new events from paloalto (#14)

docs/events.json

@@ -6144,6 +6144,10 @@
             {
                 "description": "User Data Script Persistence",
                 "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"
+            },
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
             }
         ],
         "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.",
@@ -6216,6 +6220,10 @@
             {
                 "description": "How to detect EC2 Serial Console enabled",
                 "link": "https://sysdig.com/blog/ec2-serial-console-enabled/"
+            },
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
             }
         ],
         "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.",
@@ -6384,6 +6392,10 @@
             {
                 "description": "Executing commands through EC2 user data",
                 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+            },
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
             }
         ],
         "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.",
@@ -7132,6 +7144,10 @@
             {
                 "description": "Executing commands through EC2 user data",
                 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+            },
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
             }
         ],
         "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.",
@@ -7363,7 +7379,12 @@
                 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
             }
         ],
-        "researchLinks": [],
+        "researchLinks": [
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+            }
+        ],
         "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",
         "alerting": [],
         "simulation": [
@@ -8622,6 +8643,10 @@
             {
                 "description": "Run Shell Commands on EC2 with Send Command or Session Manager",
                 "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"
+            },
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
             }
         ],
         "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.",
@@ -8746,6 +8771,37 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation"
     },
+    {
+        "eventName": "ResumeSession",
+        "eventSource": "ssm.amazonaws.com",
+        "awsService": "SSM",
+        "description": "Reconnects a session to a managed node after it has been disconnected.",
+        "mitreAttackTactics": [
+            "TA0008 - Lateral Movement",
+            "TA0002 - Execution"
+        ],
+        "mitreAttackTechniques": [
+            "T1021 - Remote Services",
+            "T1651 - Cloud Administration Command"
+        ],
+        "usedInWild": false,
+        "incidents": [],
+        "researchLinks": [
+            {
+                "description": "Attack Paths Into VMs in the Cloud",
+                "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+            }
+        ],
+        "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws ssm resume-session --session-id TrailDiscoverTarget"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"
+    },
     {
         "eventName": "CreateEmailIdentity",
         "eventSource": "ses.amazonaws.com",

events/EC2/EnableSerialConsoleAccess.json

@@ -20,6 +20,10 @@
         {
             "description": "How to detect EC2 Serial Console enabled",
             "link": "https://sysdig.com/blog/ec2-serial-console-enabled/"
+        },
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
         }
     ],
     "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.",

events/EC2/ModifyInstanceAttribute.json

@@ -27,6 +27,10 @@
         {
             "description": "User Data Script Persistence",
             "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"
+        },
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
         }
     ],
     "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.",

events/EC2/SendSSHPublicKey.json

@@ -20,7 +20,12 @@
             "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
         }
     ],
-    "researchLinks": [],
+    "researchLinks": [
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+        }
+    ],
     "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",
     "alerting": [],
     "simulation": [

events/EC2/StartInstances.json

@@ -22,6 +22,10 @@
         {
             "description": "Executing commands through EC2 user data",
             "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+        },
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
         }
     ],
     "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.",

events/EC2/StopInstances.json

@@ -22,6 +22,10 @@
         {
             "description": "Executing commands through EC2 user data",
             "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+        },
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
         }
     ],
     "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.",

events/SSM/ResumeSession.json

@@ -0,0 +1,31 @@
+{
+    "eventName": "ResumeSession",
+    "eventSource": "ssm.amazonaws.com",
+    "awsService": "SSM",
+    "description": "Reconnects a session to a managed node after it has been disconnected.",
+    "mitreAttackTactics": [
+        "TA0008 - Lateral Movement",
+        "TA0002 - Execution"
+    ],
+    "mitreAttackTechniques": [
+        "T1021 - Remote Services",
+        "T1651 - Cloud Administration Command"
+    ],
+    "usedInWild": false,
+    "incidents": [],
+    "researchLinks": [
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+        }
+    ],
+    "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.",
+    "alerting": [],
+    "simulation": [
+        {
+            "type": "commandLine",
+            "value": "aws ssm resume-session --session-id TrailDiscoverTarget"
+        }
+    ],
+    "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"
+}

events/SSM/SendCommand.json

@@ -26,6 +26,10 @@
         {
             "description": "Run Shell Commands on EC2 with Send Command or Session Manager",
             "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"
+        },
+        {
+            "description": "Attack Paths Into VMs in the Cloud",
+            "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
         }
     ],
     "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.",