", "title_size": "16", 
@@ -12678,7 +12678,7 @@ } }, { - "id": 4206311696, + "id": 2560063378, "definition": { "type": "note", "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -12697,7 +12697,7 @@ } }, { - "id": 1563100456, + "id": 3351237713, "definition": { "title": "GetBucketTagging", "title_size": "16", @@ -12739,7 +12739,7 @@ } }, { - "id": 3502252639, + "id": 353467891, "definition": { "type": "note", "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", @@ -12758,7 +12758,7 @@ } }, { - "id": 859041399, + "id": 1144642226, "definition": { "title": "ListObjects", "title_size": "16", 
@@ -12800,7 +12800,7 @@ } }, { - "id": 1216775720, + "id": 2509087479, "definition": { "type": "note", "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -12819,7 +12819,7 @@ } }, { - "id": 721048128, + "id": 3300261814, "definition": { "title": "InvokeModel", "title_size": "16", @@ -12861,7 +12861,7 @@ } }, { - "id": 1926676945, + "id": 2052892947, "definition": { "type": "note", "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12880,7 +12880,7 @@ } }, { - "id": 1430949353, + "id": 2844067282, "definition": { "title": "GetUseCaseForModelAccess", "title_size": "16", 
@@ -12922,7 +12922,7 @@ } }, { - "id": 728697572, + "id": 2844902706, "definition": { "type": "note", "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -12941,7 +12941,7 @@ } }, { - "id": 232969980, + "id": 3636077041, "definition": { "title": "ListProvisionedModelThroughputs", "title_size": "16", @@ -12983,7 +12983,7 @@ } }, { - "id": 2544624624, + "id": 732127030, "definition": { "type": "note", "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -13002,7 +13002,7 @@ } }, { - "id": 4196380680, + "id": 3670785013, "definition": { "title": "GetFoundationModelAvailability", "title_size": "16", @@ -13044,7 +13044,7 @@ } }, { - "id": 1429187672, + "id": 1334131828, "definition": { "type": "note", "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -13063,7 +13063,7 @@ } }, { - "id": 933460080, + "id": 2125306163, "definition": { "title": "ListFoundationModels", "title_size": "16", 
@@ -13105,7 +13105,7 @@
 }
 },
 {
- "id": 2186012141,
+ "id": 3224640640,
 "definition": {
 "type": "note",
 "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -13124,7 +13124,7 @@
 }
 },
 {
- "id": 1690284549,
+ "id": 4015814975,
 "definition": {
 "title": "ListFoundationModelAgreementOffers",
 "title_size": "16",
@@ -13166,7 +13166,7 @@
 }
 },
 {
- "id": 4048985172,
+ "id": 2463699740,
 "definition": {
 "type": "note",
 "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n",
@@ -13185,7 +13185,7 @@
 }
 },
 {
- "id": 3553257580,
+ "id": 3254874075,
 "definition": {
 "title": "GetModelInvocationLoggingConfiguration",
 "title_size": "16",
@@ -13227,7 +13227,7 @@
 }
 },
 {
- "id": 851719321,
+ "id": 2929883320,
 "definition": {
 "type": "note",
 "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13246,7 +13246,7 @@
 }
 },
 {
- "id": 355991729,
+ "id": 3721057655,
 "definition": {
 "title": "GetConsoleScreenshot",
 "title_size": "16",
@@ -13288,7 +13288,7 @@
 }
 },
 {
- "id": 1784200847,
+ "id": 58913733,
 "definition": {
 "type": "note",
 "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13307,7 +13307,7 @@
 }
 },
 {
- "id": 3435956903,
+ "id": 2997571716,
 "definition": {
 "title": "DescribeSnapshotTierStatus",
 "title_size": "16",
@@ -13349,7 +13349,7 @@
 }
 },
 {
- "id": 2407302489,
+ "id": 1712424655,
 "definition": {
 "type": "note",
 "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13368,7 +13368,7 @@
 }
 },
 {
- "id": 4059058545,
+ "id": 356115342,
 "definition": {
 "title": "DescribeImages",
 "title_size": "16",
@@ -13410,7 +13410,7 @@
 }
 },
 {
- "id": 447333718,
+ "id": 3606886001,
 "definition": {
 "type": "note",
 "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13429,7 +13429,7 @@
 }
 },
 {
- "id": 2099089774,
+ "id": 103093040,
 "definition": {
 "title": "GetEbsDefaultKmsKeyId",
 "title_size": "16",
@@ -13471,7 +13471,7 @@
 }
 },
 {
- "id": 2177700075,
+ "id": 3650336627,
 "definition": {
 "type": "note",
 "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13490,7 +13490,7 @@
 }
 },
 {
- "id": 1681972483,
+ "id": 2294027314,
 "definition": {
 "title": "DescribeAvailabilityZones",
 "title_size": "16",
@@ -13532,7 +13532,7 @@
 }
 },
 {
- "id": 1750854589,
+ "id": 2615779471,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
@@ -13551,7 +13551,7 @@
 }
 },
 {
- "id": 3402610645,
+ "id": 3406953806,
 "definition": {
 "title": "DescribeInstances",
 "title_size": "16",
@@ -13593,7 +13593,7 @@
 }
 },
 {
- "id": 1674884373,
+ "id": 3445343374,
 "definition": {
 "type": "note",
 "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13612,7 +13612,7 @@
 }
 },
 {
- "id": 3326640429,
+ "id": 4236517709,
 "definition": {
 "title": "GetTransitGatewayRouteTableAssociations",
 "title_size": "16",
@@ -13654,7 +13654,7 @@
 }
 },
 {
- "id": 1974150643,
+ "id": 775980331,
 "definition": {
 "type": "note",
 "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13673,7 +13673,7 @@
 }
 },
 {
- "id": 3625906699,
+ "id": 3714638314,
 "definition": {
 "title": "GetLaunchTemplateData",
 "title_size": "16",
@@ -13715,7 +13715,7 @@
 }
 },
 {
- "id": 3984169003,
+ "id": 307020692,
 "definition": {
 "type": "note",
 "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n",
@@ -13734,7 +13734,7 @@
 }
 },
 {
- "id": 3488441411,
+ "id": 1098195027,
 "definition": {
 "title": "DescribeKeyPairs",
 "title_size": "16",
@@ -13776,7 +13776,7 @@
 }
 },
 {
- "id": 1215037625,
+ "id": 1404177040,
 "definition": {
 "type": "note",
 "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13795,7 +13795,7 @@
 }
 },
 {
- "id": 2866793681,
+ "id": 2195351375,
 "definition": {
 "title": "GetEbsEncryptionByDefault",
 "title_size": "16",
@@ -13837,7 +13837,7 @@
 }
 },
 {
- "id": 2449582744,
+ "id": 2963678311,
 "definition": {
 "type": "note",
 "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13856,7 +13856,7 @@
 }
 },
 {
- "id": 1953855152,
+ "id": 3754852646,
 "definition": {
 "title": "DescribeCarrierGateways",
 "title_size": "16",
@@ -13898,7 +13898,7 @@
 }
 },
 {
- "id": 1024085491,
+ "id": 2365990093,
 "definition": {
 "type": "note",
 "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13917,7 +13917,7 @@
 }
 },
 {
- "id": 528357899,
+ "id": 1009680780,
 "definition": {
 "title": "GetFlowLogsIntegrationTemplate",
 "title_size": "16",
@@ -13959,7 +13959,7 @@
 }
 },
 {
- "id": 2079785568,
+ "id": 1131218541,
 "definition": {
 "type": "note",
 "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13978,7 +13978,7 @@
 }
 },
 {
- "id": 1584057976,
+ "id": 1922392876,
 "definition": {
 "title": "DescribeTransitGatewayMulticastDomains",
 "title_size": "16",
@@ -14020,7 +14020,7 @@
 }
 },
 {
- "id": 1480332684,
+ "id": 1643168668,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14039,7 +14039,7 @@
 }
 },
 {
- "id": 984605092,
+ "id": 187520468,
 "definition": {
 "title": "DescribeInstanceAttribute",
 "title_size": "16",
@@ -14081,7 +14081,7 @@
 }
 },
 {
- "id": 2194960944,
+ "id": 3549369541,
 "definition": {
 "type": "note",
 "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14100,7 +14100,7 @@
 }
 },
 {
- "id": 3846717000,
+ "id": 45576580,
 "definition": {
 "title": "DescribeDhcpOptions",
 "title_size": "16",
@@ -14142,7 +14142,7 @@
 }
 },
 {
- "id": 4220565412,
+ "id": 3519782077,
 "definition": {
 "type": "note",
 "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14161,7 +14161,7 @@
 }
 },
 {
- "id": 3724837820,
+ "id": 2064133877,
 "definition": {
 "title": "DescribeVpcEndpointConnectionNotifications",
 "title_size": "16",
@@ -14203,7 +14203,7 @@
 }
 },
 {
- "id": 1594575055,
+ "id": 1891899587,
 "definition": {
 "type": "note",
 "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14222,7 +14222,7 @@
 }
 },
 {
- "id": 1098847463,
+ "id": 2683073922,
 "definition": {
 "title": "DescribeFlowLogs",
 "title_size": "16",
@@ -14264,7 +14264,7 @@
 }
 },
 {
- "id": 1072980804,
+ "id": 1705893306,
 "definition": {
 "type": "note",
 "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14283,7 +14283,7 @@
 }
 },
 {
- "id": 2724736860,
+ "id": 2497067641,
 "definition": {
 "title": "DescribeSnapshotAttribute",
 "title_size": "16",
@@ -14325,7 +14325,7 @@
 }
 },
 {
- "id": 1482629875,
+ "id": 3098444066,
 "definition": {
 "type": "note",
 "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14344,7 +14344,7 @@
 }
 },
 {
- "id": 3134385931,
+ "id": 1642795866,
 "definition": {
 "title": "DescribeVolumesModifications",
 "title_size": "16",
@@ -14386,7 +14386,7 @@
 }
 },
 {
- "id": 4291115547,
+ "id": 2896422684,
 "definition": {
 "type": "note",
 "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14405,7 +14405,7 @@
 }
 },
 {
- "id": 1647904307,
+ "id": 3687597019,
 "definition": {
 "title": "DescribeRegions",
 "title_size": "16",
@@ -14447,7 +14447,7 @@
 }
 },
 {
- "id": 136394874,
+ "id": 1764108750,
 "definition": {
 "type": "note",
 "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n",
@@ -14466,7 +14466,7 @@
 }
 },
 {
- "id": 3935634578,
+ "id": 407799437,
 "definition": {
 "title": "DescribeSecurityGroups",
 "title_size": "16",
@@ -14508,7 +14508,7 @@
 }
 },
 {
- "id": 2912024678,
+ "id": 1055596933,
 "definition": {
 "type": "note",
 "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14527,7 +14527,7 @@
 }
 },
 {
- "id": 2416297086,
+ "id": 3894916029,
 "definition": {
 "title": "DescribeVpcs",
 "title_size": "16",
@@ -14569,7 +14569,7 @@
 }
 },
 {
- "id": 2173834468,
+ "id": 400124116,
 "definition": {
 "type": "note",
 "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14588,7 +14588,7 @@
 }
 },
 {
- "id": 1678106876,
+ "id": 1191298451,
 "definition": {
 "title": "DescribeBundleTasks",
 "title_size": "16",
@@ -14630,7 +14630,7 @@
 }
 },
 {
- "id": 347048212,
+ "id": 655142069,
 "definition": {
 "type": "note",
 "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14649,7 +14649,7 @@
 }
 },
 {
- "id": 1998804268,
+ "id": 1446316404,
 "definition": {
 "title": "DescribeAccountAttributes",
 "title_size": "16",
@@ -14691,7 +14691,7 @@
 }
 },
 {
- "id": 3554878661,
+ "id": 432113519,
 "definition": {
 "type": "note",
 "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14710,7 +14710,7 @@
 }
 },
 {
- "id": 3059151069,
+ "id": 1223287854,
 "definition": {
 "title": "DescribeVolumes",
 "title_size": "16",
@@ -14752,7 +14752,7 @@
 }
 },
 {
- "id": 2785241595,
+ "id": 801145889,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14771,7 +14771,7 @@
 }
 },
 {
- "id": 142030355,
+ "id": 3739803872,
 "definition": {
 "title": "DescribeInstanceTypes",
 "title_size": "16",
@@ -14813,7 +14813,7 @@
 }
 },
 {
- "id": 3411251269,
+ "id": 43474032,
 "definition": {
 "type": "note",
 "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14832,7 +14832,7 @@
 }
 },
 {
- "id": 2915523677,
+ "id": 834648367,
 "definition": {
 "title": "DescribeClientVpnRoutes",
 "title_size": "16",
@@ -14874,7 +14874,7 @@
 }
 },
 {
- "id": 1974150643,
+ "id": 775980331,
 "definition": {
 "type": "note",
 "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14893,7 +14893,7 @@
 }
 },
 {
- "id": 3625906699,
+ "id": 3714638314,
 "definition": {
 "title": "GetLaunchTemplateData",
 "title_size": "16",
@@ -14935,7 +14935,7 @@
 }
 },
 {
- "id": 1583445586,
+ "id": 3439597738,
 "definition": {
 "type": "note",
 "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
@@ -14954,7 +14954,7 @@
 }
 },
 {
- "id": 3235201642,
+ "id": 4230772073,
 "definition": {
 "title": "GetParameters",
 "title_size": "16",
@@ -14996,7 +14996,7 @@
 }
 },
 {
- "id": 1047103533,
+ "id": 3516996441,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15015,7 +15015,7 @@
 }
 },
 {
- "id": 551375941,
+ "id": 13203480,
 "definition": {
 "title": "DescribeInstanceInformation",
 "title_size": "16",
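Review bot: The GetLaunchTemplateData note and title widgets at @@ -14874 and @@ -14893 are byte-for-byte repeats of the pair at @@ -13654 and @@ -13673, down to the same regenerated ids 775980331 and 3714638314, so the new dashboard carries two widgets with identical `"id"` values. Every other widget in these hunks gets a distinct id, which suggests the ids are derived from widget content and the event itself is listed twice in whatever drives the generator (presumably docs/events.json, also touched by this commit); removing the duplicate at the source would fix both copies. I'd check how the Datadog import treats duplicate widget ids before merging, since at best one entry is dead weight and at worst the second silently overwrites the first. The enclosing widgets array begins and ends outside these hunks.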
@@ -15057,7 +15057,7 @@
 }
 },
 {
- "id": 3453769540,
+ "id": 3342379225,
 "definition": {
 "type": "note",
 "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
@@ -15076,7 +15076,7 @@
 }
 },
 {
- "id": 2958041948,
+ "id": 4034214673,
 "definition": {
 "title": "GetIdentityVerificationAttributes",
 "title_size": "16",
@@ -15118,7 +15118,7 @@
 }
 },
 {
- "id": 3004197099,
+ "id": 3061126927,
 "definition": {
 "type": "note",
 "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
@@ -15137,7 +15137,7 @@
 }
 },
 {
- "id": 360985859,
+ "id": 3852301262,
 "definition": {
 "title": "GetAccountSendingEnabled",
 "title_size": "16",
@@ -15179,7 +15179,7 @@
 }
 },
 {
- "id": 3344584878,
+ "id": 4018309962,
 "definition": {
 "type": "note",
 "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -15198,7 +15198,7 @@
 }
 },
 {
- "id": 701373638,
+ "id": 2662000649,
 "definition": {
 "title": "ListIdentities",
 "title_size": "16",
@@ -15240,7 +15240,7 @@
 }
 },
 {
- "id": 728155560,
+ "id": 1309597820,
 "definition": {
 "type": "note",
 "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -15259,7 +15259,7 @@
 }
 },
 {
- "id": 2379911616,
+ "id": 4248255803,
 "definition": {
 "title": "GetSendQuota",
 "title_size": "16",
@@ -15301,7 +15301,7 @@
 }
 },
 {
- "id": 3400111730,
+ "id": 903367819,
 "definition": {
 "type": "note",
 "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -15320,7 +15320,7 @@
 }
 },
 {
- "id": 756900490,
+ "id": 1595203267,
 "definition": {
 "title": "GetAccount",
 "title_size": "16",
@@ -15362,7 +15362,7 @@
 }
 },
 {
- "id": 2401881988,
+ "id": 3917464042,
 "definition": {
 "type": "note",
 "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15381,7 +15381,7 @@
 }
 },
 {
- "id": 4053638044,
+ "id": 413671081,
 "definition": {
 "title": "GetFindings",
 "title_size": "16",
@@ -15423,7 +15423,7 @@
 }
 },
 {
- "id": 4083622940,
+ "id": 3128911365,
 "definition": {
 "type": "note",
 "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15442,7 +15442,7 @@
 }
 },
 {
- "id": 1440411700,
+ "id": 3920085700,
 "definition": {
 "title": "ListFindings",
 "title_size": "16",
@@ -15484,7 +15484,7 @@
 }
 },
 {
- "id": 1680488719,
+ "id": 4037568061,
 "definition": {
 "type": "note",
 "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -15503,7 +15503,7 @@
 }
 },
 {
- "id": 1184761127,
+ "id": 533775100,
 "definition": {
 "title": "ListDetectors",
 "title_size": "16",
@@ -15545,7 +15545,7 @@
 }
 },
 {
- "id": 697449835,
+ "id": 641446752,
 "definition": {
 "type": "note",
 "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15564,7 +15564,7 @@
 }
 },
 {
- "id": 2249867004,
+ "id": 1333282200,
 "definition": {
 "title": "GetDetector",
 "title_size": "16",
@@ -15606,7 +15606,7 @@
 }
 },
 {
- "id": 2325617110,
+ "id": 3274201905,
 "definition": {
 "type": "note",
 "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -15625,7 +15625,7 @@
 }
 },
 {
- "id": 3977373166,
+ "id": 1917892592,
 "definition": {
 "title": "ListIPSets",
 "title_size": "16",
@@ -15667,7 +15667,7 @@
 }
 },
 {
- "id": 1002775488,
+ "id": 4169435660,
 "definition": {
 "type": "note",
 "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -15686,7 +15686,7 @@
 }
 },
 {
- "id": 507047896,
+ "id": 665642699,
 "definition": {
 "title": "ListServiceQuotas",
 "title_size": "16",
@@ -15737,7 +15737,7 @@
 }
 },
 {
- "id": 46676597,
+ "id": 3839910763,
 "definition": {
 "type": "group",
 "layout_type": "ordered",
@@ -15746,7 +15746,7 @@
 "show_title": true,
 "widgets": [
 {
- "id": 3892793627,
+ "id": 2891411800,
 "definition": {
 "type": "note",
 "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n",
@@ -15765,7 +15765,7 @@
 }
 },
 {
- "id": 3397066035,
+ "id": 1535102487,
 "definition": {
 "title": "AssumeRoleWithWebIdentity",
 "title_size": "16",
@@ -15807,7 +15807,7 @@
 }
 },
 {
- "id": 219147980,
+ "id": 3009148319,
 "definition": {
 "type": "note",
 "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n",
@@ -15826,7 +15826,7 @@
 }
 },
 {
- "id": 4018387684,
+ "id": 3800322654,
 "definition": {
 "title": "SwitchRole",
 "title_size": "16",
@@ -15868,7 +15868,7 @@
 }
 },
 {
- "id": 2233376158,
+ "id": 3083934193,
 "definition": {
 "type": "note",
 "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n",
@@ -15887,7 +15887,7 @@
 }
 },
 {
- "id": 3885132214,
+ "id": 1727624880,
 "definition": {
 "title": "EnableSerialConsoleAccess",
 "title_size": "16",
@@ -15929,7 +15929,7 @@
 }
 },
 {
- "id": 1020346991,
+ "id": 3707722643,
 "definition": {
 "type": "note",
 "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n",
@@ -15948,7 +15948,7 @@
 }
 },
 {
- "id": 524619399,
+ "id": 203929682,
 "definition": {
 "title": "CreateVolume",
 "title_size": "16",
@@ -15990,7 +15990,7 @@ } }, { - "id": 4013012331, + "id": 2711264626, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16009,7 +16009,7 @@ } }, { - "id": 1369801091, + "id": 1255616426, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -16051,7 +16051,7 @@ } }, { - "id": 3578420879, + "id": 1408724917, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -16070,7 +16070,7 @@ } }, { - "id": 935209639, + "id": 2199899252, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -16112,7 +16112,7 @@ } }, { - "id": 1914100124, + "id": 2406685393, "definition": { "type": "note", "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16131,7 +16131,7 @@ } }, { - "id": 3565856180, + "id": 3197859728, "definition": { "title": "SendSSHPublicKey", "title_size": "16", @@ -16173,7 +16173,7 @@ } }, { - "id": 1427557305, + "id": 3418900642, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -16192,7 +16192,7 @@ } }, { - "id": 931829713, + "id": 4210074977, "definition": { "title": "CreateSnapshot", "title_size": "16", 
@@ -16234,7 +16234,7 @@ } }, { - "id": 1100934229, + "id": 1930502439, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16253,7 +16253,7 @@ } }, { - "id": 605206637, + "id": 2721676774, "definition": { "title": "RunInstances", "title_size": "16", @@ -16295,7 +16295,7 @@ } }, { - "id": 1266748354, + "id": 1236709882, "definition": { "type": "note", "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16314,7 +16314,7 @@ } }, { - "id": 771020762, + "id": 1928545330, "definition": { "title": "AttachVolume", "title_size": "16", 
@@ -16356,7 +16356,7 @@ } }, { - "id": 1724506417, + "id": 2490873554, "definition": { "type": "note", "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16375,7 +16375,7 @@ } }, { - "id": 1228778825, + "id": 3282047889, "definition": { "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", @@ -16417,7 +16417,7 @@ } }, { - "id": 1008468459, + "id": 2953363493, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16436,7 +16436,7 @@ } }, { - "id": 2660224515, + "id": 1497715293, "definition": { "title": "SendCommand", "title_size": "16", 
@@ -16478,7 +16478,7 @@ } }, { - "id": 697948711, + "id": 3654427368, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -16497,7 +16497,7 @@ } }, { - "id": 2349704767, + "id": 150634407, "definition": { "title": "StartSession", "title_size": "16", @@ -16539,7 +16539,7 @@ } }, { - "id": 654435082, + "id": 58012475, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16558,7 +16558,7 @@ } }, { - "id": 158707490, + "id": 849186810, "definition": { "title": "ResumeSession", "title_size": "16", @@ -16609,7 +16609,7 @@ } }, { - "id": 2075694789, + "id": 297039110, "definition": { "type": "group", "layout_type": "ordered", 
@@ -16618,7 +16618,7 @@ "show_title": true, "widgets": [ { - "id": 1128526886, + "id": 3240133939, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16637,7 +16637,7 @@ } }, { - "id": 632799294, + "id": 4031308274, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -16679,7 +16679,7 @@ } }, { - "id": 1733063769, + "id": 2725714872, "definition": { "type": "note", "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16698,7 +16698,7 @@ } }, { - "id": 1237336177, + "id": 1369405559, "definition": { "title": "UpdateDistribution", "title_size": "16", 
@@ -16740,7 +16740,7 @@ } }, { - "id": 3486738446, + "id": 2242666026, "definition": { "type": "note", "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16759,7 +16759,7 @@ } }, { - "id": 2991010854, + "id": 886356713, "definition": { "title": "PublishFunction", "title_size": "16", @@ -16801,7 +16801,7 @@ } }, { - "id": 4169330849, + "id": 3001247009, "definition": { "type": "note", "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16820,7 +16820,7 @@ } }, { - "id": 1526119609, + "id": 1644937696, "definition": { "title": "CreateFunction", "title_size": "16", @@ -16862,7 +16862,7 @@ } }, { - "id": 1212981698, + "id": 2982203076, "definition": { "type": "note", "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", @@ -16881,7 +16881,7 @@ } }, { - "id": 717254106, + "id": 3773377411, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", 
@@ -16923,7 +16923,7 @@ } }, { - "id": 1289093468, + "id": 3316774014, "definition": { "type": "note", "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16942,7 +16942,7 @@ } }, { - "id": 793365876, + "id": 4107948349, "definition": { "title": "CreateTrafficMirrorTarget", "title_size": "16", @@ -16984,7 +16984,7 @@ } }, { - "id": 4090532511, + "id": 2212626626, "definition": { "type": "note", "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17003,7 +17003,7 @@ } }, { - "id": 1347982384, + "id": 3003800961, "definition": { "title": "CreateTrafficMirrorSession", "title_size": "16", @@ -17045,7 +17045,7 @@ } }, { - "id": 3883364668, + "id": 2494837091, "definition": { "type": "note", "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -17064,7 +17064,7 @@ } }, { - "id": 3387637076, + "id": 1138527778, "definition": { "title": "CreateRoute", "title_size": "16", 
@@ -17106,7 +17106,7 @@ } }, { - "id": 983226425, + "id": 3522001154, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17125,7 +17125,7 @@ } }, { - "id": 487498833, + "id": 18208193, "definition": { "title": "CreateTrafficMirrorFilter", "title_size": "16", @@ -17167,7 +17167,7 @@ } }, { - "id": 3625648979, + "id": 3764021599, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17186,7 +17186,7 @@ } }, { - "id": 982437739, + "id": 260228638, "definition": { "title": "CreateTrafficMirrorFilterRule", "title_size": "16", @@ -17237,7 +17237,7 @@ } }, { - "id": 3836151355, + "id": 2059309319, "definition": { "type": "group", "layout_type": "ordered", @@ -17246,7 +17246,7 @@ "show_title": true, "widgets": [ { - "id": 4250361592, + "id": 1653565958, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -17265,7 +17265,7 @@ } }, { - "id": 1607150352, + "id": 2444740293, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -17307,7 +17307,7 @@ } }, { - "id": 1815835250, + "id": 480254477, "definition": { "type": "note", "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -17326,7 +17326,7 @@ } }, { - "id": 1320107658, + "id": 1271428812, "definition": { "title": "CreateServer", "title_size": "16", @@ -17368,7 +17368,7 @@ } }, { - "id": 1613183828, + "id": 2599851790, "definition": { "type": "note", "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -17387,7 +17387,7 @@ } }, { - "id": 3264939884, + "id": 3391026125, "definition": { "title": "PutBucketPolicy", "title_size": "16", @@ -17429,7 +17429,7 @@ } }, { - "id": 3886539421, + "id": 660700887, "definition": { "type": "note", "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", @@ -17448,7 +17448,7 @@ } }, { - "id": 1243328181, + "id": 1451875222, "definition": { "title": "PutBucketAcl", "title_size": "16", 
@@ -17490,7 +17490,7 @@ } }, { - "id": 521040797, + "id": 2299909022, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17509,7 +17509,7 @@ } }, { - "id": 2172796853, + "id": 3091083357, "definition": { "title": "PutBucketVersioning", "title_size": "16", @@ -17551,7 +17551,7 @@ } }, { - "id": 2358023164, + "id": 1672000449, "definition": { "type": "note", "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17570,7 +17570,7 @@ } }, { - "id": 4009779220, + "id": 2463174784, "definition": { "title": "PutBucketReplication", "title_size": "16", 
@@ -17612,7 +17612,7 @@ } }, { - "id": 4161110225, + "id": 1181713149, "definition": { "type": "note", "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming 
Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", @@ -17631,7 +17631,7 @@ } }, { - "id": 3665382633, + "id": 1972887484, "definition": { "title": "GetObject", "title_size": "16", @@ -17673,7 +17673,7 @@ } }, { - "id": 2516671992, + "id": 414211272, "definition": { "type": "note", "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17692,7 +17692,7 @@ } }, { - "id": 4168428048, + "id": 3253530368, "definition": { "title": "JobCreated", "title_size": "16", @@ -17734,7 +17734,7 @@ } }, { - "id": 377797664, + "id": 1199909084, "definition": { "type": "note", "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", @@ -17753,7 +17753,7 @@ } }, { - "id": 4177037368, + "id": 1991083419, "definition": { "title": "ModifySnapshotAttribute", "title_size": "16", 
@@ -17795,7 +17795,7 @@ } }, { - "id": 4144341096, + "id": 786028941, "definition": { "type": "note", "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17814,7 +17814,7 @@ } }, { - "id": 3549274617, + "id": 1577203276, "definition": { "title": "SharedSnapshotCopyInitiated", "title_size": "16", @@ -17856,7 +17856,7 @@ } }, { - "id": 3836060413, + "id": 3737134635, "definition": { "type": "note", "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17875,7 +17875,7 @@ } }, { - "id": 1192849173, + "id": 2380825322, "definition": { "title": "SharedSnapshotVolumeCreated", "title_size": "16", 
@@ -17917,7 +17917,7 @@ } }, { - "id": 3825268255, + "id": 1837719337, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -17936,7 +17936,7 @@ } }, { - "id": 3230201776, + "id": 2628893672, "definition": { "title": "CreateSnapshot", "title_size": "16", @@ -17978,7 +17978,7 @@ } }, { - "id": 1513071745, + "id": 3824362630, "definition": { "type": "note", "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -17997,7 +17997,7 @@ } }, { - "id": 1017344153, + "id": 320569669, "definition": { "title": "CreateImage", "title_size": "16", 
@@ -18039,7 +18039,7 @@ } }, { - "id": 149699383, + "id": 2234105145, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", @@ -18058,7 +18058,7 @@ } }, { - "id": 3948939087, + "id": 778456945, "definition": { "title": "AuthorizeSecurityGroupEgress", "title_size": "16", @@ -18100,7 +18100,7 @@ } }, { - "id": 2481786377, + "id": 2012999804, "definition": { "type": "note", "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", @@ -18119,7 +18119,7 @@ } }, { - "id": 1986058785, + "id": 557351604, "definition": { "title": "ModifyImageAttribute", "title_size": "16", 
@@ -18161,7 +18161,7 @@ } }, { - "id": 2678746375, + "id": 1921494623, "definition": { "type": "note", "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -18180,7 +18180,7 @@ } }, { - "id": 35535135, + "id": 465846423, "definition": { "title": "ModifyDBSnapshotAttribute", "title_size": "16", @@ -18222,7 +18222,7 @@ } }, { - "id": 3663015519, + "id": 3255720954, "definition": { "type": "note", "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", @@ -18241,7 +18241,7 @@ } }, { - "id": 3167287927, + "id": 4046895289, "definition": { "title": "StartExportTask", "title_size": "16", 
@@ -18283,7 +18283,7 @@ } }, { - "id": 535375034, + "id": 1998544548, "definition": { "type": "note", "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -18302,7 +18302,7 @@ } }, { - "id": 2187131090, + "id": 2789718883, "definition": { "title": "CreateDBSecurityGroup", "title_size": "16", @@ -18344,7 +18344,7 @@ } }, { - "id": 790715096, + "id": 440288017, "definition": { "type": "note", "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", @@ -18363,7 +18363,7 @@ } }, { - "id": 294987504, + "id": 1231462352, "definition": { "title": "CreateDBSnapshot", "title_size": "16", @@ -18414,7 +18414,7 @@ } }, { - "id": 3175029225, + "id": 3077630201, "definition": { "type": "group", "layout_type": "ordered", 
@@ -18423,7 +18423,7 @@ "show_title": true, "widgets": [ { - "id": 1381573792, + "id": 176385218, "definition": { "type": "note", "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18442,7 +18442,7 @@ } }, { - "id": 885846200, + "id": 967559553, "definition": { "title": "ChangeResourceRecordSets", "title_size": "16", @@ -18484,7 +18484,7 @@ } }, { - "id": 2465545814, + "id": 2997585099, "definition": { "type": "note", "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18503,7 +18503,7 @@ } }, { - "id": 1969818222, + "id": 3788759434, "definition": { "title": "RegisterDomain", "title_size": "16", 
@@ -18545,7 +18545,7 @@ } }, { - "id": 798815307, + "id": 265680826, "definition": { "type": "note", "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18564,7 +18564,7 @@ } }, { - "id": 2450571363, + "id": 3204338809, "definition": { "title": "CreateHostedZone", "title_size": "16", @@ -18606,7 +18606,7 @@ } }, { - "id": 1234354365, + "id": 2178949527, "definition": { "type": "note", "content": "### [CreateStack](https://traildiscover.cloud/#CloudFormation-CreateStack)\n\n**Description:** Creates a stack as specified in the template.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -18625,7 +18625,7 @@ } }, { - "id": 738626773, + "id": 2970123862, "definition": { "title": "CreateStack", "title_size": "16", 
@@ -18667,7 +18667,7 @@ } }, { - "id": 1030189004, + "id": 10464804, "definition": { "type": "note", "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18686,7 +18686,7 @@ } }, { - "id": 2681945060, + "id": 702300252, "definition": { "title": "Publish", "title_size": "16", @@ -18728,7 +18728,7 @@ } }, { - "id": 1617421009, + "id": 3756912199, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18747,7 +18747,7 @@ } }, { - "id": 3269177065, + "id": 253119238, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -18789,7 +18789,7 @@ } }, { - "id": 1711910713, + "id": 3856899624, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -18808,7 +18808,7 @@ } }, { - "id": 3363666769, + "id": 2500590311, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -18850,7 +18850,7 @@ } }, { - "id": 436407326, + "id": 2974180054, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18869,7 +18869,7 @@ } }, { - "id": 4235647030, + "id": 3765354389, "definition": { "title": "Invoke", "title_size": "16", 
@@ -18911,7 +18911,7 @@ } }, { - "id": 2752488647, + "id": 3791193314, "definition": { "type": "note", "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18930,7 +18930,7 @@ } }, { - "id": 109277407, + "id": 2434884001, "definition": { "title": "DeleteFileSystem", "title_size": "16", @@ -18972,7 +18972,7 @@ } }, { - "id": 3118964136, + "id": 1404638253, "definition": { "type": "note", "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18991,7 +18991,7 @@ } }, { - "id": 2623236544, + "id": 2096473701, "definition": { "title": "DeleteMountTarget", "title_size": "16", @@ -19033,7 +19033,7 @@ } }, { - "id": 1755891098, + "id": 784436618, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -19052,7 +19052,7 @@ } }, { - "id": 3308308267, + "id": 1575610953, "definition": { "title": "DeleteRule", "title_size": "16", 
@@ -19094,7 +19094,7 @@ } }, { - "id": 865498124, + "id": 356768508, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -19113,7 +19113,7 @@ } }, { - "id": 369770532, + "id": 1147942843, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -19155,7 +19155,7 @@ } }, { - "id": 2820400154, + "id": 1226761222, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -19174,7 +19174,7 @@ } }, { - "id": 2324672562, + "id": 2017935557, "definition": { "title": "DisableRule", "title_size": "16", @@ -19216,7 +19216,7 @@ } }, { - "id": 1189253909, + "id": 3922562531, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -19235,7 +19235,7 @@ } }, { - "id": 693526317, + "id": 418769570, "definition": { "title": "PutRule", "title_size": "16", 
@@ -19277,7 +19277,7 @@ } }, { - "id": 3663488559, + "id": 1859124137, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -19296,7 +19296,7 @@ } }, { - "id": 3167760967, + "id": 403475937, "definition": { "title": "CreateInstances", "title_size": "16", @@ -19338,7 +19338,7 @@ } }, { - "id": 2754892567, + "id": 687944961, "definition": { "type": "note", "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -19357,7 +19357,7 @@ } }, { - "id": 2259164975, + "id": 3527264057, "definition": { "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", @@ -19399,7 +19399,7 @@ } }, { - "id": 4282158007, + "id": 1913078326, "definition": { "type": "note", "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -19418,7 +19418,7 @@ } }, { - "id": 3786430415, + "id": 556769013, "definition": { "title": "ScheduleKeyDeletion", "title_size": "16", 
@@ -19460,7 +19460,7 @@ } }, { - "id": 613909860, + "id": 4074262425, "definition": { "type": "note", "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -19479,7 +19479,7 @@ } }, { - "id": 118182268, + "id": 570469464, "definition": { "title": "Encrypt", "title_size": "16", @@ -19521,7 +19521,7 @@ } }, { - "id": 525315290, + "id": 239889710, "definition": { "type": "note", "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", @@ -19540,7 +19540,7 @@ } }, { - "id": 29587698, + "id": 3178547693, "definition": { "title": "PutObject", "title_size": "16", @@ -19582,7 +19582,7 @@ } }, { - "id": 336055787, + "id": 4144251070, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -19601,7 +19601,7 @@ } }, { - "id": 4135295491, + "id": 2787941757, "definition": { "title": "PutBucketVersioning", "title_size": "16", 
@@ -19643,7 +19643,7 @@ } }, { - "id": 1409542848, + "id": 3247770339, "definition": { "type": "note", "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19662,7 +19662,7 @@ } }, { - "id": 913815256, + "id": 1891461026, "definition": { "title": "PutBucketLifecycle", "title_size": "16", @@ -19704,7 +19704,7 @@ } }, { - "id": 2291261877, + "id": 2697834658, "definition": { "type": "note", "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19723,7 +19723,7 @@ } }, { - "id": 1795534285, + "id": 1242186458, "definition": { "title": "DeleteBucket", "title_size": "16", 
@@ -19765,7 +19765,7 @@ } }, { - "id": 1545498035, + "id": 67070602, "definition": { "type": "note", "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19784,7 +19784,7 @@ } }, { - "id": 1049770443, + "id": 2906389698, "definition": { "title": "DeleteObject", "title_size": "16", 
@@ -19826,7 +19826,7 @@ } }, { - "id": 545786594, + "id": 3816432166, "definition": { "type": "note", "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19845,7 +19845,7 @@ } }, { - "id": 50059002, + "id": 2360783966, "definition": { "title": "InvokeModel", "title_size": "16", @@ -19887,7 +19887,7 @@ } }, { - "id": 3578160285, + "id": 2564369406, "definition": { "type": "note", "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19906,7 +19906,7 @@ } }, { - "id": 3082432693, + "id": 3355543741, "definition": { "title": "PutFoundationModelEntitlement", "title_size": "16", 
@@ -19948,7 +19948,7 @@ } }, { - "id": 2773585715, + "id": 1304224274, "definition": { "type": "note", "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19967,7 +19967,7 @@ } }, { - "id": 2277858123, + "id": 2095398609, "definition": { "title": "InvokeModelWithResponseStream", "title_size": "16", @@ -20009,7 +20009,7 @@ } }, { - "id": 117938238, + "id": 2804895178, "definition": { "type": "note", "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -20028,7 +20028,7 @@ } }, { - "id": 1769694294, + "id": 1448585865, "definition": { "title": "PutUseCaseForModelAccess", "title_size": "16", @@ -20070,7 +20070,7 @@ } }, { - "id": 965827571, + "id": 4014033637, "definition": { "type": "note", "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", 
@@ -20089,7 +20089,7 @@ } }, { - "id": 470099979, + "id": 2657724324, "definition": { "title": "CreateFoundationModelAgreement", "title_size": "16", @@ -20131,7 +20131,7 @@ } }, { - "id": 546345766, + "id": 1319981523, "definition": { "type": "note", "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -20150,7 +20150,7 @@ } }, { - "id": 50618174, + "id": 4258639506, "definition": { "title": "DeleteVolume", "title_size": "16", @@ -20192,7 +20192,7 @@ } }, { - "id": 3821299331, + "id": 3406756554, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -20211,7 +20211,7 @@ } }, { - "id": 3325571739, + "id": 4197930889, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -20253,7 +20253,7 @@ } }, { - "id": 1494037069, + "id": 2414534488, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -20272,7 +20272,7 @@ } }, { - "id": 998309477, + "id": 3106369936, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -20314,7 +20314,7 @@ } }, { - "id": 3969315096, + "id": 2831219609, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -20333,7 +20333,7 @@ } }, { - "id": 3473587504, + "id": 3622393944, "definition": { "title": "TerminateInstances", "title_size": "16", 
@@ -20375,7 +20375,7 @@ } }, { - "id": 1204564740, + "id": 3505717750, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -20394,7 +20394,7 @@ } }, { - "id": 708837148, + "id": 1924789, "definition": { "title": "StopInstances", "title_size": "16", @@ -20436,7 +20436,7 @@ } }, { - "id": 653738419, + "id": 1783209482, "definition": { "type": "note", "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -20455,7 +20455,7 @@ } }, { - "id": 2305494475, + "id": 2574383817, "definition": { "title": "DeleteSnapshot", "title_size": "16", 
@@ -20497,7 +20497,7 @@ } }, { - "id": 1919776497, + "id": 2193663182, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -20516,7 +20516,7 @@ } }, { - "id": 3571532553, + "id": 837353869, "definition": { "title": "RunInstances", "title_size": "16", @@ -20558,7 +20558,7 @@ } }, { - "id": 2853521926, + "id": 2637026401, "definition": { "type": "note", "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", @@ -20577,7 +20577,7 @@ } }, { - "id": 210310686, + "id": 3428200736, "definition": { "title": "DeleteGlobalCluster", "title_size": "16", 
@@ -20619,7 +20619,7 @@ } }, { - "id": 4180738741, + "id": 3322560955, "definition": { "type": "note", "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", @@ -20638,7 +20638,7 @@ } }, { - "id": 3685011149, + "id": 4113735290, "definition": { "title": "DeleteDBCluster", "title_size": "16", @@ -20680,7 +20680,7 @@ } }, { - "id": 3052675768, + "id": 4199571087, "definition": { "type": "note", "content": "### [DeleteDBInstance](https://traildiscover.cloud/#RDS-DeleteDBInstance)\n\n**Description:** Deletes a previously provisioned DB instance.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -20699,7 +20699,7 @@ } }, { - "id": 409464528, + "id": 2743922887, "definition": { "title": "DeleteDBInstance", "title_size": "16", 
@@ -20741,7 +20741,7 @@ } }, { - "id": 445471826, + "id": 492335656, "definition": { "type": "note", "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -20760,7 +20760,7 @@ } }, { - "id": 2097227882, + "id": 1283509991, "definition": { "title": "CreateEmailIdentity", "title_size": "16", @@ -20802,7 +20802,7 @@ } }, { - "id": 2575247221, + "id": 1600954419, "definition": { "type": "note", "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -20821,7 +20821,7 @@ } }, { - "id": 2079519629, + "id": 244645106, "definition": { "title": "UpdateAccountSendingEnabled", "title_size": "16", @@ -20863,7 +20863,7 @@ } }, { - "id": 545651970, + "id": 3660706662, "definition": { "type": "note", "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", 
@@ -20882,7 +20882,7 @@ } }, { - "id": 49924378, + "id": 2304397349, "definition": { "title": "VerifyEmailIdentity", "title_size": "16", @@ -20924,7 +20924,7 @@ } }, { - "id": 1612750806, + "id": 3914465906, "definition": { "type": "note", "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20943,7 +20943,7 @@ } }, { - "id": 1117023214, + "id": 2558156593, "definition": { "title": "RegisterTaskDefinition", "title_size": "16", @@ -20985,7 +20985,7 @@ } }, { - "id": 26697223, + "id": 2784536966, "definition": { "type": "note", "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -21004,7 +21004,7 @@ } }, { - "id": 3825936927, + "id": 3575711301, "definition": { "title": "CreateService", "title_size": "16", 
@@ -21046,7 +21046,7 @@ } }, { - "id": 2344419161, + "id": 1042019315, "definition": { "type": "note", "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -21065,7 +21065,7 @@ } }, { - "id": 1749352682, + "id": 1833193650, "definition": { "title": "CreateCluster", "title_size": "16", @@ -21107,7 +21107,7 @@ } }, { - "id": 3150920082, + "id": 1426156121, "definition": { "type": "note", "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", @@ -21126,7 +21126,7 @@ } }, { - "id": 2655192490, + "id": 2217330456, "definition": { "title": "RequestServiceQuotaIncrease", "title_size": "16", diff --git a/docs/events.csv b/docs/events.csv index 3cf37a9..70d4969 100644 --- a/docs/events.csv +++ b/docs/events.csv 
@@ -8,15 +8,15 @@ InviteAccountToOrganization,organizations.amazonaws.com,Organizations,Sends an i DescribeOrganization,organizations.amazonaws.com,Organizations,Retrieves information about the organization that the user's account belongs to.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use DescribeOrganization to gather information about the structure and details of an AWS organization.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations describe-organization""}]",https://aws.permissions.cloud/iam/organizations#organizations-DescribeOrganization ListOrganizationalUnitsForParent,organizations.amazonaws.com,Organizations,Lists the organizational units (OUs) in a parent organizational unit or root.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListOrganizationalUnitsForParent to map the structure of an organization's AWS environment for potential vulnerabilities.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-organizational-units-for-parent --parent-id r-traildiscover""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListOrganizationalUnitsForParent CreateAccount,organizations.amazonaws.com,Organizations,Creates an AWS account that is automatically a member of the organization whose credentials made the request.,TA0005 - Defense Evasion,T1535 - Unused/Unsupported Cloud Regions,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],"Attackers might use CreateAccount to add a new account for defense evasion, resource hijacking.",[],"[{""type"": ""commandLine"", ""value"": ""aws organizations create-account --email traildiscover@example.com --account-name \""TrailDiscover Account\""""}]",https://aws.permissions.cloud/iam/organizations#organizations-CreateAccount -LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1070 - Indicator Removal,False,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": ""hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization +LeaveOrganization,organizations.amazonaws.com,Organizations,Removes a member account from its parent organization.,TA0005 - Defense Evasion,T1070 - Indicator Removal,False,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""An AWS account attempted to leave the AWS Organization"", ""link"": 
""https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/""}]",Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations leave-organization""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.organizations-leave""}]",https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization ListAccounts,organizations.amazonaws.com,Organizations,Lists all the accounts in the organization.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use ListAccounts to gather information about the structure and resources of an organization's AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws organizations list-accounts""}]",https://aws.permissions.cloud/iam/organizations#organizations-ListAccounts CreateStack,cloudformation.amazonaws.com,CloudFormation,Creates a stack as specified in the template.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers might use CreateStack to provision unauthorized resources,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateStack AssumeRoleWithWebIdentity,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.,"TA0001 - Initial Access, TA0008 - 
Lateral Movement","T1199 - Trusted Relationship, T1550 - Use Alternate Authentication Material",False,[],"[{""description"": ""From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk"", ""link"": ""https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/""}]",Attackers might use AssumeRoleWithWebIdentity to impersonate legitimate users and gain unauthorized access to an AWS role.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithWebIdentity -GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,True,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": ""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken +GetFederationToken,sts.amazonaws.com,STS,"Returns a set of temporary security credentials (consisting of an access key ID, a secret 
access key, and a security token) for a user.",TA0003 - Persistence,T1078 - Valid Accounts,True,"[{""description"": ""How Adversaries Can Persist with AWS User Federation"", ""link"": ""https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Survive Access Key Deletion with sts:GetFederationToken"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/""}]",Attackers might use GetFederationToken to gain temporary access credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-federation-token --name TrailDiscover --policy TrailDiscoverPolicy""}]",https://aws.permissions.cloud/iam/sts#sts-GetFederationToken GetSessionToken,sts.amazonaws.com,STS,Returns a set of temporary credentials for an AWS account or IAM user.,TA0001 - Initial Access,T1199 - Trusted Relationship,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""AWS STS GetSessionToken Abuse"", ""link"": ""https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html""}]",Attackers might use GetSessionToken to obtain 
temporary access credentials.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws sts get-session-token --duration-seconds 900 --serial-number 'YourMFADeviceSerialNumber' --token-code 123456""}]",https://aws.permissions.cloud/iam/sts#sts-GetSessionToken AssumeRole,sts.amazonaws.com,STS,Returns a set of temporary security credentials that you can use to access AWS resources.,"TA0001 - Initial Access, TA0003 - Persistence, TA0004 - Privilege Escalation","T1199 - Trusted Relationship, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]","[{""description"": ""Role Chain Juggling"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]","Attackers might use AssumeRole to gain unauthorized access to an AWS role. 
This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRole AssumeRoleWithSAML,sts.amazonaws.com,STS,Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.,TA0001 - Initial Access,T1199 - Trusted Relationship,False,[],"[{""description"": ""AWS - STS Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc""}]",Attackers might use AssumeRoleWithSAML to impersonate legitimate users and gain unauthorized access to an AWS role.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sts#sts-AssumeRoleWithSAML -GetCallerIdentity,sts.amazonaws.com,STS,Returns details about the IAM user or role whose credentials are used to call the operation.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}, {""description"": ""Enumerate AWS Account ID from an EC2 Instance"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/""}]",Attackers might use GetCallerIdentity to know what user or role are they using. 
This request does not need any permission.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-caller-identity""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity +GetCallerIdentity,sts.amazonaws.com,STS,Returns details about the IAM user or role whose credentials are used to call the operation.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""GotRoot! AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": 
""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""New attack vectors in EKS"", ""link"": ""https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features""}, {""description"": ""Enumerate AWS Account ID from an EC2 Instance"", ""link"": ""https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/""}]",Attackers might use GetCallerIdentity to know what user or role are they using. This request does not need any permission.,[],"[{""type"": ""commandLine"", ""value"": ""aws sts get-caller-identity""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/sts#sts-GetCallerIdentity ListTopics,sns.amazonaws.com,SNS,Returns a list of the requester's topics.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListTopics to identify potential SNS topics for unauthorized access or disruption.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-topics""}]",https://aws.permissions.cloud/iam/sns#sns-ListTopics ListSubscriptions,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? 
HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListSubscriptions to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-subscriptions""}]",https://aws.permissions.cloud/iam/sns#sns-ListSubscriptions ListOriginationNumbers,sns.amazonaws.com,SNS,Lists the calling AWS account's dedicated origination numbers and their metadata.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,False,[],"[{""description"": ""NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS"", ""link"": ""https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/""}]",Attackers might use ListOriginationNumbers to identify origination numbers for potential smishing campaings.,[],"[{""type"": ""commandLine"", ""value"": ""aws sns list-origination-numbers""}]",https://aws.permissions.cloud/iam/sns#sns-ListOriginationNumbers 
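Review bot: The reference title added to the GetFederationToken and GetCallerIdentity rows is `Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)`, with no space after the second comma; the same string is added to the DeleteAlarms row in the next hunk (@@ -29,7). It should read `Cloud-Conscious Tactics, Techniques, and Procedures (TTPs)`. Since docs/events.csv looks like a generated artifact of the per-event JSON definitions, the correction presumably belongs in those source files too, otherwise the next regeneration reintroduces it, and the same text would be carried into the dashboard note widgets that list these references.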
@@ -29,7 +29,7 @@ GetCredentialsForIdentity,cognito-identity.amazonaws.com,CognitoIdentity,Returns GetId,cognito-identity.amazonaws.com,CognitoIdentity,Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.,TA0004 - Privilege Escalation,T1078 - Valid Accounts,False,[],"[{""description"": ""Overpermissioned AWS Cognito Identity Pools"", ""link"": ""https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation""}]",Attackers might use GetId to get an IdentityID that might be then used to get AWS credentials.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/cognito-identity#cognito-identity-GetId PutLogEvents,logs.amazonaws.com,CloudWatchLogs,Uploads a batch of log events to the specified log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],"Attackers might use PutLogEvents to add benign log entries, effectively burying any signs of his malicious activities.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs put-log-events --log-group-name my-logs --log-stream-name 20150601 --log-events timestamp=$(date +%s%3N),message='TrailDiscover'""}]",https://aws.permissions.cloud/iam/logs#logs-PutLogEvents DescribeLogGroups,logs.amazonaws.com,CloudWatchLogs,Lists the specified log groups.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeLogGroups to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-log-groups 
--log-group-name-prefix TrailDiscover""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeLogGroups -DeleteAlarms,monitoring.amazonaws.com,CloudWatch,Deletes the specified alarms. You can delete up to 100 alarms in one operation.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS CloudWatch Alarm Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html""}]","Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",[],"[{""type"": ""commandLine"", ""value"": ""aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm""}]",https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms +DeleteAlarms,monitoring.amazonaws.com,CloudWatch,Deletes the specified alarms. You can delete up to 100 alarms in one operation.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS CloudWatch Alarm Deletion"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",[],"[{""type"": ""commandLine"", ""value"": ""aws cloudwatch delete-alarms --alarm-names TrailDiscoverAlarm""}]",https://aws.permissions.cloud/iam/cloudwatch#cloudwatch-DeleteAlarms DescribeSubscriptionFilters,logs.amazonaws.com,CloudWatchLogs,Lists the subscription filters for the specified log group.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": 
""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeSubscriptionFilters to discover CloudWatch log configurations.,[],"[{""type"": ""commandLine"", ""value"": ""aws logs describe-subscription-filters --log-group-name TrailDiscoverLogGroupName""}]",https://aws.permissions.cloud/iam/logs#logs-DescribeSubscriptionFilters DeleteLogGroup,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log group and permanently deletes all the archived log events associated with the log group.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Penetration testing of aws-based environments"", ""link"": ""https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogGroup to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-group --log-group-name TrailDiscoverLogGroup""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogGroup DeleteLogStream,logs.amazonaws.com,CloudWatchLogs,Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}]","Attackers might use DeleteLogStream to erase CloudWatch logs, erasing evidence of their activities within AWS.",[],"[{""type"": ""commandLine"", ""value"": ""aws logs delete-log-stream --log-group-name TrailDiscoverLogGroupName --log-stream-name 
TrailDiscoverLogStreamName""}]",https://aws.permissions.cloud/iam/logs#logs-DeleteLogStream 
@@ -40,6 +40,7 @@ CreateLogStream,logs.amazonaws.com,CloudWatchLogs,Creates a log stream for the s PasswordRecoveryRequested ,signin.amazonaws.com,SignIn,This is the CloudTrail event generated when you request a password recovery.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""An Ongoing AWS Phishing Campaign"", ""link"": ""https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/""}, {""description"": ""Disclosure of Security Incidents on imToken"", ""link"": ""https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken""}]",[],Attackers might start a password recovery process to steal AWS access if they have compromised the email of the user.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A SwitchRole,signin.amazonaws.com,SignIn,This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.,TA0008 - Lateral Movement,T1021 - Remote Services,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}]",Attackers might use SwitchRole when using the console to escalate privileges and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A ConsoleLogin,signin.amazonaws.com,SignIn,This is the CloudTrail event generated when you sign-in.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Responding to an attack in AWS"", ""link"": ""https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac""}, {""description"": ""Credential Phishing"", ""link"": ""https://ramimac.me/aws-phishing#credential-phishing""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": 
""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies"", ""link"": ""https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/""}]","[{""description"": ""Compromising AWS Console credentials"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/""}, {""description"": ""Create a Console Session from IAM Credentials"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might access via AWS console (generating a ConsoleLogin event).,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-6""}, {""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-3""}]","[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.initial-access.console-login-without-mfa""}]",N/A +GetSigninToken,signin.amazonaws.com,SignIn,Generate a SigninToken that can be used to 
login to the the AWS Management Console.,TA0001 - Initial Access,T1078 - Valid Accounts,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A CreateFunction20150331,lambda.amazonaws.com,Lambda,Creates a Lambda function.,"TA0003 - Persistence, TA0004 - Privilege Escalation, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""Mining Crypto"", ""link"": ""https://twitter.com/jonnyplatt/status/1471453527390277638""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreateFunction to deploy malicious code or functions, depending on the scenario this might allow the attacker to gain persistence, escalate privileges, or hijack resources.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-function --function-name my-function --runtime nodejs18.x --code S3Bucket=string --role arn:aws:iam::123456789012:role/service-role/MyTestFunction-role-tges6bf4""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateFunction CreateEventSourceMapping20150331,lambda.amazonaws.com,Lambda,Creates a mapping between an event source and an AWS Lambda 
function.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateEventSourceMapping to trigger unauthorized Lambda functions with malicious code.,[],"[{""type"": ""commandLine"", ""value"": ""aws lambda create-event-source-mapping --function-name my-function --batch-size 5 --event-source-arn arn:aws:sqs:us-west-2:123456789012:mySQSqueue""}]",https://aws.permissions.cloud/iam/lambda#lambda-CreateEventSourceMapping UpdateFunctionConfiguration20150331v2,lambda.amazonaws.com,Lambda,Modify the version-specific settings of a Lambda function.,TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""LambdaSpy - Implanting the Lambda execution environment (Part two)"", ""link"": ""https://www.clearvector.com/blog/lambda-spy/""}]","Attackers might use UpdateFunctionConfiguration to modify the behavior of Lambda functions, adding a layer that can allow persistence and/or data exfiltration.",[],"[{""type"": ""commandLine"", ""value"": ""aws lambda update-function-configuration --function-name my-function --memory-size 256""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-layer-extension""}]",https://aws.permissions.cloud/iam/lambda#lambda-UpdateFunctionConfiguration 
@@ -76,12 +77,13 @@ GetAccountAuthorizationDetails,iam.amazonaws.com,IAM,"Retrieves information abou AddUserToGroup,iam.amazonaws.com,IAM,Adds the specified user to the specified group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup ListGroups,iam.amazonaws.com,IAM,Lists the IAM groups that have the specified path prefix.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroups UpdateAccessKey,iam.amazonaws.com,IAM,"Changes the status of the specified access key from Active to Inactive, or vice versa.",TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS - IAM Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc""}]","Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-access-key --access-key-id 
AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey -ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers +ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers UpdateAssumeRolePolicy,iam.amazonaws.com,IAM,Updates the policy that grants an IAM entity permission to assume a role.,"TA0003 - Persistence, TA0004 - 
Privilege Escalation",T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]",Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy CreateAccessKey,iam.amazonaws.com,IAM,Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by 
shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-access-key --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey CreatePolicyVersion,iam.amazonaws.com,IAM,Creates a new version of the specified managed policy.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": 
""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion DeleteUserPolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy ListRoles,iam.amazonaws.com,IAM,Lists the IAM roles that have the specified path prefix. 
,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-roles""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListRoles +UpdateSAMLProvider,iam.amazonaws.com,IAM,Updates the metadata document for an existing SAML provider resource object.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,False,[],"[{""description"": ""Gaining AWS Persistence by Updating a SAML Identity Provider"", ""link"": ""https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5""}]",Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider PutRolePermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM role's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePermissionsBoundary to modify permissions 
boundaries, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary StartSSO,sso.amazonaws.com,SSO,Initialize AWS IAM Identity Center,TA0003 - Persistence,T1136 - Create Account,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]",[],Attackers use StartSSO to establish persistent footholds.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/sso#sso-StartSSO PutUserPermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM user's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary 
@@ -116,9 +118,9 @@ AddRoleToInstanceProfile,iam.amazonaws.com,IAM,Adds the specified IAM role to th DeactivateMFADevice,iam.amazonaws.com,IAM,Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS IAM Deactivation of MFA Device"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html""}]","Attackers might use DeactivateMFADevice to disable multi-factor authentication, potentially weakening account security.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam deactivate-mfa-device --user-name TrailDiscover --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice""}]",https://aws.permissions.cloud/iam/iam#iam-DeactivateMFADevice AttachGroupPolicy,iam.amazonaws.com,IAM,Attaches the specified managed policy to the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AttachGroupPolicy to assign malicious policies to a group, escalating privileges or enabling unauthorized access.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AttachGroupPolicy GetLoginProfile,iam.amazonaws.com,IAM,Retrieves the user name for the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might 
use GetLoginProfile to know if the account has a login profile or to get its user name.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam get-login-profile --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetLoginProfile -GetSecretValue,secretsmanager.amazonaws.com,SecretsManager,"Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue +GetSecretValue,secretsmanager.amazonaws.com,SecretsManager,"Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": 
""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use GetSecretValue to illicitly access sensitive information stored in the SecretsManager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager get-secret-value --secret-id TrailDiscoverSecretId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-GetSecretValue DescribeSecret,secretsmanager.amazonaws.com,SecretsManager,Retrieves the details of a secret.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use DescribeSecret to get more information about the secrets that are stored in Secrets Manager.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager describe-secret --secret-id TrailDiscover""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-DescribeSecret -ListSecrets,secretsmanager.amazonaws.com,SecretsManager,"Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.",TA0006 - Credential Access,T1555 - Credentials from Password 
Stores,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListSecrets to list all the secrets and potentially access to them later.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager list-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets +ListSecrets,secretsmanager.amazonaws.com,SecretsManager,"Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.",TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],Attackers might use ListSecrets to list all the secrets and potentially access to them later.,[],"[{""type"": ""commandLine"", ""value"": ""aws secretsmanager list-secrets""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets""}]",https://aws.permissions.cloud/iam/secretsmanager#secretsmanager-ListSecrets CreateUser,transfer.amazonaws.com,TransferFamily,Creates a user and associates them with an existing file transfer protocol-enabled server.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateUser to use the Transfer Family service.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-user --server-id s-1234567890abcdef0 --user-name TrailDiscover --role arn:aws:iam::123456789012:role/TrailDiscover --home-directory /TrailDiscover""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateUser CreateServer,transfer.amazonaws.com,TransferFamily,Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use CreateServer to create a server that allows to transfer files into and out of AWS storage services.,[],"[{""type"": ""commandLine"", ""value"": ""aws transfer create-server --protocols SFTP --endpoint-type PUBLIC --identity-provider-type SERVICE_MANAGED""}]",https://aws.permissions.cloud/iam/transfer#transfer-CreateServer 
DescribeLoadBalancers,elasticloadbalancing.amazonaws.com,ELBv2,Describes the specified load balancers or all of your load balancers.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data"", ""link"": ""https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994""}]",Attackers might use DescribeLoadBalancers to get information about the load balancers for potential future attacks.,[],"[{""type"": ""commandLine"", ""value"": ""aws elbv2 describe-load-balancers --names TrailDiscoverLoadBalancer""}]",https://aws.permissions.cloud/iam/elasticloadbalancing#elasticloadbalancing-DescribeLoadBalancers 
@@ -136,8 +138,8 @@ ScheduleKeyDeletion,kms.amazonaws.com,KMS,Schedules the deletion of a KMS key.,T Encrypt,kms.amazonaws.com,KMS,"Encrypts plaintext of up to 4,096 bytes using a KMS key. ",TA0040 - Impact,T1486 - Data Encrypted for Impact,True,"[{""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}]",[],Attackers might use Encrypt to encrypt data for ransom.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/kms#kms-Encrypt LookupEvents,cloudtrail.amazonaws.com,CloudTrail,Looks up management events or CloudTrail Insights events that are captured by CloudTrail.,TA0007 - Discovery,T1654 - Log Enumeration,True,"[{""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],Attackers might use LookupEvents to monitoring CloudTrail logs for changes that might affect the attack.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TrailDiscover""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-LookupEvents StopLogging,cloudtrail.amazonaws.com,CloudTrail,Suspends the recording of AWS API calls and log file delivery for the specified trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Stopping a CloudTrail trail"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/""}, {""description"": ""AWS Defense Evasion Stop Logging Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/""}, 
{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use StopLogging to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail stop-logging --name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-StopLogging -UpdateTrail,cloudtrail.amazonaws.com,CloudTrail,"Updates trail settings that control what events you are logging, and how to handle log files.",TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use UpdateTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": 
""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail -DeleteTrail,cloudtrail.amazonaws.com,CloudTrail,Deletes a trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS Defense Evasion Delete Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use DeleteTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail delete-trail --name TrailDiscoverTrailName""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail +UpdateTrail,cloudtrail.amazonaws.com,CloudTrail,"Updates trail settings that control what events you are logging, and how to handle log files.",TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": 
""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion and Centralized Multi-Account Logging"", ""link"": ""https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/""}, {""description"": ""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use UpdateTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail update-trail --name TrailDiscoverName --s3-bucket-name TrailDiscoverBucketName""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-UpdateTrail +DeleteTrail,cloudtrail.amazonaws.com,CloudTrail,Deletes a trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""AWS Defense Evasion Delete Cloudtrail"", ""link"": ""https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/""}, {""description"": ""Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail"", ""link"": ""https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/""}, {""description"": 
""Disrupting AWS logging"", ""link"": ""https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594""}]",Attackers might use DeleteTrail to disrupting AWS logging.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-5""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws cloudtrail delete-trail --name TrailDiscoverTrailName""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-DeleteTrail PutEventSelectors,cloudtrail.amazonaws.com,CloudTrail,Configures an event selector or advanced event selectors for your trail.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""cloudtrail_guardduty_bypass"", ""link"": ""https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass""}, {""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use PutEventSelectors to disrupting AWS logging.,[],"[{""type"": ""commandLine"", ""value"": ""aws cloudtrail put-event-selectors --trail-name TrailDiscover --event-selectors '[{\""ReadWriteType\"": \""All\"", \""IncludeManagementEvents\"":true, \""DataResources\"": [{\""Type\"": \""AWS::S3::Object\"", \""Values\"": [\""arn:aws:s3\""]}] }]'""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors""}]",https://aws.permissions.cloud/iam/cloudtrail#cloudtrail-PutEventSelectors UpdateGraphqlApi,appsync.amazonaws.com,AppSync,Updates a GraphqlApi object.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use UpdateGraphqlApi to add additional authentications options. Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync update-graphql-api --api-id TrailDiscoverApiId --name TrailDiscoverName --log-config cloudWatchLogsRoleArn=TrailDiscoverRoleArn,fieldLogLevel=TrailDiscoverLogLevel""}]",https://aws.permissions.cloud/iam/appsync#appsync-UpdateGraphqlApi CreateApiKey,appsync.amazonaws.com,AppSync,Creates a unique key that you can distribute to clients who invoke your API.,"TA0005 - Defense Evasion, TA0003 - Persistence","T1578 - Modify Cloud Compute Infrastructure, T1556 - Modify Authentication Process",False,[],"[{""description"": ""Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor"", ""link"": ""https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8""}]",Attackers might use CreateApiKey to add a key they control for authentication. Bypassing current authentication and potentially allowing persistent access to data.,[],"[{""type"": ""commandLine"", ""value"": ""aws appsync create-api-key --api-id TrailDiscoverApiId""}]",https://aws.permissions.cloud/iam/appsync#appsync-CreateApiKey 
@@ -194,7 +196,7 @@ DescribeInstances,ec2.amazonaws.com,EC2,Describes the specified instances or all GetTransitGatewayRouteTableAssociations,ec2.amazonaws.com,EC2,Gets information about the associations for the specified transit gateway route table.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations ModifySnapshotAttribute,ec2.amazonaws.com,EC2,Adds or removes permission settings for the specified snapshot.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight"", ""link"": ""https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/""}]",[],"Attackers might use ModifySnapshotAttribute to change permissions on Amazon EBS snapshots, potentially making them accessible to unauthorized users or public.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-snapshot-attribute --snapshot-id snap-046281ab24d756c50 --attribute createVolumePermission --operation-type remove --user-ids 123456789012""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifySnapshotAttribute CreateDefaultVpc,ec2.amazonaws.com,EC2,Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use CreateDefaultVpc to create a VPC and lauch EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-default-vpc""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateDefaultVpc -DeleteFlowLogs,ec2.amazonaws.com,EC2,Deletes one or more flow logs.,TA0005 - Defense Evasion,T1089 - Disabling Security Tools,False,[],"[{""description"": ""Removing VPC flow logs"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/""}, {""description"": ""AWS Incident Response"", ""link"": ""https://github.com/easttimor/aws-incident-response""}, {""description"": ""Proactive Cloud Security w/ AWS Organizations"", ""link"": ""https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16""}]",Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs +DeleteFlowLogs,ec2.amazonaws.com,EC2,Deletes one or more flow logs.,TA0005 - Defense Evasion,T1089 - Disabling Security Tools,True,"[{""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Removing VPC flow logs"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/""}, {""description"": ""AWS Incident Response"", ""link"": ""https://github.com/easttimor/aws-incident-response""}, {""description"": ""Proactive Cloud Security w/ AWS Organizations"", ""link"": ""https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16""}]",Attackers might use DeleteFlowLogs to remove records of network traffic within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-flow-logs --flow-log-ids TrailDiscoverFlowLogId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteFlowLogs GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. 
You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings, network configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData CreateNetworkAclEntry,ec2.amazonaws.com,EC2,Creates an entry (a rule) in a network ACL with the specified rule number.,TA0003 - Persistence,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS EC2 Network Access Control List Creation"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html""}, {""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}]",Attackers might use CreateNetworkAclEntry to allow traffic to the network from an IP they control.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-11""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateNetworkAclEntry DescribeKeyPairs,ec2.amazonaws.com,EC2,Describes the specified key pairs or all of your key pairs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Behind the scenes in the 
Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}]",[],Attackers might use DescribeKeyPairs to audit the SSH key pairs associated with EC2 instances,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-key-pairs --key-names TrailDiscoverKeyPair""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeKeyPairs 
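Review bot: The rewritten DeleteFlowLogs line still maps the event to `T1089 - Disabling Security Tools`, an ATT&CK technique ID that has been revoked and folded into T1562.001 (Impair Defenses: Disable or Modify Tools); since the line is being regenerated anyway, this is the moment to change it to `T1562 - Impair Defenses`, which the UpdateTrail and DeleteTrail records in the previous hunk already use for the same defense-evasion tactic. If this CSV is produced from events/EC2/DeleteFlowLogs.json (listed in the diffstat), the technique should be changed there so the regenerated docs and dashboard stay consistent.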
@@ -215,7 +217,7 @@ DescribeDhcpOptions,ec2.amazonaws.com,EC2,Describes one or more of your DHCP opt AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": ""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": 
""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress DescribeVpcEndpointConnectionNotifications,ec2.amazonaws.com,EC2,Describes the connection notifications for VPC endpoints and VPC endpoint services.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications DescribeFlowLogs,ec2.amazonaws.com,EC2,Describes one or more flow logs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies 
From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs -SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey +SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": 
""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey DescribeSnapshotAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified snapshot.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute DescribeVolumesModifications,ec2.amazonaws.com,EC2,Describes the most recent volume modification request for the specified EBS 
volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVolumesModifications to track changes in EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications DescribeRegions,ec2.amazonaws.com,EC2,"Describes the Regions that are enabled for your account, or all Regions.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be weaker.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-regions""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions 
@@ -238,7 +240,7 @@ DescribeClientVpnRoutes,ec2.amazonaws.com,EC2,Describes the routes for the speci GetLaunchTemplateData,ec2.amazonaws.com,EC2,Retrieves the configuration data of the specified instance. You can use this data to create a launch template.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetLaunchTemplateData to obtain configurations of EC2 launch templates, identifying predefined instance settings or network configuration.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-launch-template-data --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetLaunchTemplateData CreateImage,ec2.amazonaws.com,EC2,Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]",[],Attackers might use CreateImage to create images from running EC2s and use them after adding their own keys,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-image --instance-id TrailDiscoverInstanceId --name \""TrailDiscoverImageName\"" --description \""TrailDiscoverImageDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateImage AuthorizeSecurityGroupEgress,ec2.amazonaws.com,EC2,Adds the specified outbound (egress) rules to a security group.,TA0010 - Exfiltration,T1048 - Exfiltration Over Alternative Protocol,True,"[{""description"": ""Trouble in Paradise"", ""link"": ""https://blog.darklab.hk/2021/07/06/trouble-in-paradise/""}]",[],Attackers might use 
AuthorizeSecurityGroupEgress to allow exfiltration.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-egress --group-id sg-1a2b3c4d --ip-permissions IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=10.0.0.0/16}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupEgress -SendSerialConsoleSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],"Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey +SendSerialConsoleSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]",[],"Attackers might use SendSerialConsoleSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSerialConsoleSSHPublicKey ModifyImageAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified AMI.,TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,False,[],"[{""description"": ""AWS AMI Atttribute Modification for Exfiltration"", ""link"": ""https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/""}]","Attackers might use ModifyImageAttribute to alter permissions or settings of Amazon Machine Images (AMIs), potentially exposing them to unauthorized users or making them public.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-image-attribute --image-id TrailDiscoverImageId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyImageAttribute ModifyDBSnapshotAttribute,rds.amazonaws.com,RDS,"Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,True,"[{""description"": ""Imperva Security Update"", ""link"": ""https://www.imperva.com/blog/ceoblog/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Stealing an RDS database by creating a snapshot and sharing it"", ""link"": 
""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]","Attackers might use ModifyDBSnapshotAttribute to alter database snapshot permissions, potentially gaining unauthorized access to sensitive data via sharing it.",[],"[{""type"": ""commandLine"", ""value"": ""aws rds modify-db-snapshot-attribute --db-snapshot-identifier TrailDiscoverDBSnapshotIdentifier --attribute-name TrailDiscoverAttributeName --values-to-add TrailDiscoverValuesToAdd""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot""}]",https://aws.permissions.cloud/iam/rds#rds-ModifyDBSnapshotAttribute AuthorizeDBSecurityGroupIngress,rds.amazonaws.com,RDS,Enables ingress to a DBSecurityGroup using one of two forms of authorization.,TA0005 - Defense Evasion,T1578 - Modify Cloud Compute Infrastructure,False,[],"[{""description"": ""Enhancing Your Security Visibility and DetectionResponse Operations in AWS"", ""link"": ""https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf""}, {""description"": ""Hunting AWS RDS security events with Sysdig"", ""link"": ""https://sysdig.com/blog/aws-rds-security-events-sysdig/""}]",Attackers might use AuthorizeDBSecurityGroupIngress to allow unauthorized access to the database by modifying security group rules.,[],"[{""type"": ""commandLine"", ""value"": ""aws rds authorize-db-security-group-ingress --db-security-group-name TrailDiscoverDBSecurityGroupName --cidrip TrailDiscoverCIDRIP""}]",https://aws.permissions.cloud/iam/rds#rds-AuthorizeDBSecurityGroupIngress 
@@ -253,7 +255,7 @@ CreateDevEndpoint,glue.amazonaws.com,Glue,Creates a new development endpoint.,TA UpdateJob,glue.amazonaws.com,Glue,Updates an existing job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws glue update-job --job-name TrailDiscoverJob --job-update '{\""Role\"": \""TrailDiscoverRole\"", \""Command\"": {\""Name\"": \""glueetl\"", \""ScriptLocation\"": \""s3://mybucket/myscript.py\""}}'""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateJob CreateJob,glue.amazonaws.com,Glue,Creates a new job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\""--job-language\"": \""python\""}'""}]",https://aws.permissions.cloud/iam/glue#glue-CreateJob UpdateDevEndpoint,glue.amazonaws.com,Glue,Updates a specified development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining 
unauthorized access to data.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue update-dev-endpoint --endpoint-name TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint -SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand +SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral 
Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand GetParameters,ssm.amazonaws.com,SSM,Get information about one or more parameters by specifying multiple parameter names.,"TA0007 - Discovery, TA0006 - Credential Access","T1526 - Cloud Service Discovery, T1552 - Unsecured Credentials",False,[],"[{""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm get-parameters --names 
TrailDiscoverParameters""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters""}]",https://aws.permissions.cloud/iam/ssm#ssm-GetParameters StartSession,ssm.amazonaws.com,SSM,"Initiates a connection to a target (for example, a managed node) for a Session Manager session.","TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}]",Attackers might use StartSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm start-session --target TrailDiscoverTarget""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session""}]",https://aws.permissions.cloud/iam/ssm#ssm-StartSession DescribeInstanceInformation,ssm.amazonaws.com,SSM,"Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to 
unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds""}]",https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation 
@@ -273,7 +275,7 @@ UpdateDetector,guardduty.amazonaws.com,GuardDuty,Updates the GuardDuty detector GetFindings,guardduty.amazonaws.com,GuardDuty,Returns a list of findings that match the specified criteria.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-findings --detector-id TrailDiscoverDetectorId --finding-ids TrailDiscoverFindingIds""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetFindings ListFindings,guardduty.amazonaws.com,GuardDuty,Lists GuardDuty findings for the specified detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use ListFindings to identify if previous actions generated alerts.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-findings --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListFindings ListDetectors,guardduty.amazonaws.com,GuardDuty,Lists detectorIds of all the existing Amazon GuardDuty detector resources.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListDetectors to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-detectors""}, {""type"": 
""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListDetectors -DeleteDetector,guardduty.amazonaws.com,GuardDuty,Deletes an Amazon GuardDuty detector that is specified by the detector ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS GuardDuty detector deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/""}, {""description"": ""AWS GuardDuty Evasion"", ""link"": ""https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}]","Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector +DeleteDetector,guardduty.amazonaws.com,GuardDuty,Deletes an Amazon GuardDuty detector that is specified by the detector ID.,TA0005 - Defense Evasion,T1562 - Impair Defenses,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""AWS GuardDuty detector deleted"", ""link"": ""https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/""}, {""description"": ""AWS GuardDuty Evasion"", ""link"": ""https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1""}, {""description"": ""Threat Hunting with CloudTrail and GuardDuty 
in Splunk"", ""link"": ""https://www.chrisfarris.com/post/reinforce-threat-hunting/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}]","Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeleteDetector GetDetector,guardduty.amazonaws.com,GuardDuty,Retrieves an Amazon GuardDuty detector specified by the detectorId.,TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers might use GetDetector to identify active threat detection systems in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty get-detector --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-GetDetector DeletePublishingDestination,guardduty.amazonaws.com,GuardDuty,Deletes the publishing definition with the specified destinationId.,TA0005 - Defense Evasion,T1562 - Impair Defenses,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use DeletePublishingDestination to disrupt the security monitoring and incident response process in AWS GuardDuty.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty delete-publishing-destination --detector-id TrailDiscoverDetectorId --destination-id TrailDiscoverDestinationId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-DeletePublishingDestination 
ListIPSets,guardduty.amazonaws.com,GuardDuty,Lists the IPSets of the GuardDuty service specified by the detector ID.,TA0007 - Discovery,T1526 - Cloud Service Discovery,False,[],"[{""description"": ""Modify GuardDuty Configuration"", ""link"": ""https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/""}]",Attackers might use ListIPSets to identify what IPs won't generate an alert.,[],"[{""type"": ""commandLine"", ""value"": ""aws guardduty list-ip-sets --detector-id TrailDiscoverDetectorId""}]",https://aws.permissions.cloud/iam/guardduty#guardduty-ListIPSets
diff --git a/docs/events.json b/docs/events.json
index 338100b..8186d35 100644
--- a/docs/events.json
+++ b/docs/events.json
@@ -291,7 +291,7 @@
 "researchLinks": [
 {
 "description": "An AWS account attempted to leave the AWS Organization",
- "link": "hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"
+ "link": "https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/"
 }
 ],
 "securityImplications": "Attackers might use LeaveOrganization to disassociate resources and disrupt the structure of AWS organizations.",
@@ -417,6 +417,10 @@
 {
 "description": "New tactics and techniques for proactive threat detection",
 "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
@@ -589,6 +593,10 @@
 {
 "description": "Detecting AI resource-hijacking with Composite Alerts",
 "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
@@ -1006,6 +1014,10 @@
 {
 "description": "AWS CloudWatch Alarm Deletion",
 "link": "https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "securityImplications": "Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",
@@ -1366,6 +1378,35 @@
 ],
 "permissions": "N/A"
 },
+ {
+ "eventName": "GetSigninToken",
+ "eventSource": "signin.amazonaws.com",
+ "awsService": "SignIn",
+ "description": "Generate a SigninToken that can be used to login to the the AWS Management Console.",
+ "mitreAttackTactics": [
+ "TA0001 - Initial Access"
+ ],
+ "mitreAttackTechniques": [
+ "T1078 - Valid Accounts"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "N/A"
+ }
+ ],
+ "permissions": "N/A"
+ },
 {
 "eventName": "CreateFunction20150331",
 "eventSource": "lambda.amazonaws.com",
@@ -2596,6 +2637,10 @@
 {
 "description": "Muddled Libra\u2019s Evolution to the Cloud",
 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
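Review bot: The new GetSigninToken entry ships with two wording defects: `description` doubles a word (`login to the the AWS Management Console`) and `securityImplications` does not parse (`Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.`). A reading that matches the T1078 tag would be `"securityImplications": "Attackers holding valid federated credentials (for example an AWS IAM Identity Center / SSO identity) might use GetSigninToken to obtain an AWS Management Console session without an interactive sign-in."`. If the cited talk also covers exchanging temporary credentials for a console token through the federation sign-in endpoint, stating that here would tell a detection engineer which preceding STS call to correlate this event with; I cannot confirm that from the hunk. The recurring new link title `Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)` is missing a space after the second comma, and since docs/events.json appears to be generated, the fixes presumably belong in events/SignIn/GetSigninToken.json too.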
@@ -2858,6 +2903,36 @@
 ],
 "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListRoles"
 },
+ {
+ "eventName": "UpdateSAMLProvider",
+ "eventSource": "iam.amazonaws.com",
+ "awsService": "IAM",
+ "description": "Updates the metadata document for an existing SAML provider resource object.",
+ "mitreAttackTactics": [
+ "TA0003 - Persistence",
+ "TA0004 - Privilege Escalation"
+ ],
+ "mitreAttackTechniques": [
+ "T1098 - Account Manipulation"
+ ],
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
+ {
+ "description": "Gaining AWS Persistence by Updating a SAML Identity Provider",
+ "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5"
+ }
+ ],
+ "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider"
+ },
 {
 "eventName": "PutRolePermissionsBoundary",
 "eventSource": "iam.amazonaws.com",
@@ -4123,6 +4198,10 @@
 {
 "description": "Muddled Libra\u2019s Evolution to the Cloud",
 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
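Review bot: `securityImplications` in the new UpdateSAMLProvider entry misspells `later` as `latter` and leaves the mechanism implicit; suggested text: `"securityImplications": "Attackers might use UpdateSAMLProvider to replace a SAML provider's metadata document (which carries the IdP signing certificate) with one they control, so they can later mint assertions signed with their own key and assume any role whose trust policy references that provider."`. Because this modifies a federation trust rather than an account, `T1484.002 - Trust Modification` fits better than, or alongside, `T1098 - Account Manipulation`. The simulation hard-codes `arn:aws:iam::123456789012:saml-provider/traildiscover`, while the other simulations in this file use `TrailDiscover…` placeholders for resource identifiers; `--saml-provider-arn TrailDiscoverSAMLProviderArn` would be consistent. docs/events.json looks generated, so the same edits presumably belong in events/IAM/UpdateSAMLProvider.json.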
@@ -4197,6 +4276,10 @@
 {
 "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets",
 "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
@@ -4757,8 +4840,13 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "AWS Defense Evasion and Centralized Multi-Account Logging",
@@ -4799,11 +4887,15 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
- "usedInWild": false,
+ "usedInWild": true,
 "incidents": [
 {
 "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD",
 "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
@@ -6854,8 +6946,13 @@
 "mitreAttackTechniques": [
 "T1089 - Disabling Security Tools"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "Removing VPC flow logs",
@@ -7619,6 +7716,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
@@ -8423,6 +8524,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
@@ -8917,6 +9022,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
@@ -9621,6 +9730,10 @@
 {
 "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
 "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",
diff --git a/events/CloudTrail/DeleteTrail.json b/events/CloudTrail/DeleteTrail.json
index 8ef8b21..a03533d 100644
--- a/events/CloudTrail/DeleteTrail.json
+++ b/events/CloudTrail/DeleteTrail.json
@@ -9,11 +9,15 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
- "usedInWild": false,
+ "usedInWild": true,
 "incidents": [
 {
 "description": "LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD",
 "link": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/CloudTrail/UpdateTrail.json b/events/CloudTrail/UpdateTrail.json
index 5c10778..05d84ad 100644
--- a/events/CloudTrail/UpdateTrail.json
+++ b/events/CloudTrail/UpdateTrail.json
@@ -9,8 +9,13 @@
 "mitreAttackTechniques": [
 "T1562 - Impair Defenses"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "AWS Defense Evasion and Centralized Multi-Account Logging",
diff --git a/events/CloudWatch/DeleteAlarms.json b/events/CloudWatch/DeleteAlarms.json
index 40278d0..9fae105 100644
--- a/events/CloudWatch/DeleteAlarms.json
+++ b/events/CloudWatch/DeleteAlarms.json
@@ -15,6 +15,10 @@
 {
 "description": "AWS CloudWatch Alarm Deletion",
 "link": "https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "securityImplications": "Attackers might use DeleteAlarms to disable critical CloudWatch alerts, undermining AWS environment monitoring",
diff --git a/events/EC2/DeleteFlowLogs.json b/events/EC2/DeleteFlowLogs.json
index aaef94a..8ed872b 100644
--- a/events/EC2/DeleteFlowLogs.json
+++ b/events/EC2/DeleteFlowLogs.json
@@ -9,8 +9,13 @@
 "mitreAttackTechniques": [
 "T1089 - Disabling Security Tools"
 ],
- "usedInWild": false,
- "incidents": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
 "researchLinks": [
 {
 "description": "Removing VPC flow logs",
diff --git a/events/EC2/SendSSHPublicKey.json b/events/EC2/SendSSHPublicKey.json
index 7e5a468..aca3075 100644
--- a/events/EC2/SendSSHPublicKey.json
+++ b/events/EC2/SendSSHPublicKey.json
@@ -18,6 +18,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/EC2/SendSerialConsoleSSHPublicKey.json b/events/EC2/SendSerialConsoleSSHPublicKey.json
index a265d97..49f5d9d 100644
--- a/events/EC2/SendSerialConsoleSSHPublicKey.json
+++ b/events/EC2/SendSerialConsoleSSHPublicKey.json
@@ -18,6 +18,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/GuardDuty/DeleteDetector.json b/events/GuardDuty/DeleteDetector.json
index 5b497a0..efacc01 100644
--- a/events/GuardDuty/DeleteDetector.json
+++ b/events/GuardDuty/DeleteDetector.json
@@ -28,6 +28,10 @@
 {
 "description": "Threat Hunting with CloudTrail and GuardDuty in Splunk",
 "link": "https://www.chrisfarris.com/post/reinforce-threat-hunting/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "securityImplications": "Attackers might use DeleteDetector to disable GuardDuty, thereby evading detection of malicious activity.",
diff --git a/events/IAM/ListUsers.json b/events/IAM/ListUsers.json
index f4b44c6..2384fbc 100644
--- a/events/IAM/ListUsers.json
+++ b/events/IAM/ListUsers.json
@@ -30,6 +30,10 @@
 {
 "description": "Muddled Libra\u2019s Evolution to the Cloud",
 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/IAM/UpdateSAMLProvider.json b/events/IAM/UpdateSAMLProvider.json
new file mode 100644
index 0000000..ea535b2
--- /dev/null
+++ b/events/IAM/UpdateSAMLProvider.json
@@ -0,0 +1,30 @@
+{
+ "eventName": "UpdateSAMLProvider",
+ "eventSource": "iam.amazonaws.com",
+ "awsService": "IAM",
+ "description": "Updates the metadata document for an existing SAML provider resource object.",
+ "mitreAttackTactics": [
+ "TA0003 - Persistence",
+ "TA0004 - Privilege Escalation"
+ ],
+ "mitreAttackTechniques": [
+ "T1098 - Account Manipulation"
+ ],
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
+ {
+ "description": "Gaining AWS Persistence by Updating a SAML Identity Provider",
+ "link": "https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5"
+ }
+ ],
+ "securityImplications": "Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider"
+}
\ No newline at end of file
diff --git a/events/IAM/UpdateSAMLProvider.json.cloudtrail b/events/IAM/UpdateSAMLProvider.json.cloudtrail
new file mode 100644
index 0000000..c2e79f0
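Review bot: The `securityImplications` sentence in the new events/IAM/UpdateSAMLProvider.json is hard to read ("for latter being able to assume the roles"); suggest `"securityImplications": "Attackers might use UpdateSAMLProvider to replace the metadata document of a SAML provider so that they can later assume the roles that trust this provider.",`. The entry lists `"TA0004 - Privilege Escalation"` while the only reference cited is a persistence write-up, so it may be worth either dropping that tactic or adding a reference that supports it. `alerting` is left empty even though the accompanying CloudTrail sample in this commit shows the request parameters carry the new `sAMLMetadataDocument` and the `sAMLProviderArn`, which is what a detection for this event would key on; if the repository has a conventional shape for `alerting` entries, adding one here would make the entry more useful.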
--- /dev/null
+++ b/events/IAM/UpdateSAMLProvider.json.cloudtrail
@@ -0,0 +1,51 @@
+[
+ {
+ "eventVersion": "1.10",
+ "userIdentity": {
+ "type": "AssumedRole",
+ "principalId": "AROATI5GJIISF5A6XXXXX:TrailDiscover",
+ "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_6c63ce732f255555/TrailDiscover",
+ "accountId": "123456789012",
+ "accessKeyId": "ASIATI5GJIISLXXXXXXX",
+ "sessionContext": {
+ "sessionIssuer": {
+ "type": "Role",
+ "principalId": "AROATI5GJIISF5A6XXXXX",
+ "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_6c63ce732f255555",
+ "accountId": "123456789012",
+ "userName": "AWSReservedSSO_AdministratorAccess_6c63ce732f255555"
+ },
+ "attributes": {
+ "creationDate": "2024-09-22T10:03:09Z",
+ "mfaAuthenticated": "false"
+ }
+ }
+ },
+ "eventTime": "2024-09-22T10:08:30Z",
+ "eventSource": "iam.amazonaws.com",
+ "eventName": "UpdateSAMLProvider",
+ "awsRegion": "us-east-1",
+ "sourceIPAddress": "1.1.1.1",
+ "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
+ "requestParameters": {
+ "sAMLMetadataDocument": "XXXXXurn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+ "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/AWSSSO_bafa1a00e8e55555_DO_NOT_DELETE"
+ },
+ "responseElements": {
+ "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/AWSSSO_bafa1a00e8e55555_DO_NOT_DELETE"
+ },
+ "requestID": "f150e1e5-03aa-4d86-8e88-df9cdc749bc7",
+ "eventID": "8750c8bf-356a-4bda-bb78-1265a90b32a7",
+ "readOnly": false,
+ "eventType": "AwsApiCall",
+ "managementEvent": true,
+ "recipientAccountId": "123456789012",
+ "eventCategory": "Management",
+ "tlsDetails": {
+ "tlsVersion": "TLSv1.3",
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "iam.amazonaws.com"
+ },
+ "sessionCredentialFromConsole": "true"
+ }
+]
\ No newline at end of file
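Review bot: The sample record uses `"sourceIPAddress": "1.1.1.1"`, which is a live public address rather than a documentation placeholder, and the same value appears in the new events/SignIn/GetSigninToken.json.cloudtrail sample. Shared samples are routinely pasted into detection rules and allow-lists, so the placeholder should come from an RFC 5737 documentation range, e.g. `"sourceIPAddress": "192.0.2.10",`. The account id 123456789012 and the X-masked principal and access key ids are already placeholders, so this brings the source address in line with the rest of the record.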
diff --git a/events/Organizations/LeaveOrganization.json b/events/Organizations/LeaveOrganization.json
index 26f7d6e..d088f55 100644
--- a/events/Organizations/LeaveOrganization.json
+++ b/events/Organizations/LeaveOrganization.json
@@ -35,4 +35,4 @@
 }
 ],
 "permissions": "https://aws.permissions.cloud/iam/organizations#organizations-LeaveOrganization"
-}
+}
\ No newline at end of file
diff --git a/events/SSM/SendCommand.json b/events/SSM/SendCommand.json
index e88931f..b33b872 100644
--- a/events/SSM/SendCommand.json
+++ b/events/SSM/SendCommand.json
@@ -16,6 +16,10 @@
 {
 "description": "Navigating the Cloud: Exploring Lateral Movement Techniques",
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/SecretsManager/GetSecretValue.json b/events/SecretsManager/GetSecretValue.json
index d0647a0..24ecd8e 100644
--- a/events/SecretsManager/GetSecretValue.json
+++ b/events/SecretsManager/GetSecretValue.json
@@ -18,6 +18,10 @@
 {
 "description": "Muddled Libra\u2019s Evolution to the Cloud",
 "link": "https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/SecretsManager/ListSecrets.json b/events/SecretsManager/ListSecrets.json
index 7abd9dd..5b2b0fa 100644
--- a/events/SecretsManager/ListSecrets.json
+++ b/events/SecretsManager/ListSecrets.json
@@ -22,6 +22,10 @@
 {
 "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets",
 "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [],
diff --git a/events/SecurityTokenService/GetCallerIdentity.json b/events/SecurityTokenService/GetCallerIdentity.json
index c210ba6..b16b462 100644
--- a/events/SecurityTokenService/GetCallerIdentity.json
+++ b/events/SecurityTokenService/GetCallerIdentity.json
@@ -30,6 +30,10 @@
 {
 "description": "Detecting AI resource-hijacking with Composite Alerts",
 "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/SecurityTokenService/GetFederationToken.json b/events/SecurityTokenService/GetFederationToken.json
index f1b958d..f2c17e3 100644
--- a/events/SecurityTokenService/GetFederationToken.json
+++ b/events/SecurityTokenService/GetFederationToken.json
@@ -18,6 +18,10 @@
 {
 "description": "New tactics and techniques for proactive threat detection",
 "link": "https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+ },
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
 }
 ],
 "researchLinks": [
diff --git a/events/SignIn/GetSigninToken.json b/events/SignIn/GetSigninToken.json
new file mode 100644
index 0000000..fe74861
--- /dev/null
+++ b/events/SignIn/GetSigninToken.json
@@ -0,0 +1,29 @@
+{
+ "eventName": "GetSigninToken",
+ "eventSource": "signin.amazonaws.com",
+ "awsService": "SignIn",
+ "description": "Generate a SigninToken that can be used to login to the the AWS Management Console.",
+ "mitreAttackTactics": [
+ "TA0001 - Initial Access"
+ ],
+ "mitreAttackTechniques": [
+ "T1078 - Valid Accounts"
+ ],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)",
+ "link": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might access via a Federated identity (such as AWS SSO) to the Management Console.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "N/A"
+ }
+ ],
+ "permissions": "N/A"
+}
\ No newline at end of file
diff --git a/events/SignIn/GetSigninToken.json.cloudtrail b/events/SignIn/GetSigninToken.json.cloudtrail
new file mode 100644
index 0000000..302216f
--- /dev/null
+++ b/events/SignIn/GetSigninToken.json.cloudtrail
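Review bot: The `description` of the new events/SignIn/GetSigninToken.json duplicates "the" (`"to login to the the AWS Management Console"`) and the `securityImplications` sentence does not read naturally; suggest `"description": "Generates a SigninToken that can be used to log in to the AWS Management Console.",` and `"securityImplications": "Attackers might use a federated identity (such as AWS SSO) to obtain a SigninToken and access the Management Console.",`. `simulation` carries a `commandLine` entry whose `value` is the string "N/A" and `permissions` is also "N/A", although every other entry in this commit puts a runnable command and a URL in those fields; if the repository has a convention for events without a CLI equivalent (an empty `simulation` array, or omitting the key), following it avoids a consumer treating "N/A" as a command or a link. The accompanying CloudTrail sample reports `"eventType": "AwsConsoleSignIn"` and `"MFAUsed": "No"`, which are the fields a detection for this event would look at and could be mentioned in `alerting` rather than leaving it empty.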
@@ -0,0 +1,54 @@
+[
+ {
+ "eventVersion": "1.08",
+ "userIdentity": {
+ "type": "AssumedRole",
+ "principalId": "AROATI5GJIISF5AXXXXXX:TrailDiscover",
+ "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_6c63ce732f555555/TrailDiscover",
+ "accountId": "123456789012",
+ "accessKeyId": "ASIATI5GJIISLXXXXXX",
+ "sessionContext": {
+ "sessionIssuer": {
+ "type": "Role",
+ "principalId": "AROATI5GJIISF5AXXXXXX",
+ "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AdministratorAccess_6c63ce732f555555",
+ "accountId": "123456789012",
+ "userName": "AWSReservedSSO_AdministratorAccess_6c63ce732f555555"
+ },
+ "webIdFederationData": {},
+ "attributes": {
+ "creationDate": "2024-09-24T08:12:45Z",
+ "mfaAuthenticated": "false"
+ }
+ }
+ },
+ "eventTime": "2024-09-24T08:12:45Z",
+ "eventSource": "signin.amazonaws.com",
+ "eventName": "GetSigninToken",
+ "awsRegion": "us-east-2",
+ "sourceIPAddress": "1.1.1.1",
+ "userAgent": "Jersey/${project.version} (HttpUrlConnection 17.0.12)",
+ "requestParameters": null,
+ "responseElements": {
+ "credentials": {
+ "accessKeyId": "ASIATI5GJIISLXXXXXX"
+ },
+ "GetSigninToken": "Success"
+ },
+ "additionalEventData": {
+ "MobileVersion": "No",
+ "MFAUsed": "No"
+ },
+ "eventID": "56678442-08db-4d88-af47-f994dd706a15",
+ "readOnly": false,
+ "eventType": "AwsConsoleSignIn",
+ "managementEvent": true,
+ "recipientAccountId": "123456789012",
+ "eventCategory": "Management",
+ "tlsDetails": {
+ "tlsVersion": "TLSv1.3",
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "us-east-2.signin.aws.amazon.com"
+ }
+ }
+]
\ No newline at end of file