From c64c6dbbe42670aab4af43a6deee1f216f1d21a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adan=20=C3=81lvarez?= Date: Thu, 20 Jun 2024 08:59:49 +0200 Subject: [PATCH] new events from paloalto (#14) --- docs/datadog_dashboard.json | 1488 +++++++++++---------- docs/events.csv | 13 +- docs/events.json | 58 +- events/EC2/EnableSerialConsoleAccess.json | 4 + events/EC2/ModifyInstanceAttribute.json | 4 + events/EC2/SendSSHPublicKey.json | 7 +- events/EC2/StartInstances.json | 4 + events/EC2/StopInstances.json | 4 + events/SSM/ResumeSession.json | 31 + events/SSM/SendCommand.json | 4 + 10 files changed, 926 insertions(+), 691 deletions(-) create mode 100644 events/SSM/ResumeSession.json diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json index e80fd22..c2839a7 100644 --- a/docs/datadog_dashboard.json +++ b/docs/datadog_dashboard.json @@ -166,7 +166,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(AssumeRoleWithWebIdentity OR SwitchRole OR EnableSerialConsoleAccess OR CreateVolume OR CreateSecurityGroup OR AuthorizeSecurityGroupIngress OR SendSSHPublicKey OR CreateSnapshot OR RunInstances OR AttachVolume OR SendSerialConsoleSSHPublicKey OR SendCommand OR StartSession) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(AssumeRoleWithWebIdentity OR SwitchRole OR EnableSerialConsoleAccess OR CreateVolume OR CreateSecurityGroup OR AuthorizeSecurityGroupIngress OR SendSSHPublicKey OR CreateSnapshot OR RunInstances OR AttachVolume OR SendSerialConsoleSSHPublicKey OR SendCommand OR StartSession OR ResumeSession) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" 
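Review bot: Adding ResumeSession to this aggregated `@evt.name:(...)` count conflates reconnection with new access: by the widget description added later in this same patch, ResumeSession reconnects a session that StartSession already opened, so one interactive session that drops and reconnects several times now increments this panel several times. If this panel is meant to approximate distinct access events, I would leave ResumeSession out of this query and keep it only in the SSM group, or make the inflation explicit in the panel title, e.g. `"title": "Access events (ResumeSession counted per reconnect)"`. The widget this query belongs to starts and ends outside the hunk, so I cannot tell whether its title already says this.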
@@ -256,7 +256,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(SendCommand OR StartSession) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(SendCommand OR StartSession OR ResumeSession) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" @@ -361,7 +361,7 @@ } }, { - "id": 2305546044, + "id": 3776046879, "definition": { "type": "group", "layout_type": "ordered", @@ -370,7 +370,7 @@ "show_title": true, "widgets": [ { - "id": 3491346210, + "id": 1500168988, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -389,7 +389,7 @@ } }, { - "id": 348695679, + "id": 603671517, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -431,7 +431,7 @@ } }, { - "id": 1994883157, + "id": 3677726936, "definition": { "type": "note", "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n", @@ -450,7 +450,7 @@ } }, { - "id": 3147199922, + "id": 2781229465, "definition": { "title": "GetSessionToken", "title_size": "16", 
@@ -492,7 +492,7 @@ } }, { - "id": 2820178153, + "id": 2485052917, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -511,7 +511,7 @@ } }, { - "id": 3972494918, + "id": 1687894333, "definition": { "title": "AssumeRole", "title_size": "16", @@ -553,7 +553,7 @@ } }, { - "id": 1948828461, + "id": 3675961305, "definition": { "type": "note", "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n", @@ -572,7 +572,7 @@ } }, { - "id": 3101145226, + "id": 2779463834, "definition": { "title": "AssumeRoleWithSAML", "title_size": "16", 
@@ -614,7 +614,7 @@ } }, { - "id": 274518384, + "id": 3429512177, "definition": { "type": "note", "content": "### [PasswordRecoveryRequested ](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested )\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n", @@ -633,7 +633,7 @@ } }, { - "id": 1426835149, + "id": 2632353593, "definition": { "title": "PasswordRecoveryRequested ", "title_size": "16", 
@@ -675,7 +675,7 @@ } }, { - "id": 1478095130, + "id": 4246526173, "definition": { "type": "note", "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -694,7 +694,7 @@ } }, { - "id": 482928247, + "id": 3350028702, "definition": { "title": "ConsoleLogin", "title_size": "16", 
@@ -745,7 +745,7 @@ } }, { - "id": 2607244630, + "id": 1882811693, "definition": { "type": "group", "layout_type": "ordered", @@ -754,10 +754,10 @@ "show_title": true, "widgets": [ { - "id": 150527882, + "id": 3056149781, "definition": { "type": "note", - "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", + "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -773,7 +773,7 @@ } }, { - "id": 1302844647, + "id": 2159652310, "definition": { "title": "SendCommand", "title_size": "16", 
@@ -815,7 +815,7 @@ } }, { - "id": 3683856788, + "id": 1185364541, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -834,7 +834,7 @@ } }, { - "id": 541206257, + "id": 288867070, "definition": { "title": "StartSession", "title_size": "16", 
@@ -874,6 +874,67 @@ "width": 2, "height": 2 } + }, + { + "id": 2899053131, + "definition": { + "type": "note", + "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 8, + "y": 0, + "width": 2, + "height": 2 + } + }, + { + "id": 2002555660, + "definition": { + "title": "ResumeSession", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 10, + "y": 0, + "width": 2, + "height": 2 + } } ] }, @@ -885,7 +946,7 @@ } }, { - "id": 1291511080, + "id": 160161285, "definition": { "type": "group", "layout_type": "ordered", 
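Review bot: The new ResumeSession note tells the reader what the API does but not why a defender should care, which is the purpose of these tiles. I would extend the `content` string after the description with a hunting hint such as: `ResumeSession is normally issued by the same principal that called StartSession; a ResumeSession whose userIdentity.arn or sourceIPAddress differs from the matching StartSession is worth pivoting on, since it may indicate session takeover or an over-broad ssm:ResumeSession grant.` The expectation about the caller is my reading of how Session Manager sessions are usually scoped — confirm it against the IAM condition keys before stating it as fact. Note also that the `search.query` has no outcome filter, so denied ResumeSession attempts are counted alongside successful ones; that is consistent with the other tiles and useful for hunting, but worth stating in the note if anyone baselines on this count.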
@@ -894,7 +955,7 @@ "show_title": true, "widgets": [ { - "id": 2261720749, + "id": 2149206830, "definition": { "type": "note", "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", @@ -913,7 +974,7 @@ } }, { - "id": 3414037514, + "id": 1352048246, "definition": { "title": "GetFederationToken", "title_size": "16", @@ -955,7 +1016,7 @@ } }, { - "id": 3741862281, + "id": 2117445661, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -974,7 +1035,7 @@ } }, { - "id": 599211750, + "id": 3467770725, "definition": { "title": "AssumeRole", "title_size": "16", 
@@ -1016,7 +1077,7 @@ } }, { - "id": 4050808580, + "id": 1835600702, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1035,7 +1096,7 @@ } }, { - "id": 908158049, + "id": 1038442118, "definition": { "title": "CreateFunction20150331", "title_size": "16", @@ -1077,7 +1138,7 @@ } }, { - "id": 2908238946, + "id": 2429323935, "definition": { "type": "note", "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n", @@ -1096,7 +1157,7 @@ } }, { - "id": 4060555711, + "id": 1532826464, "definition": { "title": "UpdateFunctionConfiguration20150331v2", "title_size": "16", 
@@ -1138,7 +1199,7 @@ } }, { - "id": 1224643528, + "id": 3385787293, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -1157,7 +1218,7 @@ } }, { - "id": 2376960293, + "id": 341806174, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -1199,7 +1260,7 @@ } }, { - "id": 3709412435, + "id": 4127557336, "definition": { "type": "note", "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -1218,7 +1279,7 @@ } }, { - "id": 566761904, + "id": 1083576217, "definition": { "title": "PutTargets", "title_size": "16", 
@@ -1260,7 +1321,7 @@ } }, { - "id": 2926859224, + "id": 3547405139, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -1279,7 +1340,7 @@ } }, { - "id": 4079175989, + "id": 503424020, "definition": { "title": "PutRule", "title_size": "16", @@ -1321,7 +1382,7 @@ } }, { - "id": 3742947155, + "id": 2471966862, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1340,7 +1401,7 @@ } }, { - "id": 2747780272, + "id": 3722953039, "definition": { "title": "UpdateLoginProfile", "title_size": "16", 
@@ -1382,7 +1443,7 @@ } }, { - "id": 2506869502, + "id": 3916644791, "definition": { "type": "note", "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", @@ -1401,7 +1462,7 @@ } }, { - "id": 3659186267, + "id": 872663672, "definition": { "title": "UpdateAccessKey", "title_size": "16", @@ -1443,7 +1504,7 @@ } }, { - "id": 3880712585, + "id": 3770888334, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1462,7 +1523,7 @@ } }, { - "id": 2885545702, + "id": 2874390863, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -1504,7 +1565,7 @@ } }, { - "id": 809260393, + "id": 3311550092, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1523,7 +1584,7 @@ } }, { - "id": 1961577158, + "id": 267568973, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -1565,7 +1626,7 @@ } }, { - "id": 1571428179, + "id": 4216541587, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1584,7 +1645,7 @@ } }, { - "id": 576261296, + "id": 1172560468, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -1626,7 +1687,7 @@ } }, { - "id": 2527323352, + "id": 2021964796, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1645,7 +1706,7 @@ } }, { - "id": 3679640117, + "id": 1224806212, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -1687,7 +1748,7 @@ } }, { - "id": 2677314770, + "id": 2542301040, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -1706,7 +1767,7 @@ } }, { - "id": 3829631535, + "id": 3793287217, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -1748,7 +1809,7 @@ } }, { - "id": 1801519944, + "id": 1459178230, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1767,7 +1828,7 @@ } }, { - "id": 2953836709, + "id": 2809503294, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -1809,7 +1870,7 @@ } }, { - "id": 3791463020, + "id": 2792039541, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -1828,7 +1889,7 @@ } }, { - "id": 648812489, + "id": 1994880957, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -1870,7 +1931,7 @@ } }, { - "id": 3328402698, + "id": 3159772453, "definition": { "type": "note", "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -1889,7 +1950,7 @@ } }, { - "id": 185752167, + "id": 2362613869, "definition": { "title": "CreateRole", "title_size": "16", @@ -1931,7 +1992,7 @@ } }, { - "id": 3651029906, + "id": 1417641780, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -1950,7 +2011,7 @@ } }, { - "id": 508379375, + "id": 521144309, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", @@ -1992,7 +2053,7 @@ } }, { - "id": 4184628886, + "id": 3343520255, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2011,7 +2072,7 @@ } }, { - "id": 3189462003, + "id": 299539136, "definition": { "title": "CreateApiKey", "title_size": "16", 
@@ -2053,7 +2114,7 @@ } }, { - "id": 569273645, + "id": 2268449601, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2072,7 +2133,7 @@ } }, { - "id": 3869074058, + "id": 1371952130, "definition": { "title": "UpdateResolver", "title_size": "16", 
@@ -2114,10 +2175,10 @@ } }, { - "id": 4071215149, + "id": 1323074939, "definition": { "type": "note", - "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", + "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -2133,7 +2194,7 @@ } }, { - "id": 3175387153, + "id": 2574061116, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -2175,7 +2236,7 @@ } }, { - "id": 2449401408, + "id": 75974345, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2194,7 +2255,7 @@ } }, { - "id": 3601718173, + "id": 1426299409, "definition": { "title": "CreateSecurityGroup", "title_size": "16", @@ -2236,7 +2297,7 @@ } }, { - "id": 2494312977, + "id": 2686206523, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", 
@@ -2255,7 +2316,7 @@ } }, { - "id": 3646629742, + "id": 3937192700, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -2297,7 +2358,7 @@ } }, { - "id": 1374668656, + "id": 2033716540, "definition": { "type": "note", "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -2316,7 +2377,7 @@ } }, { - "id": 478840660, + "id": 1137219069, "definition": { "title": "CreateNetworkAclEntry", "title_size": "16", @@ -2358,7 +2419,7 @@ } }, { - "id": 1017776000, + "id": 572259551, "definition": { "type": "note", "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", 
@@ -2377,7 +2438,7 @@ } }, { - "id": 2170092765, + "id": 1823245728, "definition": { "title": "CreateKeyPair", "title_size": "16", @@ -2419,7 +2480,7 @@ } }, { - "id": 2217450574, + "id": 1911142039, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -2438,7 +2499,7 @@ } }, { - "id": 3369767339, + "id": 3162128216, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -2480,7 +2541,7 @@ } }, { - "id": 4176218924, + "id": 3126092237, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2499,7 +2560,7 @@ } }, { - "id": 1033568393, + "id": 2229594766, "definition": { "title": "RunInstances", "title_size": "16", @@ -2541,7 +2602,7 @@ } }, { - "id": 285173680, + "id": 2833764934, "definition": { "type": "note", "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", @@ -2560,7 +2621,7 @@ } }, { - "id": 3584974093, + "id": 2036606350, "definition": { "title": "ImportKeyPair", "title_size": "16", 
@@ -2611,7 +2672,7 @@ } }, { - "id": 3620396430, + "id": 3798791322, "definition": { "type": "group", "layout_type": "ordered", @@ -2620,7 +2681,7 @@ "show_title": true, "widgets": [ { - "id": 3635543550, + "id": 1022588847, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -2639,7 +2700,7 @@ } }, { - "id": 492893019, + "id": 126091376, "definition": { "title": "AssumeRole", "title_size": "16", @@ -2681,7 +2742,7 @@ } }, { - "id": 3478776177, + "id": 3663175269, "definition": { "type": "note", "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2700,7 +2761,7 @@ } }, { - "id": 336125646, + "id": 619194150, "definition": { "title": "GetCredentialsForIdentity", "title_size": "16", 
@@ -2742,7 +2803,7 @@ } }, { - "id": 4266873809, + "id": 772163590, "definition": { "type": "note", "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -2761,7 +2822,7 @@ } }, { - "id": 1124223278, + "id": 2122488654, "definition": { "title": "GetId", "title_size": "16", @@ -2803,7 +2864,7 @@ } }, { - "id": 454843403, + "id": 4230390334, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2822,7 +2883,7 @@ } }, { - "id": 1607160168, + "id": 1186409215, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -2864,7 +2925,7 @@ } }, { - "id": 1617084941, + "id": 4049156439, "definition": { "type": "note", "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2883,7 +2944,7 @@ } }, { - "id": 2769401706, + "id": 3152658968, "definition": { "title": "CreateEventSourceMapping20150331", "title_size": "16", @@ -2925,7 +2986,7 @@ } }, { - "id": 3613423707, + "id": 1028994391, "definition": { "type": "note", "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2944,7 +3005,7 @@ } }, { - "id": 470773176, + "id": 132496920, "definition": { "title": "AddPermission20150331v2", "title_size": "16", @@ -2986,7 +3047,7 @@ } }, { - "id": 3537020288, + "id": 3944799601, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3005,7 +3066,7 @@ } }, { - "id": 394369757, + "id": 900818482, "definition": { "title": "Invoke", "title_size": "16", 
@@ -3047,7 +3108,7 @@ } }, { - "id": 1078140744, + "id": 726455443, "definition": { "type": "note", "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -3066,7 +3127,7 @@ } }, { - "id": 2230457509, + "id": 1977441620, "definition": { "title": "UpdateEventSourceMapping20150331", "title_size": "16", @@ -3108,7 +3169,7 @@ } }, { - "id": 706663821, + "id": 1736143798, "definition": { "type": "note", "content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3127,7 +3188,7 @@ } }, { - "id": 1858980586, + "id": 839646327, "definition": { "title": "DeleteRolePolicy", "title_size": "16", @@ -3169,7 +3230,7 @@ } }, { - "id": 2922328661, + "id": 2604161271, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -3188,7 +3249,7 @@ } }, { - "id": 4074645426, + "id": 3954486335, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -3230,7 +3291,7 @@ } }, { - "id": 2294465626, + "id": 1277771161, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3249,7 +3310,7 @@ } }, { - "id": 3446782391, + "id": 2628096225, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -3291,7 +3352,7 @@ } }, { - "id": 1637103716, + "id": 3378992563, "definition": { "type": "note", "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3310,7 +3371,7 @@ } }, { - "id": 641936833, + "id": 434350331, "definition": { "title": "AddUserToGroup", "title_size": "16", 
@@ -3352,7 +3413,7 @@ } }, { - "id": 3675054967, + "id": 3918855431, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3371,7 +3432,7 @@ } }, { - "id": 532404436, + "id": 974213199, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -3413,7 +3474,7 @@ } }, { - "id": 1508262512, + "id": 1312033541, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3432,7 +3493,7 @@ } }, { - "id": 2660579277, + "id": 415536070, "definition": { "title": "CreateAccessKey", "title_size": "16", 
@@ -3474,7 +3535,7 @@ } }, { - "id": 4173891056, + "id": 876152976, "definition": { "type": "note", "content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3493,7 +3554,7 @@ } }, { - "id": 1031240525, + "id": 4274622801, "definition": { "title": "CreatePolicyVersion", "title_size": "16", @@ -3535,7 +3596,7 @@ } }, { - "id": 2669461823, + "id": 2757754426, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3554,7 +3615,7 @@ } }, { - "id": 3821778588, + "id": 1861256955, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -3596,7 +3657,7 @@ } }, { - "id": 1261829161, + "id": 2463989380, "definition": { "type": "note", "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3615,7 +3676,7 @@ } }, { - "id": 2414145926, + "id": 1666830796, "definition": { "title": "PutRolePermissionsBoundary", "title_size": "16", 
@@ -3657,7 +3718,7 @@ } }, { - "id": 3078967908, + "id": 2028811793, "definition": { "type": "note", "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3676,7 +3737,7 @@ } }, { - "id": 2083801025, + "id": 3379136857, "definition": { "title": "PutUserPermissionsBoundary", "title_size": "16", @@ -3718,7 +3779,7 @@ } }, { - "id": 3395458907, + "id": 4137699138, "definition": { "type": "note", "content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3737,7 +3798,7 @@ } }, { - "id": 2499630911, + "id": 3241201667, "definition": { "title": "DeleteUserPermissionsBoundary", "title_size": "16", @@ -3779,7 +3840,7 @@ } }, { - "id": 2840256312, + "id": 793876953, "definition": { "type": "note", "content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3798,7 +3859,7 @@ } }, { - "id": 3992573077, + "id": 4291685665, "definition": { "title": "AttachRolePolicy", "title_size": "16", 
@@ -3840,7 +3901,7 @@ } }, { - "id": 2795847456, + "id": 2401893401, "definition": { "type": "note", "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3859,7 +3920,7 @@ } }, { - "id": 1800680573, + "id": 3652879578, "definition": { "title": "SetDefaultPolicyVersion", "title_size": "16", @@ -3901,7 +3962,7 @@ } }, { - "id": 122946650, + "id": 2217025036, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3920,7 +3981,7 @@ } }, { - "id": 1275263415, + "id": 1320527565, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -3962,7 +4023,7 @@ } }, { - "id": 2844439662, + "id": 128062396, "definition": { "type": "note", "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", @@ -3981,7 +4042,7 @@ } }, { - "id": 3996756427, + "id": 3526532221, "definition": { "title": "CreateGroup", "title_size": "16", @@ -4023,7 +4084,7 @@ } }, { - "id": 3226325471, + "id": 3074591630, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4042,7 +4103,7 @@ } }, { - "id": 83674940, + "id": 2178094159, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -4084,7 +4145,7 @@ } }, { - "id": 3632991319, + "id": 3485725353, "definition": { "type": "note", "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4103,7 +4164,7 @@ } }, { - "id": 490340788, + "id": 2688566769, "definition": { "title": "DeleteRolePermissionsBoundary", "title_size": "16", @@ -4145,7 +4206,7 @@ } }, { - "id": 2092486700, + "id": 1941781999, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4164,7 +4225,7 @@ } }, { - "id": 3244803465, + "id": 1045284528, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4206,7 +4267,7 @@ } }, { - "id": 324173504, + "id": 2690268137, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -4225,7 +4286,7 @@ } }, { - "id": 1575829156, + "id": 1893109553, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -4267,7 +4328,7 @@ } }, { - "id": 3743345974, + "id": 364321416, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -4286,7 +4347,7 @@ } }, { - "id": 2748179091, + "id": 1615307593, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -4328,7 +4389,7 @@ } }, { - "id": 1386370371, + "id": 2382868047, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4347,7 +4408,7 @@ } }, { - "id": 2538687136, + "id": 3633854224, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -4389,7 +4450,7 @@ } }, { - "id": 2397887293, + "id": 878879657, "definition": { "type": "note", "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4408,7 +4469,7 @@ } }, { - "id": 1502059297, + "id": 81721073, "definition": { "title": "PutRolePolicy", "title_size": "16", @@ -4450,7 +4511,7 @@ } }, { - "id": 2391670859, + "id": 2046949308, "definition": { "type": "note", "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", @@ -4469,7 +4530,7 @@ } }, { - "id": 3543987624, + "id": 1249790724, "definition": { "title": "AddRoleToInstanceProfile", "title_size": "16", 
@@ -4511,7 +4572,7 @@ } }, { - "id": 3005978953, + "id": 418621141, "definition": { "type": "note", "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4530,7 +4591,7 @@ } }, { - "id": 4158295718, + "id": 3916429853, "definition": { "title": "AttachGroupPolicy", "title_size": "16", @@ -4572,7 +4633,7 @@ } }, { - "id": 2791793192, + "id": 2613734707, "definition": { "type": "note", "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4591,7 +4652,7 @@ } }, { - "id": 1796626309, + "id": 3964059771, "definition": { "title": "AssociateAccessPolicy", "title_size": "16", @@ -4633,7 +4694,7 @@ } }, { - "id": 81100443, + "id": 1408794526, "definition": { "type": "note", "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -4652,7 +4713,7 @@ } }, { - "id": 3480239743, + "id": 2659780703, "definition": { "title": "CreateAccessEntry", "title_size": "16", 
@@ -4694,10 +4755,10 @@ } }, { - "id": 789655559, + "id": 1095923573, "definition": { "type": "note", - "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n", + "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -4713,7 +4774,7 @@ } }, { - "id": 1941972324, + "id": 298764989, "definition": { "title": "ModifyInstanceAttribute", "title_size": "16", 
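Review bot: The only substantive edits to this dashboard — the new Unit 42 reference appended to the ModifyInstanceAttribute note in the hunk at @@ -4694, and the matching addition to the StopInstances note at @@ -7091 — are buried under a renumbering of every widget id in the file (e.g. `"id": 789655559` → `"id": 1095923573` here), which makes the diff nearly unreviewable and will also touch every widget on the next dashboard import. If the ids are produced by a generator, seeding them deterministically (for example from the event name and its group) or omitting them so the Datadog API assigns them would keep future diffs limited to real changes. The enclosing widget objects begin and end outside these hunks.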
@@ -4755,7 +4816,7 @@ } }, { - "id": 422947410, + "id": 1174376961, "definition": { "type": "note", "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -4774,7 +4835,7 @@ } }, { - "id": 1575264175, + "id": 277879490, "definition": { "title": "ReplaceIamInstanceProfileAssociation", "title_size": "16", @@ -4816,7 +4877,7 @@ } }, { - "id": 1329373299, + "id": 3663011709, "definition": { "type": "note", "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4835,7 +4896,7 @@ } }, { - "id": 2481690064, + "id": 2766514238, "definition": { "title": "CreateDevEndpoint", "title_size": "16", @@ -4877,7 +4938,7 @@ } }, { - "id": 2917725298, + "id": 1191496113, "definition": { "type": "note", "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4896,7 +4957,7 @@ } }, { - "id": 4070042063, + "id": 2541821177, "definition": { "title": "UpdateJob", "title_size": "16", 
@@ -4938,7 +4999,7 @@ } }, { - "id": 3556919903, + "id": 721514547, "definition": { "type": "note", "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4957,7 +5018,7 @@ } }, { - "id": 414269372, + "id": 4119984372, "definition": { "title": "CreateJob", "title_size": "16", @@ -4999,7 +5060,7 @@ } }, { - "id": 4281622123, + "id": 1749441289, "definition": { "type": "note", "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5018,7 +5079,7 @@ } }, { - "id": 1138971592, + "id": 852943818, "definition": { "title": "UpdateDevEndpoint", "title_size": "16", @@ -5069,7 +5130,7 @@ } }, { - "id": 1419859719, + "id": 451105512, "definition": { "type": "group", "layout_type": "ordered", @@ -5078,7 +5139,7 @@ "show_title": true, "widgets": [ { - "id": 3615433886, + "id": 3599067378, "definition": { "type": "note", "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", @@ -5097,7 +5158,7 @@ } }, { - "id": 472783355, + "id": 555086259, "definition": { "title": "LeaveOrganization", "title_size": "16", 
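Review bot: The LeaveOrganization note in the hunk at @@ -5078 links to `hhttps://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`, a malformed scheme that leaves the reference dead in the rendered widget. The line is unchanged context here and this dashboard looks generated, so the correction probably belongs in the event definition it is built from rather than in this JSON; the intended value is `https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/`.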
@@ -5139,7 +5200,7 @@ } }, { - "id": 138789732, + "id": 1000802182, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5158,7 +5219,7 @@ } }, { - "id": 1291106497, + "id": 104304711, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5200,7 +5261,7 @@ } }, { - "id": 3985876409, + "id": 2211101291, "definition": { "type": "note", "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n", @@ -5219,7 +5280,7 @@ } }, { - "id": 843225878, + "id": 3462087468, "definition": { "title": "DeleteAlarms", "title_size": "16", @@ -5261,7 +5322,7 @@ } }, { - "id": 1396748618, + "id": 3675344909, "definition": { "type": "note", "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5280,7 +5341,7 @@ } }, { - "id": 500920622, + "id": 2878186325, "definition": { "title": "DeleteLogGroup", "title_size": "16", 
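Review bot: The PutLogEvents note and timeseries widgets appear twice in this dashboard — in the hunks at @@ -5139 and @@ -5158 here, and again at @@ -5383 and @@ -5402 in the next hunks — and both copies receive the same new ids (`"id": 1000802182` and `"id": 104304711`), just as they shared the old ones. If Datadog requires widget ids to be unique within a dashboard, the duplicate may be rejected or silently renumbered on import. DetachUserPolicy is also listed twice (@@ -4328 and @@ -6115) but gets distinct ids, so the collision seems specific to how this pair is generated — worth confirming how the id is derived and folding the group into the seed, or omitting ids and letting the API assign them.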
@@ -5322,7 +5383,7 @@ } }, { - "id": 2956408489, + "id": 3488845796, "definition": { "type": "note", "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5341,7 +5402,7 @@ } }, { - "id": 1961241606, + "id": 444864677, "definition": { "title": "DeleteLogStream", "title_size": "16", @@ -5383,7 +5444,7 @@ } }, { - "id": 138789732, + "id": 1000802182, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5402,7 +5463,7 @@ } }, { - "id": 1291106497, + "id": 104304711, "definition": { "title": "PutLogEvents", "title_size": "16", @@ -5444,7 +5505,7 @@ } }, { - "id": 1636686788, + "id": 953648751, "definition": { "type": "note", "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5463,7 +5524,7 @@ } }, { - "id": 641519905, + "id": 2303973815, "definition": { "title": "CreateLogStream", "title_size": "16", 
@@ -5505,7 +5566,7 @@ } }, { - "id": 3226170033, + "id": 1145075169, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -5524,7 +5585,7 @@ } }, { - "id": 2231003150, + "id": 248577698, "definition": { "title": "DeleteRule", "title_size": "16", @@ -5566,7 +5627,7 @@ } }, { - "id": 832260164, + "id": 235544294, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -5585,7 +5646,7 @@ } }, { - "id": 2083915816, + "id": 1486530471, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -5627,7 +5688,7 @@ } }, { - "id": 228318563, + "id": 2882275028, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -5646,7 +5707,7 @@ } }, { - "id": 1380635328, + "id": 4232600092, "definition": { "title": "DisableRule", "title_size": "16", 
@@ -5688,7 +5749,7 @@ } }, { - "id": 3370810517, + "id": 2024893808, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -5707,7 +5768,7 @@ } }, { - "id": 2375643634, + "id": 3275879985, "definition": { "title": "PutRule", "title_size": "16", @@ -5749,7 +5810,7 @@ } }, { - "id": 1080338480, + "id": 2146705797, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -5768,7 +5829,7 @@ } }, { - "id": 2232655245, + "id": 1349547213, "definition": { "title": "CreateInstances", "title_size": "16", @@ -5810,7 +5871,7 @@ } }, { - "id": 4225812764, + "id": 3141459334, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -5829,7 +5890,7 @@ } }, { - "id": 1083162233, + "id": 2344300750, "definition": { "title": "DeleteMembers", "title_size": "16", 
@@ -5871,7 +5932,7 @@ } }, { - "id": 3472598685, + "id": 3081166491, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5890,7 +5951,7 @@ } }, { - "id": 329948154, + "id": 37185372, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -5932,7 +5993,7 @@ } }, { - "id": 3219731847, + "id": 3988359622, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5951,7 +6012,7 @@ } }, { - "id": 77081316, + "id": 3191201038, "definition": { "title": "DeleteUserPolicy", "title_size": "16", 
@@ -5993,7 +6054,7 @@ } }, { - "id": 3217013267, + "id": 3266556253, "definition": { "type": "note", "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6012,7 +6073,7 @@ } }, { - "id": 74362736, + "id": 2469397669, "definition": { "title": "DeleteAccessKey", "title_size": "16", @@ -6054,7 +6115,7 @@ } }, { - "id": 3197822741, + "id": 906666856, "definition": { "type": "note", "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6073,7 +6134,7 @@ } }, { - "id": 55172210, + "id": 2157653033, "definition": { "title": "DeleteUser", "title_size": "16", 
@@ -6115,7 +6176,7 @@ } }, { - "id": 1936640395, + "id": 3712812130, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6134,7 +6195,7 @@ } }, { - "id": 3088957160, + "id": 2816314659, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -6176,7 +6237,7 @@ } }, { - "id": 2622597357, + "id": 2577115472, "definition": { "type": "note", "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6195,7 +6256,7 @@ } }, { - "id": 1726769361, + "id": 3927440536, "definition": { "title": "DeleteLoginProfile", "title_size": "16", @@ -6237,7 +6298,7 @@ } }, { - "id": 4256292384, + "id": 1207995952, "definition": { "type": "note", "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", @@ -6256,7 +6317,7 @@ } }, { - "id": 3261125501, + "id": 2458982129, "definition": { "title": "DeactivateMFADevice", "title_size": "16", 
@@ -6298,7 +6359,7 @@ } }, { - "id": 1822364192, + "id": 944820825, "definition": { "type": "note", "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -6317,7 +6378,7 @@ } }, { - "id": 827197309, + "id": 48323354, "definition": { "title": "CreateRule", "title_size": "16", @@ -6359,7 +6420,7 @@ } }, { - "id": 3797635986, + "id": 3873333191, "definition": { "type": "note", "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -6378,7 +6439,7 @@ } }, { - "id": 654985455, + "id": 2976835720, "definition": { "title": "StopLogging", "title_size": "16", 
@@ -6420,7 +6481,7 @@ } }, { - "id": 760964452, + "id": 973914164, "definition": { "type": "note", "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6439,7 +6500,7 @@ } }, { - "id": 1913281217, + "id": 176755580, "definition": { "title": "UpdateTrail", "title_size": "16", @@ -6481,7 +6542,7 @@ } }, { - "id": 4156332028, + "id": 1520975350, "definition": { "type": "note", "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6500,7 +6561,7 @@ } }, { - "id": 3260504032, + "id": 624477879, "definition": { "title": "DeleteTrail", "title_size": "16", 
@@ -6542,7 +6603,7 @@ } }, { - "id": 3691107237, + "id": 2457597046, "definition": { "type": "note", "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -6561,7 +6622,7 @@ } }, { - "id": 2695940354, + "id": 1660438462, "definition": { "title": "PutEventSelectors", "title_size": "16", @@ -6603,7 +6664,7 @@ } }, { - "id": 605334753, + "id": 700451299, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6622,7 +6683,7 @@ } }, { - "id": 1757651518, + "id": 4098921124, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", @@ -6664,7 +6725,7 @@ } }, { - "id": 3286417381, + "id": 1821008924, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", 
@@ -6683,7 +6744,7 @@ } }, { - "id": 143766850, + "id": 924511453, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -6725,7 +6786,7 @@ } }, { - "id": 3160708586, + "id": 1551259120, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -6744,7 +6805,7 @@ } }, { - "id": 18058055, + "id": 654761649, "definition": { "title": "UpdateResolver", "title_size": "16", @@ -6786,7 +6847,7 @@ } }, { - "id": 1253847467, + "id": 3522343928, "definition": { "type": "note", "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", @@ -6805,7 +6866,7 @@ } }, { - "id": 2406164232, + "id": 2625846457, "definition": { "title": "DeleteBucketPolicy", "title_size": "16", @@ -6847,7 +6908,7 @@ } }, { - "id": 1220548357, + "id": 3394609593, "definition": { "type": "note", "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", 
@@ -6866,7 +6927,7 @@ } }, { - "id": 2372865122, + "id": 2498112122, "definition": { "title": "DeleteFlowLogs", "title_size": "16", @@ -6908,7 +6969,7 @@ } }, { - "id": 1616214649, + "id": 1605891909, "definition": { "type": "note", "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -6927,7 +6988,7 @@ } }, { - "id": 720386653, + "id": 808733325, "definition": { "title": "DeleteNetworkAcl", "title_size": "16", @@ -6969,7 +7030,7 @@ } }, { - "id": 3663303647, + "id": 1335732021, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -6988,7 +7049,7 @@ } }, { - "id": 520653116, + "id": 439234550, "definition": { "title": "TerminateInstances", "title_size": "16", 
@@ -7030,7 +7091,7 @@ } }, { - "id": 85484638, + "id": 3588964608, "definition": { "type": "note", "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7049,7 +7110,7 @@ } }, { - "id": 1237801403, + "id": 644322376, "definition": { "title": "DeleteNetworkAclEntry", "title_size": "16", @@ -7091,10 +7152,10 @@ } }, { - "id": 1329084293, + "id": 2397989545, "definition": { "type": "note", - "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
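Review bot: The rewritten StopInstances `content` string (hunk `@@ -7091,10 +7152,10 @@`) keeps `...black-hat/)\n**Related Research:**\n` with no blank line between the last "Related Incidents" bullet and the next heading, so a CommonMark-style renderer will treat `**Related Research:**` as a lazy continuation of that bullet rather than a new paragraph, depending on how the Datadog note widget renders Markdown. The same shape appears in the unchanged DeleteDetector, DisassociateFromMasterAccount, GetCallerIdentity and GetSMSAttributes notes further down, so this looks like a template issue in whatever produces this file rather than a one-off. Emitting `\n\n**Related Research:**\n` (a blank line before each section heading, as is already done before `**Related Incidents:**`) would fix all of them in one place. The enclosing widgets array starts and ends outside these hunks.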
@@ -7110,7 +7171,7 @@ } }, { - "id": 2481401058, + "id": 3648975722, "definition": { "title": "StopInstances", "title_size": "16", @@ -7152,7 +7213,7 @@ } }, { - "id": 1112093472, + "id": 2066824311, "definition": { "type": "note", "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -7171,7 +7232,7 @@ } }, { - "id": 116926589, + "id": 1170326840, "definition": { "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", @@ -7213,7 +7274,7 @@ } }, { - "id": 3917339320, + "id": 691446361, "definition": { "type": "note", "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", @@ -7232,7 +7293,7 @@ } }, { - "id": 774688789, + "id": 4089916186, "definition": { "title": "ModifyActivityStream", "title_size": "16", 
@@ -7274,7 +7335,7 @@ } }, { - "id": 3667336123, + "id": 1131935934, "definition": { "type": "note", "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -7293,7 +7354,7 @@ } }, { - "id": 2771508127, + "id": 235438463, "definition": { "title": "DeleteIdentity", "title_size": "16", @@ -7335,7 +7396,7 @@ } }, { - "id": 1659659058, + "id": 2632151139, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7354,7 +7415,7 @@ } }, { - "id": 664492175, + "id": 1735653668, "definition": { "title": "UpdateIPSet", "title_size": "16", @@ -7396,7 +7457,7 @@ } }, { - "id": 3107456459, + "id": 2950858544, "definition": { "type": "note", "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -7415,7 +7476,7 @@ } }, { - "id": 4259773224, + "id": 4201844721, "definition": { "title": "DeleteInvitations", "title_size": "16", 
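Review bot: The regenerated ids for the GuardDuty UpdateIPSet note and query widgets (`+ "id": 2632151139,` and `+ "id": 1735653668,` in hunks `@@ -7335` and `@@ -7354`) are identical to the ids assigned to the WAFV2 UpdateIPSet widgets in hunks `@@ -8311` and `@@ -8330`, and the old ids 1659659058 / 664492175 collided the same way, so the generator appears to derive widget ids from the event name alone rather than from service plus event name. If the dashboard API honors ids on import or update, duplicate ids within one dashboard may make one widget silently replace the other, so this is presumably worth fixing even though the ids are otherwise arbitrary. Seeding the id from the combined `Service-EventName` key that the traildiscover anchor already uses (e.g. `GuardDuty-UpdateIPSet` vs `WAFV2-UpdateIPSet`) and adding a uniqueness check on `id` to the script that produces docs/datadog_dashboard.json would prevent the collision. The enclosing widgets array starts and ends outside these hunks.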
@@ -7457,7 +7518,7 @@ } }, { - "id": 3348331096, + "id": 4219024324, "definition": { "type": "note", "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7476,7 +7537,7 @@ } }, { - "id": 205680565, + "id": 1175043205, "definition": { "title": "UpdateDetector", "title_size": "16", @@ -7518,7 +7579,7 @@ } }, { - "id": 3966179776, + "id": 3342185937, "definition": { "type": "note", "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -7537,7 +7598,7 @@ } }, { - "id": 823529245, + "id": 298204818, "definition": { "title": "DeleteDetector", "title_size": "16", @@ -7579,7 +7640,7 @@ } }, { - "id": 3099131540, + "id": 3704162379, "definition": { "type": "note", "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", 
@@ -7598,7 +7659,7 @@ } }, { - "id": 55819896, + "id": 2907003795, "definition": { "title": "DeletePublishingDestination", "title_size": "16", @@ -7640,7 +7701,7 @@ } }, { - "id": 2180186887, + "id": 2755555653, "definition": { "type": "note", "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -7659,7 +7720,7 @@ } }, { - "id": 1185020004, + "id": 1859058182, "definition": { "title": "DisassociateMembers", "title_size": "16", @@ -7701,7 +7762,7 @@ } }, { - "id": 4129584718, + "id": 3951473060, "definition": { "type": "note", "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -7720,7 +7781,7 @@ } }, { - "id": 3134417835, + "id": 3054975589, "definition": { "title": "DisassociateFromMasterAccount", "title_size": "16", @@ -7762,7 +7823,7 @@ } }, { - "id": 3028066159, + "id": 4129137026, "definition": { "type": "note", "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", 
@@ -7781,7 +7842,7 @@ } }, { - "id": 4180382924, + "id": 3232639555, "definition": { "title": "StopMonitoringMembers", "title_size": "16", @@ -7823,7 +7884,7 @@ } }, { - "id": 1723025343, + "id": 3701284337, "definition": { "type": "note", "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7842,7 +7903,7 @@ } }, { - "id": 727858460, + "id": 657303218, "definition": { "title": "CreateIPSet", "title_size": "16", @@ -7884,7 +7945,7 @@ } }, { - "id": 2472785033, + "id": 2331921959, "definition": { "type": "note", "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7903,7 +7964,7 @@ } }, { - "id": 1477618150, + "id": 1435424488, "definition": { "title": "CreateFilter", "title_size": "16", @@ -7945,7 +8006,7 @@ } }, { - "id": 4225812764, + "id": 3141459334, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -7964,7 +8025,7 @@ } }, { - "id": 1083162233, + "id": 2344300750, "definition": { "title": "DeleteMembers", "title_size": "16", 
@@ -8006,7 +8067,7 @@ } }, { - "id": 3176498380, + "id": 2329752639, "definition": { "type": "note", "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8025,7 +8086,7 @@ } }, { - "id": 2280670384, + "id": 1433255168, "definition": { "title": "DeleteConfigurationRecorder", "title_size": "16", @@ -8067,7 +8128,7 @@ } }, { - "id": 1603011318, + "id": 3276191920, "definition": { "type": "note", "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8086,7 +8147,7 @@ } }, { - "id": 2755328083, + "id": 2379694449, "definition": { "title": "DeleteDeliveryChannel", "title_size": "16", 
@@ -8128,7 +8189,7 @@ } }, { - "id": 2139801981, + "id": 3231226590, "definition": { "type": "note", "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8147,7 +8208,7 @@ } }, { - "id": 3292118746, + "id": 2334729119, "definition": { "title": "StopConfigurationRecorder", "title_size": "16", @@ -8189,7 +8250,7 @@ } }, { - "id": 254748162, + "id": 3056072165, "definition": { "type": "note", "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8208,7 +8269,7 @@ } }, { - "id": 1407064927, + "id": 12091046, "definition": { "title": "DeleteConfigRule", "title_size": "16", 
@@ -8250,7 +8311,7 @@ } }, { - "id": 1964279299, + "id": 416662789, "definition": { "type": "note", "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8269,7 +8330,7 @@ } }, { - "id": 3116596064, + "id": 3815132614, "definition": { "title": "DeleteRuleGroup", "title_size": "16", @@ -8311,7 +8372,7 @@ } }, { - "id": 1659659058, + "id": 2632151139, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8330,7 +8391,7 @@ } }, { - "id": 664492175, + "id": 1735653668, "definition": { "title": "UpdateIPSet", "title_size": "16", @@ -8372,7 +8433,7 @@ } }, { - "id": 3458730973, + "id": 2184422100, "definition": { "type": "note", "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8391,7 +8452,7 @@ } }, { - "id": 2463564090, + "id": 1287924629, "definition": { "title": "DeleteWebACL", "title_size": "16", @@ -8442,7 +8503,7 @@ } }, { - "id": 2255177241, + "id": 2119893646, "definition": { "type": "group", "layout_type": "ordered", 
@@ -8451,7 +8512,7 @@ "show_title": true, "widgets": [ { - "id": 4139293494, + "id": 4289833058, "definition": { "type": "note", "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -8470,7 +8531,7 @@ } }, { - "id": 996642963, + "id": 1345190826, "definition": { "title": "GetSecretValue", "title_size": "16", @@ -8512,7 +8573,7 @@ } }, { - "id": 3270553457, + "id": 778128748, "definition": { "type": "note", "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -8531,7 +8592,7 @@ } }, { - "id": 227241813, + "id": 2029114925, "definition": { "title": "DescribeSecret", "title_size": "16", 
@@ -8573,10 +8634,10 @@ } }, { - "id": 3126797330, + "id": 3896099814, "definition": { "type": "note", - "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -8592,7 +8653,7 @@ } }, { - "id": 4279114095, + "id": 852118695, "definition": { "title": "ListSecrets", "title_size": "16", 
@@ -8634,7 +8695,7 @@ } }, { - "id": 3987651574, + "id": 769701111, "definition": { "type": "note", "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -8653,7 +8714,7 @@ } }, { - "id": 3091823578, + "id": 4168170936, "definition": { "title": "GetPasswordData", "title_size": "16", @@ -8695,7 +8756,7 @@ } }, { - "id": 1823367419, + "id": 2917714153, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -8714,7 +8775,7 @@ } }, { - "id": 2975684184, + "id": 4268039217, "definition": { "title": "GetParameters", "title_size": "16", @@ -8765,7 +8826,7 @@ } }, { - "id": 2809353276, + "id": 3339707903, "definition": { "type": "group", "layout_type": "ordered", 
@@ -8774,7 +8835,7 @@ "show_title": true, "widgets": [ { - "id": 1574419485, + "id": 2166760335, "definition": { "type": "note", "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -8793,7 +8854,7 @@ } }, { - "id": 2726736250, + "id": 3417746512, "definition": { "title": "ListDomains", "title_size": "16", @@ -8835,7 +8896,7 @@ } }, { - "id": 1497110209, + "id": 1103695674, "definition": { "type": "note", "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -8854,7 +8915,7 @@ } }, { - "id": 2748765861, + "id": 207198203, "definition": { "title": "GetHostedZoneCount", "title_size": "16", @@ -8896,7 +8957,7 @@ } }, { - "id": 2499610890, + "id": 620441155, "definition": { "type": "note", "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", 
@@ -8915,7 +8976,7 @@ } }, { - "id": 3651927655, + "id": 1970766219, "definition": { "title": "DescribeOrganization", "title_size": "16", @@ -8957,7 +9018,7 @@ } }, { - "id": 1083277918, + "id": 2225317205, "definition": { "type": "note", "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -8976,7 +9037,7 @@ } }, { - "id": 2235594683, + "id": 3476303382, "definition": { "title": "ListOrganizationalUnitsForParent", "title_size": "16", @@ -9018,7 +9079,7 @@ } }, { - "id": 3934788164, + "id": 2371447929, "definition": { "type": "note", "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9037,7 +9098,7 @@ } }, { - "id": 792137633, + "id": 3721772993, "definition": { "title": "ListAccounts", "title_size": "16", 
@@ -9079,7 +9140,7 @@ } }, { - "id": 977932852, + "id": 3720591129, "definition": { "type": "note", "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n", @@ -9098,7 +9159,7 @@ } }, { - "id": 4277733265, + "id": 2824093658, "definition": { "title": "GetCallerIdentity", "title_size": "16", 
@@ -9140,7 +9201,7 @@ } }, { - "id": 2194008888, + "id": 390036627, "definition": { "type": "note", "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9159,7 +9220,7 @@ } }, { - "id": 3346325653, + "id": 1740361691, "definition": { "title": "ListTopics", "title_size": "16", @@ -9201,7 +9262,7 @@ } }, { - "id": 2118806723, + "id": 875045655, "definition": { "type": "note", "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9220,7 +9281,7 @@ } }, { - "id": 3271123488, + "id": 4273515480, "definition": { "title": "ListSubscriptions", "title_size": "16", @@ -9262,7 +9323,7 @@ } }, { - "id": 1659617102, + "id": 2712495972, "definition": { "type": "note", "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9281,7 +9342,7 @@ } }, { - "id": 2811933867, + "id": 3963482149, "definition": { "title": "ListOriginationNumbers", "title_size": "16", 
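Review bot: The ListSubscriptions note (hunk `@@ -9201,7 +9262,7 @@`) carries the description `Lists the calling AWS account's dedicated origination numbers and their metadata.`, which is the same text as the ListOriginationNumbers note in the following hunk, so the description was evidently copied from the wrong event; it is a context line, so this commit does not introduce it, but the regenerated file still ships it. The SNS ListSubscriptions API returns the caller's subscriptions, so the note should read along the lines of `**Description:** Returns a list of the requester's subscriptions.`. Since this dashboard looks generated from the events/ data, the fix presumably belongs in the corresponding SNS ListSubscriptions event entry rather than in this JSON directly. The enclosing widgets array starts and ends outside these hunks.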
@@ -9323,7 +9384,7 @@ } }, { - "id": 3008754088, + "id": 2191299201, "definition": { "type": "note", "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9342,7 +9403,7 @@ } }, { - "id": 2112926092, + "id": 3442285378, "definition": { "title": "GetSMSAttributes", "title_size": "16", @@ -9384,7 +9445,7 @@ } }, { - "id": 532827574, + "id": 116899444, "definition": { "type": "note", "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9403,7 +9464,7 @@ } }, { - "id": 1685144339, + "id": 1467224508, "definition": { "title": "GetSMSSandboxAccountStatus", "title_size": "16", 
@@ -9445,7 +9506,7 @@ } }, { - "id": 1670193951, + "id": 172713557, "definition": { "type": "note", "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9464,7 +9525,7 @@ } }, { - "id": 2822510716, + "id": 1423699734, "definition": { "title": "IssueCertificate", "title_size": "16", @@ -9506,7 +9567,7 @@ } }, { - "id": 65642924, + "id": 2317017543, "definition": { "type": "note", "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -9525,7 +9586,7 @@ } }, { - "id": 3365443337, + "id": 3568003720, "definition": { "title": "GetCertificate", "title_size": "16", @@ -9567,7 +9628,7 @@ } }, { - "id": 2341870513, + "id": 3971786134, "definition": { "type": "note", "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9586,7 +9647,7 @@ } }, { - "id": 3494187278, + "id": 1027143902, "definition": { "title": "DescribeLogGroups", "title_size": "16", 
@@ -9628,7 +9689,7 @@ } }, { - "id": 2772076345, + "id": 4141695623, "definition": { "type": "note", "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9647,7 +9708,7 @@ } }, { - "id": 3924393110, + "id": 3245198152, "definition": { "title": "DescribeSubscriptionFilters", "title_size": "16", @@ -9689,7 +9750,7 @@ } }, { - "id": 1275363037, + "id": 1236414765, "definition": { "type": "note", "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9708,7 +9769,7 @@ } }, { - "id": 2427679802, + "id": 2586739829, "definition": { "title": "DescribeLogStreams", "title_size": "16", @@ -9750,7 +9811,7 @@ } }, { - "id": 4058738414, + "id": 1805975682, "definition": { "type": "note", "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9769,7 +9830,7 @@ } }, { - "id": 916087883, + "id": 3056961859, "definition": { "title": "GetLogRecord", "title_size": "16", 
@@ -9811,7 +9872,7 @@ } }, { - "id": 4108240915, + "id": 3004926268, "definition": { "type": "note", "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9830,7 +9891,7 @@ } }, { - "id": 3113074032, + "id": 60284036, "definition": { "title": "GetQueryResults", "title_size": "16", @@ -9872,7 +9933,7 @@ } }, { - "id": 1943636581, + "id": 2078260762, "definition": { "type": "note", "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -9891,7 +9952,7 @@ } }, { - "id": 948469698, + "id": 3329246939, "definition": { "title": "ListTargetsByRule", "title_size": "16", @@ -9933,7 +9994,7 @@ } }, { - "id": 3729853872, + "id": 3790587870, "definition": { "type": "note", "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -9952,7 +10013,7 @@ } }, { - "id": 587203341, + "id": 746606751, "definition": { "title": "ListRules", "title_size": "16", 
@@ -9994,7 +10055,7 @@ } }, { - "id": 2846329407, + "id": 2981294360, "definition": { "type": "note", "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10013,7 +10074,7 @@ } }, { - "id": 3998646172, + "id": 4232280537, "definition": { "title": "GetInstances", "title_size": "16", @@ -10055,7 +10116,7 @@ } }, { - "id": 1624898930, + "id": 3836392548, "definition": { "type": "note", "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10074,7 +10135,7 @@ } }, { - "id": 2777215695, + "id": 2939895077, "definition": { "title": "GetRegions", "title_size": "16", @@ -10116,7 +10177,7 @@ } }, { - "id": 711261372, + "id": 2226430374, "definition": { "type": "note", "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -10135,7 +10196,7 @@ } }, { - "id": 4011061785, + "id": 1329932903, "definition": { "title": "GetCostAndUsage", "title_size": "16", 
@@ -10177,7 +10238,7 @@ } }, { - "id": 148513238, + "id": 1238084299, "definition": { "type": "note", "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10196,7 +10257,7 @@ } }, { - "id": 3448313651, + "id": 341586828, "definition": { "title": "ListGroupsForUser", "title_size": "16", @@ -10238,7 +10299,7 @@ } }, { - "id": 4160400719, + "id": 3840848699, "definition": { "type": "note", "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n", @@ -10257,7 +10318,7 @@ } }, { - "id": 1017750188, + "id": 796867580, "definition": { "title": "ListAccessKeys", "title_size": "16", @@ -10299,7 +10360,7 @@ } }, { - "id": 4283555985, + "id": 1763058883, "definition": { "type": "note", "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10318,7 +10379,7 @@ } }, { - "id": 3288389102, + "id": 866561412, "definition": { "title": "SimulatePrincipalPolicy", "title_size": "16", 
@@ -10360,7 +10421,7 @@ } }, { - "id": 2500683915, + "id": 1756221725, "definition": { "type": "note", "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10379,7 +10440,7 @@ } }, { - "id": 3653000680, + "id": 859724254, "definition": { "title": "GetAccountAuthorizationDetails", "title_size": "16", @@ -10421,7 +10482,7 @@ } }, { - "id": 1517898140, + "id": 2239982274, "definition": { "type": "note", "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", @@ -10440,7 +10501,7 @@ } }, { - "id": 2670214905, + "id": 3490968451, "definition": { "title": "ListGroups", "title_size": "16", 
@@ -10482,7 +10543,7 @@ } }, { - "id": 541547302, + "id": 585522248, "definition": { "type": "note", "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10501,7 +10562,7 @@ } }, { - "id": 1693864067, + "id": 1836508425, "definition": { "title": "ListUsers", "title_size": "16", @@ -10543,7 +10604,7 @@ } }, { - "id": 1877880964, + "id": 1151269100, "definition": { "type": "note", "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", 
@@ -10562,7 +10623,7 @@ } }, { - "id": 3129536616, + "id": 2402255277, "definition": { "title": "ListRoles", "title_size": "16", @@ -10604,7 +10665,7 @@ } }, { - "id": 1896408385, + "id": 1583049918, "definition": { "type": "note", "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10623,7 +10684,7 @@ } }, { - "id": 3048725150, + "id": 2834036095, "definition": { "title": "ListSAMLProviders", "title_size": "16", @@ -10665,10 +10726,10 @@ } }, { - "id": 1121978303, + "id": 1995955526, "definition": { "type": "note", - "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n", + "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10684,7 +10745,7 @@ } }, { - "id": 2274295068, + "id": 1198796942, "definition": { "title": "GetUser", "title_size": "16", 
@@ -10726,7 +10787,7 @@ } }, { - "id": 222446345, + "id": 3078441750, "definition": { "type": "note", "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10745,7 +10806,7 @@ } }, { - "id": 1374763110, + "id": 2181944279, "definition": { "title": "ListAttachedRolePolicies", "title_size": "16", @@ -10787,7 +10848,7 @@ } }, { - "id": 2563369332, + "id": 1073597487, "definition": { "type": "note", "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10806,7 +10867,7 @@ } }, { - "id": 1568202449, + "id": 177100016, "definition": { "title": "ListServiceSpecificCredentials", "title_size": "16", @@ -10848,7 +10909,7 @@ } }, { - "id": 3965761915, + "id": 1033038014, "definition": { "type": "note", "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10867,7 +10928,7 @@ } }, { - "id": 2970595032, + "id": 2284024191, "definition": { "title": "ListRolePolicies", "title_size": "16", 
@@ -10909,7 +10970,7 @@ } }, { - "id": 3664143556, + "id": 2323391907, "definition": { "type": "note", "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -10928,7 +10989,7 @@ } }, { - "id": 521493025, + "id": 3574378084, "definition": { "title": "ListSigningCertificates", "title_size": "16", @@ -10970,7 +11031,7 @@ } }, { - "id": 2669272389, + "id": 505865206, "definition": { "type": "note", "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10989,7 +11050,7 @@ } }, { - "id": 3821589154, + "id": 1856190270, "definition": { "title": "ListInstanceProfiles", "title_size": "16", @@ -11031,7 +11092,7 @@ } }, { - "id": 2778268874, + "id": 3125349314, "definition": { "type": "note", "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11050,7 +11111,7 @@ } }, { - "id": 3930585639, + "id": 2228851843, "definition": { "title": "ListSSHPublicKeys", "title_size": "16", 
@@ -11092,7 +11153,7 @@ } }, { - "id": 3343780166, + "id": 2997432385, "definition": { "type": "note", "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11111,7 +11172,7 @@ } }, { - "id": 201129635, + "id": 2100934914, "definition": { "title": "ListOpenIDConnectProviders", "title_size": "16", @@ -11153,7 +11214,7 @@ } }, { - "id": 158484250, + "id": 940481350, "definition": { "type": "note", "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11172,7 +11233,7 @@ } }, { - "id": 1310801015, + "id": 43983879, "definition": { "title": "GetLoginProfile", "title_size": "16", @@ -11214,7 +11275,7 @@ } }, { - "id": 3854606886, + "id": 3879727335, "definition": { "type": "note", "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11233,7 +11294,7 @@ } }, { - "id": 2859440003, + "id": 2983229864, "definition": { "title": "DescribeLoadBalancers", "title_size": "16", 
@@ -11275,7 +11336,7 @@ } }, { - "id": 3615225178, + "id": 452359856, "definition": { "type": "note", "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -11294,7 +11355,7 @@ } }, { - "id": 472574647, + "id": 1703346033, "definition": { "title": "DescribeListeners", "title_size": "16", @@ -11336,7 +11397,7 @@ } }, { - "id": 3030818489, + "id": 1440622466, "definition": { "type": "note", "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11355,7 +11416,7 @@ } }, { - "id": 4282474141, + "id": 2691608643, "definition": { "title": "ListAssociatedAccessPolicies", "title_size": "16", @@ -11397,7 +11458,7 @@ } }, { - "id": 35150401, + "id": 748624162, "definition": { "type": "note", "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11416,7 +11477,7 @@ } }, { - "id": 1187467166, + "id": 1999610339, "definition": { "title": "ListClusters", "title_size": "16", 
@@ -11458,7 +11519,7 @@ } }, { - "id": 3749222947, + "id": 1913972320, "definition": { "type": "note", "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11477,7 +11538,7 @@ } }, { - "id": 606572416, + "id": 3264297384, "definition": { "title": "DescribeAccessEntry", "title_size": "16", @@ -11519,7 +11580,7 @@ } }, { - "id": 3423652015, + "id": 2962882972, "definition": { "type": "note", "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -11538,7 +11599,7 @@ } }, { - "id": 281001484, + "id": 2066385501, "definition": { "title": "DescribeCluster", "title_size": "16", @@ -11580,7 +11641,7 @@ } }, { - "id": 3055678531, + "id": 3655930893, "definition": { "type": "note", "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -11599,7 +11660,7 @@ } }, { - "id": 4207995296, + "id": 2759433422, "definition": { "title": "Search", "title_size": "16", 
@@ -11641,7 +11702,7 @@ } }, { - "id": 4276413408, + "id": 3956939809, "definition": { "type": "note", "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -11660,7 +11721,7 @@ } }, { - "id": 1233101764, + "id": 3159781225, "definition": { "title": "LookupEvents", "title_size": "16", @@ -11702,7 +11763,7 @@ } }, { - "id": 2101882562, + "id": 2062015313, "definition": { "type": "note", "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -11721,7 +11782,7 @@ } }, { - "id": 1206054566, + "id": 3412340377, "definition": { "title": "GetIntrospectionSchema", "title_size": "16", @@ -11763,7 +11824,7 @@ } }, { - "id": 1644299184, + "id": 977037714, "definition": { "type": "note", "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11782,7 +11843,7 @@ } }, { - "id": 649132301, + "id": 80540243, "definition": { "title": "GetBucketVersioning", "title_size": "16", 
@@ -11824,7 +11885,7 @@ } }, { - "id": 2867622739, + "id": 2723088777, "definition": { "type": "note", "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11843,7 +11904,7 @@ } }, { - "id": 4019939504, + "id": 3974074954, "definition": { "title": "GetBucketLogging", "title_size": "16", @@ -11885,7 +11946,7 @@ } }, { - "id": 516023662, + "id": 2834770088, "definition": { "type": "note", "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -11904,7 +11965,7 @@ } }, { - "id": 1668340427, + "id": 4085756265, "definition": { "title": "GetBucketPolicy", "title_size": "16", 
@@ -11946,10 +12007,10 @@ } }, { - "id": 3989991665, + "id": 1453453823, "definition": { "type": "note", - "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the 
cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11965,7 +12026,7 @@ } }, { - "id": 847341134, + "id": 556956352, "definition": { "title": "ListBuckets", "title_size": "16", 
@@ -12007,7 +12068,7 @@ } }, { - "id": 4013131947, + "id": 3689558247, "definition": { "type": "note", "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -12026,7 +12087,7 @@ } }, { - "id": 870481416, + "id": 2892399663, "definition": { "title": "GetBucketReplication", "title_size": "16", @@ -12068,7 +12129,7 @@ } }, { - "id": 673297245, + "id": 1503565511, "definition": { "type": "note", "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", @@ -12087,7 +12148,7 @@ } }, { - "id": 1825614010, + "id": 607068040, "definition": { "title": "GetBucketAcl", "title_size": "16", @@ -12129,7 +12190,7 @@ } }, { - "id": 1730397231, + "id": 4247324509, "definition": { "type": "note", "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", 
@@ -12148,7 +12209,7 @@ } }, { - "id": 2882713996, + "id": 3350827038, "definition": { "title": "HeadObject", "title_size": "16", @@ -12190,10 +12251,10 @@ } }, { - "id": 1813076601, + "id": 2932175251, "definition": { "type": "note", - "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", + "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12209,7 +12270,7 @@ } }, { - "id": 2965393366, + "id": 4183161428, "definition": { "title": "ListVaults", "title_size": "16", @@ -12251,7 +12312,7 @@ } }, { - "id": 3419831742, + "id": 509343099, "definition": { "type": "note", "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", 
@@ -12270,7 +12331,7 @@ } }, { - "id": 2424664859, + "id": 4007151811, "definition": { "title": "GetPublicAccessBlock", "title_size": "16", @@ -12312,7 +12373,7 @@ } }, { - "id": 1767324024, + "id": 2235686895, "definition": { "type": "note", "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -12331,7 +12392,7 @@ } }, { - "id": 871496028, + "id": 3586011959, "definition": { "title": "GetBucketTagging", "title_size": "16", 
@@ -12373,10 +12434,10 @@ } }, { - "id": 2578939188, + "id": 3016782802, "definition": { "type": "note", - "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12392,7 +12453,7 @@ } }, { - "id": 3731255953, + "id": 4267768979, "definition": { "title": "ListObjects", "title_size": "16", 
@@ -12434,7 +12495,7 @@
 }
 },
 {
- "id": 804860995,
+ "id": 1373183296,
 "definition": {
 "type": "note",
 "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12453,7 +12514,7 @@
 }
 },
 {
- "id": 1957177760,
+ "id": 576024712,
 "definition": {
 "title": "InvokeModel",
 "title_size": "16",
@@ -12495,7 +12556,7 @@
 }
 },
 {
- "id": 241152572,
+ "id": 1849728252,
 "definition": {
 "type": "note",
 "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12514,7 +12575,7 @@
 }
 },
 {
- "id": 1393469337,
+ "id": 3100714429,
 "definition": {
 "title": "GetUseCaseForModelAccess",
 "title_size": "16",
@@ -12556,7 +12617,7 @@
 }
 },
 {
- "id": 4229982919,
+ "id": 468681246,
 "definition": {
 "type": "note",
 "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12575,7 +12636,7 @@
 }
 },
 {
- "id": 3234816036,
+ "id": 3867151071,
 "definition": {
 "title": "ListProvisionedModelThroughputs",
 "title_size": "16",
@@ -12617,7 +12678,7 @@
 }
 },
 {
- "id": 3824159325,
+ "id": 805408665,
 "definition": {
 "type": "note",
 "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12636,7 +12697,7 @@
 }
 },
 {
- "id": 681508794,
+ "id": 4203878490,
 "definition": {
 "title": "GetFoundationModelAvailability",
 "title_size": "16",
@@ -12678,7 +12739,7 @@
 }
 },
 {
- "id": 3523230495,
+ "id": 476984695,
 "definition": {
 "type": "note",
 "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12697,7 +12758,7 @@
 }
 },
 {
- "id": 2528063612,
+ "id": 1827309759,
 "definition": {
 "title": "ListFoundationModels",
 "title_size": "16",
@@ -12739,7 +12800,7 @@
 }
 },
 {
- "id": 399206512,
+ "id": 1508160524,
 "definition": {
 "type": "note",
 "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
@@ -12758,7 +12819,7 @@
 }
 },
 {
- "id": 3699006925,
+ "id": 2759146701,
 "definition": {
 "title": "ListFoundationModelAgreementOffers",
 "title_size": "16",
@@ -12800,7 +12861,7 @@
 }
 },
 {
- "id": 959991228,
+ "id": 3119397726,
 "definition": {
 "type": "note",
 "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n",
@@ -12819,7 +12880,7 @@
 }
 },
 {
- "id": 2112307993,
+ "id": 2322239142,
 "definition": {
 "title": "GetModelInvocationLoggingConfiguration",
 "title_size": "16",
@@ -12861,7 +12922,7 @@
 }
 },
 {
- "id": 2920920314,
+ "id": 243160157,
 "definition": {
 "type": "note",
 "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -12880,7 +12941,7 @@
 }
 },
 {
- "id": 4073237079,
+ "id": 1494146334,
 "definition": {
 "title": "GetConsoleScreenshot",
 "title_size": "16",
@@ -12922,7 +12983,7 @@
 }
 },
 {
- "id": 1039014705,
+ "id": 2383734567,
 "definition": {
 "type": "note",
 "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -12941,7 +13002,7 @@
 }
 },
 {
- "id": 2290670357,
+ "id": 1487237096,
 "definition": {
 "title": "DescribeSnapshotTierStatus",
 "title_size": "16",
@@ -12983,7 +13044,7 @@
 }
 },
 {
- "id": 1996783841,
+ "id": 271560324,
 "definition": {
 "type": "note",
 "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13002,7 +13063,7 @@
 }
 },
 {
- "id": 3149100606,
+ "id": 1621885388,
 "definition": {
 "title": "DescribeImages",
 "title_size": "16",
@@ -13044,7 +13105,7 @@
 }
 },
 {
- "id": 3454559687,
+ "id": 3942992307,
 "definition": {
 "type": "note",
 "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13063,7 +13124,7 @@
 }
 },
 {
- "id": 2459392804,
+ "id": 3046494836,
 "definition": {
 "title": "GetEbsDefaultKmsKeyId",
 "title_size": "16",
@@ -13105,7 +13166,7 @@
 }
 },
 {
- "id": 2777796249,
+ "id": 1805108174,
 "definition": {
 "type": "note",
 "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13124,7 +13185,7 @@
 }
 },
 {
- "id": 1782629366,
+ "id": 908610703,
 "definition": {
 "title": "DescribeAvailabilityZones",
 "title_size": "16",
@@ -13166,7 +13227,7 @@
 }
 },
 {
- "id": 1968811106,
+ "id": 2722185596,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
@@ -13185,7 +13246,7 @@
 }
 },
 {
- "id": 973644223,
+ "id": 4072510660,
 "definition": {
 "title": "DescribeInstances",
 "title_size": "16",
@@ -13227,7 +13288,7 @@
 }
 },
 {
- "id": 1027571976,
+ "id": 1083224209,
 "definition": {
 "type": "note",
 "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13246,7 +13307,7 @@
 }
 },
 {
- "id": 32405093,
+ "id": 2433549273,
 "definition": {
 "title": "GetTransitGatewayRouteTableAssociations",
 "title_size": "16",
@@ -13288,7 +13349,7 @@
 }
 },
 {
- "id": 1614564929,
+ "id": 920256565,
 "definition": {
 "type": "note",
 "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13307,7 +13368,7 @@
 }
 },
 {
- "id": 2866220581,
+ "id": 23759094,
 "definition": {
 "title": "GetLaunchTemplateData",
 "title_size": "16",
@@ -13349,7 +13410,7 @@
 }
 },
 {
- "id": 2052873,
+ "id": 3047543624,
 "definition": {
 "type": "note",
 "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n",
@@ -13368,7 +13429,7 @@
 }
 },
 {
- "id": 1154369638,
+ "id": 2151046153,
 "definition": {
 "title": "DescribeKeyPairs",
 "title_size": "16",
@@ -13410,7 +13471,7 @@
 }
 },
 {
- "id": 920937750,
+ "id": 509755626,
 "definition": {
 "type": "note",
 "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13429,7 +13490,7 @@
 }
 },
 {
- "id": 2073254515,
+ "id": 3908225451,
 "definition": {
 "title": "GetEbsEncryptionByDefault",
 "title_size": "16",
@@ -13471,7 +13532,7 @@
 }
 },
 {
- "id": 418809083,
+ "id": 1451529101,
 "definition": {
 "type": "note",
 "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13490,7 +13551,7 @@
 }
 },
 {
- "id": 1571125848,
+ "id": 654370517,
 "definition": {
 "title": "DescribeCarrierGateways",
 "title_size": "16",
@@ -13532,7 +13593,7 @@
 }
 },
 {
- "id": 1297829153,
+ "id": 1571792984,
 "definition": {
 "type": "note",
 "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13551,7 +13612,7 @@
 }
 },
 {
- "id": 2450145918,
+ "id": 675295513,
 "definition": {
 "title": "GetFlowLogsIntegrationTemplate",
 "title_size": "16",
@@ -13593,7 +13654,7 @@
 }
 },
 {
- "id": 794227152,
+ "id": 1873188405,
 "definition": {
 "type": "note",
 "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13612,7 +13673,7 @@
 }
 },
 {
- "id": 2045882804,
+ "id": 3223513469,
 "definition": {
 "title": "DescribeTransitGatewayMulticastDomains",
 "title_size": "16",
@@ -13654,7 +13715,7 @@
 }
 },
 {
- "id": 2937204831,
+ "id": 3011918395,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13673,7 +13734,7 @@
 }
 },
 {
- "id": 1942037948,
+ "id": 2214759811,
 "definition": {
 "title": "DescribeInstanceAttribute",
 "title_size": "16",
@@ -13715,7 +13776,7 @@
 }
 },
 {
- "id": 1214234100,
+ "id": 372977278,
 "definition": {
 "type": "note",
 "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13734,7 +13795,7 @@
 }
 },
 {
- "id": 2366550865,
+ "id": 3771447103,
 "definition": {
 "title": "DescribeDhcpOptions",
 "title_size": "16",
@@ -13776,7 +13837,7 @@
 }
 },
 {
- "id": 3482928187,
+ "id": 2692824372,
 "definition": {
 "type": "note",
 "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13795,7 +13856,7 @@
 }
 },
 {
- "id": 439616543,
+ "id": 3943810549,
 "definition": {
 "title": "DescribeVpcEndpointConnectionNotifications",
 "title_size": "16",
@@ -13837,7 +13898,7 @@
 }
 },
 {
- "id": 3701424289,
+ "id": 2069704131,
 "definition": {
 "type": "note",
 "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13856,7 +13917,7 @@
 }
 },
 {
- "id": 558773758,
+ "id": 3320690308,
 "definition": {
 "title": "DescribeFlowLogs",
 "title_size": "16",
@@ -13898,7 +13959,7 @@
 }
 },
 {
- "id": 4293797841,
+ "id": 3241675597,
 "definition": {
 "type": "note",
 "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13917,7 +13978,7 @@
 }
 },
 {
- "id": 1151147310,
+ "id": 2444517013,
 "definition": {
 "title": "DescribeSnapshotAttribute",
 "title_size": "16",
@@ -13959,7 +14020,7 @@
 }
 },
 {
- "id": 43509712,
+ "id": 1146483962,
 "definition": {
 "type": "note",
 "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -13978,7 +14039,7 @@
 }
 },
 {
- "id": 1195826477,
+ "id": 2397470139,
 "definition": {
 "title": "DescribeVolumesModifications",
 "title_size": "16",
@@ -14020,7 +14081,7 @@
 }
 },
 {
- "id": 530142578,
+ "id": 3410362403,
 "definition": {
 "type": "note",
 "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14039,7 +14100,7 @@
 }
 },
 {
- "id": 3829942991,
+ "id": 2513864932,
 "definition": {
 "title": "DescribeRegions",
 "title_size": "16",
@@ -14081,7 +14142,7 @@
 }
 },
 {
- "id": 1044084443,
+ "id": 631357616,
 "definition": {
 "type": "note",
 "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n",
@@ -14100,7 +14161,7 @@
 }
 },
 {
- "id": 2295740095,
+ "id": 1981682680,
 "definition": {
 "title": "DescribeSecurityGroups",
 "title_size": "16",
@@ -14142,7 +14203,7 @@
 }
 },
 {
- "id": 1397154556,
+ "id": 3276082997,
 "definition": {
 "type": "note",
 "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14161,7 +14222,7 @@
 }
 },
 {
- "id": 2549471321,
+ "id": 2379585526,
 "definition": {
 "title": "DescribeVpcs",
 "title_size": "16",
@@ -14203,7 +14264,7 @@
 }
 },
 {
- "id": 4144227523,
+ "id": 974369643,
 "definition": {
 "type": "note",
 "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14222,7 +14283,7 @@
 }
 },
 {
- "id": 1001576992,
+ "id": 177211059,
 "definition": {
 "title": "DescribeBundleTasks",
 "title_size": "16",
@@ -14264,7 +14325,7 @@
 }
 },
 {
- "id": 3759744382,
+ "id": 2939725483,
 "definition": {
 "type": "note",
 "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14283,7 +14344,7 @@
 }
 },
 {
- "id": 617093851,
+ "id": 4190711660,
 "definition": {
 "title": "DescribeAccountAttributes",
 "title_size": "16",
@@ -14325,7 +14386,7 @@
 }
 },
 {
- "id": 2257989220,
+ "id": 3145664446,
 "definition": {
 "type": "note",
 "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14344,7 +14405,7 @@
 }
 },
 {
- "id": 3410305985,
+ "id": 101683327,
 "definition": {
 "title": "DescribeVolumes",
 "title_size": "16",
@@ -14386,7 +14447,7 @@
 }
 },
 {
- "id": 3718328418,
+ "id": 2189351799,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14405,7 +14466,7 @@
 }
 },
 {
- "id": 2723161535,
+ "id": 1292854328,
 "definition": {
 "title": "DescribeInstanceTypes",
 "title_size": "16",
@@ -14447,7 +14508,7 @@
 }
 },
 {
- "id": 1620848168,
+ "id": 3245350028,
 "definition": {
 "type": "note",
 "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14466,7 +14527,7 @@
 }
 },
 {
- "id": 2773164933,
+ "id": 201368909,
 "definition": {
 "title": "DescribeClientVpnRoutes",
 "title_size": "16",
@@ -14508,7 +14569,7 @@
 }
 },
 {
- "id": 1614564929,
+ "id": 920256565,
 "definition": {
 "type": "note",
 "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
@@ -14527,7 +14588,7 @@
 }
 },
 {
- "id": 2866220581,
+ "id": 23759094,
 "definition": {
 "title": "GetLaunchTemplateData",
 "title_size": "16",
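Review bot: The ids written by the last two hunks on this line, `+ "id": 920256565,` and `+ "id": 23759094,`, are the same values the earlier GetLaunchTemplateData note and query widgets receive in the `-13288` and `-13307` hunks, so the new dashboard carries two GetLaunchTemplateData widget pairs with duplicate widget ids. The old ids (1614564929 and 2866220581) were duplicated in exactly the same way, so the commit preserves rather than introduces this, but since the ids appear to be derived from widget content, the event is presumably listed twice in whatever catalogue this dashboard is generated from. Dropping the second GetLaunchTemplateData entry at that source would leave every widget id unique and avoid ambiguous widget references on import. The enclosing widgets array starts and ends outside these hunks.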
@@ -14569,7 +14630,7 @@
 }
 },
 {
- "id": 3836354831,
+ "id": 1729196389,
 "definition": {
 "type": "note",
 "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
@@ -14588,7 +14649,7 @@
 }
 },
 {
- "id": 2940526835,
+ "id": 2980182566,
 "definition": {
 "title": "GetParameters",
 "title_size": "16",
@@ -14630,7 +14691,7 @@
 }
 },
 {
- "id": 355705245,
+ "id": 1410726190,
 "definition": {
 "type": "note",
 "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -14649,7 +14710,7 @@
 }
 },
 {
- "id": 3655505658,
+ "id": 2761051254,
 "definition": {
 "title": "DescribeInstanceInformation",
 "title_size": "16",
@@ -14691,7 +14752,7 @@
 }
 },
 {
- "id": 2237589255,
+ "id": 3950798414,
 "definition": {
 "type": "note",
 "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
@@ -14710,7 +14771,7 @@
 }
 },
 {
- "id": 3389906020,
+ "id": 906817295,
 "definition": {
 "title": "GetIdentityVerificationAttributes",
 "title_size": "16",
@@ -14752,7 +14813,7 @@
 }
 },
 {
- "id": 4156064423,
+ "id": 349194343,
 "definition": {
 "type": "note",
 "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
@@ -14771,7 +14832,7 @@
 }
 },
 {
- "id": 1013413892,
+ "id": 3747664168,
 "definition": {
 "title": "GetAccountSendingEnabled",
 "title_size": "16",
@@ -14813,7 +14874,7 @@
 }
 },
 {
- "id": 1966194931,
+ "id": 473067023,
 "definition": {
 "type": "note",
 "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14832,7 +14893,7 @@
 }
 },
 {
- "id": 3118511696,
+ "id": 1724053200,
 "definition": {
 "title": "ListIdentities",
 "title_size": "16",
@@ -14874,7 +14935,7 @@
 }
 },
 {
- "id": 126693309,
+ "id": 4012214486,
 "definition": {
 "type": "note",
 "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -14893,7 +14954,7 @@
 }
 },
 {
- "id": 1279010074,
+ "id": 968233367,
 "definition": {
 "title": "GetSendQuota",
 "title_size": "16",
@@ -14935,7 +14996,7 @@
 }
 },
 {
- "id": 1265328695,
+ "id": 1948908313,
 "definition": {
 "type": "note",
 "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
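Review bot: The SES GetAccount note in the `-14935` hunk carries the description `Lists the applied quota values for the specified AWS service.`, which is the ListServiceQuotas text repeated verbatim in the `-15301` hunk further down and does not describe the SES call the heading names. Only the id changes here, but the description is a context line that ships unchanged on the new side, so it still reads wrong in the imported dashboard; it should describe what SES GetAccount returns, roughly the email-sending status and capabilities of the SES account in the current Region per the SES API reference. This is presumably inherited from the events catalogue the dashboard is generated from, so the fix belongs there as well. The widget definition continues outside the hunk.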
@@ -14954,7 +15015,7 @@
 }
 },
 {
- "id": 2417645460,
+ "id": 3199894490,
 "definition": {
 "title": "GetAccount",
 "title_size": "16",
@@ -14996,7 +15057,7 @@
 }
 },
 {
- "id": 2069865321,
+ "id": 2788285747,
 "definition": {
 "type": "note",
 "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15015,7 +15076,7 @@
 }
 },
 {
- "id": 3222182086,
+ "id": 1991127163,
 "definition": {
 "title": "GetFindings",
 "title_size": "16",
@@ -15057,7 +15118,7 @@
 }
 },
 {
- "id": 1157804491,
+ "id": 501615106,
 "definition": {
 "type": "note",
 "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15076,7 +15137,7 @@
 }
 },
 {
- "id": 2310121256,
+ "id": 3900084931,
 "definition": {
 "title": "ListFindings",
 "title_size": "16",
@@ -15118,7 +15179,7 @@
 }
 },
 {
- "id": 3673658512,
+ "id": 1593269003,
 "definition": {
 "type": "note",
 "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -15137,7 +15198,7 @@
 }
 },
 {
- "id": 2777830516,
+ "id": 696771532,
 "definition": {
 "title": "ListDetectors",
 "title_size": "16",
@@ -15179,7 +15240,7 @@
 }
 },
 {
- "id": 1329327892,
+ "id": 930619286,
 "definition": {
 "type": "note",
 "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
@@ -15198,7 +15259,7 @@
 }
 },
 {
- "id": 2481644657,
+ "id": 2280944350,
 "definition": {
 "title": "GetDetector",
 "title_size": "16",
@@ -15240,7 +15301,7 @@
 }
 },
 {
- "id": 2067987388,
+ "id": 653525461,
 "definition": {
 "type": "note",
 "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n",
@@ -15259,7 +15320,7 @@
 }
 },
 {
- "id": 3220304153,
+ "id": 1904511638,
 "definition": {
 "title": "ListIPSets",
 "title_size": "16",
@@ -15301,7 +15362,7 @@
 }
 },
 {
- "id": 3752311997,
+ "id": 2547173999,
 "definition": {
 "type": "note",
 "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
@@ -15320,7 +15381,7 @@
 }
 },
 {
- "id": 609661466,
+ "id": 3798160176,
 "definition": {
 "title": "ListServiceQuotas",
 "title_size": "16",
@@ -15371,7 +15432,7 @@ } }, { - "id": 1265058145, + "id": 2748250833, "definition": { "type": "group", "layout_type": "ordered", @@ -15380,7 +15441,7 @@ "show_title": true, "widgets": [ { - "id": 3155965209, + "id": 282053377, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -15399,7 +15460,7 @@ } }, { - "id": 13314678, + "id": 1533039554, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -15441,7 +15502,7 @@ } }, { - "id": 3674619485, + "id": 3711302722, "definition": { "type": "note", "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", @@ -15460,7 +15521,7 @@ } }, { - "id": 631307841, + "id": 766660490, "definition": { "title": "SwitchRole", "title_size": "16", 
@@ -15502,10 +15563,10 @@ } }, { - "id": 3735938906, + "id": 3753350775, "definition": { "type": "note", - "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n", + "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15521,7 +15582,7 @@ } }, { - "id": 2740772023, + "id": 709369656, "definition": { "title": "EnableSerialConsoleAccess", "title_size": "16", @@ -15563,7 +15624,7 @@ } }, { - "id": 186912491, + "id": 2351983240, "definition": { "type": "note", "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15582,7 +15643,7 @@ } }, { - "id": 1339229256, + "id": 1455485769, "definition": { "title": "CreateVolume", "title_size": "16", 
@@ -15624,7 +15685,7 @@ } }, { - "id": 1144718266, + "id": 1372949638, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -15643,7 +15704,7 @@ } }, { - "id": 2297035031, + "id": 2623935815, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -15685,7 +15746,7 @@ } }, { - "id": 3913189943, + "id": 961294797, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Opening a security group to the Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -15704,7 +15765,7 @@ } }, { - "id": 2918023060, + "id": 2212280974, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -15746,10 +15807,10 @@ } }, { - "id": 2006471867, + "id": 2364717797, "definition": { "type": "note", - "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", + "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -15765,7 +15826,7 @@ } }, { - "id": 3158788632, + "id": 1468220326, "definition": { "title": "SendSSHPublicKey", "title_size": "16", 
@@ -15807,7 +15868,7 @@ } }, { - "id": 3948593755, + "id": 3921422600, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -15826,7 +15887,7 @@ } }, { - "id": 805943224, + "id": 877441481, "definition": { "title": "CreateSnapshot", "title_size": "16", 
@@ -15868,7 +15929,7 @@ } }, { - "id": 2871535782, + "id": 2176244995, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -15887,7 +15948,7 @@ } }, { - "id": 1975707786, + "id": 1279747524, "definition": { "title": "RunInstances", "title_size": "16", @@ -15929,7 +15990,7 @@ } }, { - "id": 656619766, + "id": 3738972907, "definition": { "type": "note", "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -15948,7 +16009,7 @@ } }, { - "id": 1808936531, + "id": 694991788, "definition": { "title": "AttachVolume", "title_size": "16", @@ -15990,7 +16051,7 @@ } }, { - "id": 769538665, + "id": 84198124, "definition": { "type": "note", "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", 
@@ -16009,7 +16070,7 @@ } }, { - "id": 1921855430, + "id": 3482667949, "definition": { "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", @@ -16051,10 +16112,10 @@ } }, { - "id": 1218100242, + "id": 3169641218, "definition": { "type": "note", - "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", + "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16070,7 +16131,7 @@ } }, { - "id": 2370417007, + "id": 125660099, "definition": { "title": "SendCommand", "title_size": "16", 
@@ -16112,7 +16173,7 @@ } }, { - "id": 2504606613, + "id": 2692739650, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n", @@ -16131,7 +16192,7 @@ } }, { - "id": 3656923378, + "id": 1796242179, "definition": { "title": "StartSession", "title_size": "16", 
@@ -16171,6 +16232,67 @@ "width": 2, "height": 2 } + }, + { + "id": 2258944592, + "definition": { + "type": "note", + "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 8, + "width": 2, + "height": 2 + } + }, + { + "id": 3509930769, + "definition": { + "title": "ResumeSession", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:ResumeSession $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 8, + "width": 2, + "height": 2 + } } ] }, @@ -16182,7 +16304,7 @@ } }, { - "id": 2740224450, + "id": 56148282, "definition": { "type": "group", "layout_type": "ordered", 
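Review bot: The `"id"` values on the two new ResumeSession widgets (`2258944592`, `3509930769`) follow the same export-time regeneration as the hundreds of `- "id"`/`+ "id"` pairs in the rest of this file, which buries the commit's substantive changes — these two widgets, the widened `@evt.name:(... OR ResumeSession)` queries, and the added reference links in the EnableSerialConsoleAccess, SendSSHPublicKey and SendCommand notes — under id churn. If the dashboard is generated from the per-event JSON under events/, stripping or stabilising widget ids in the generator would make future diffs show only content changes. Separately, the ResumeSession query_value counts every reconnect, so on accounts where Session Manager is in routine use this panel will read high; a short line in the note content such as `A ResumeSession normally follows a StartSession for the same session id — reconnects with no matching StartSession, or from a different source IP, are the ones worth a closer look.` would help an analyst interpret the number. The enclosing widgets array and group continue outside the hunk.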
@@ -16191,7 +16313,7 @@ "show_title": true, "widgets": [ { - "id": 2479697957, + "id": 392915107, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16210,7 +16332,7 @@ } }, { - "id": 3632014722, + "id": 3791384932, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -16252,7 +16374,7 @@ } }, { - "id": 2922798347, + "id": 2787280443, "definition": { "type": "note", "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16271,7 +16393,7 @@ } }, { - "id": 2026970351, + "id": 1890782972, "definition": { "title": "UpdateDistribution", "title_size": "16", 
@@ -16313,7 +16435,7 @@ } }, { - "id": 597054238, + "id": 4009592935, "definition": { "type": "note", "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16332,7 +16454,7 @@ } }, { - "id": 3996193538, + "id": 3113095464, "definition": { "title": "PublishFunction", "title_size": "16", @@ -16374,7 +16496,7 @@ } }, { - "id": 268403312, + "id": 3561755502, "definition": { "type": "note", "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -16393,7 +16515,7 @@ } }, { - "id": 1420720077, + "id": 617113270, "definition": { "title": "CreateFunction", "title_size": "16", @@ -16435,7 +16557,7 @@ } }, { - "id": 1617120094, + "id": 4184762204, "definition": { "type": "note", "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", @@ -16454,7 +16576,7 @@ } }, { - "id": 621953211, + "id": 3387603620, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", 
@@ -16496,7 +16618,7 @@ } }, { - "id": 2075590302, + "id": 2427879147, "definition": { "type": "note", "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16515,7 +16637,7 @@ } }, { - "id": 3227907067, + "id": 1531381676, "definition": { "title": "CreateTrafficMirrorTarget", "title_size": "16", @@ -16557,7 +16679,7 @@ } }, { - "id": 2375206853, + "id": 700146825, "definition": { "type": "note", "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16576,7 +16698,7 @@ } }, { - "id": 3527523618, + "id": 4197955537, "definition": { "title": "CreateTrafficMirrorSession", "title_size": "16", @@ -16618,7 +16740,7 @@ } }, { - "id": 1583187997, + "id": 3321447678, "definition": { "type": "note", "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -16637,7 +16759,7 @@ } }, { - "id": 588021114, + "id": 376805446, "definition": { "title": "CreateRoute", "title_size": "16", 
@@ -16679,7 +16801,7 @@ } }, { - "id": 1214662766, + "id": 2501452591, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16698,7 +16820,7 @@ } }, { - "id": 2366979531, + "id": 1604955120, "definition": { "title": "CreateTrafficMirrorFilter", "title_size": "16", @@ -16740,7 +16862,7 @@ } }, { - "id": 182780845, + "id": 2582972755, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16759,7 +16881,7 @@ } }, { - "id": 1335097610, + "id": 3833958932, "definition": { "title": "CreateTrafficMirrorFilterRule", "title_size": "16", @@ -16810,7 +16932,7 @@ } }, { - "id": 1484581200, + "id": 753313892, "definition": { "type": "group", "layout_type": "ordered", @@ -16819,7 +16941,7 @@ "show_title": true, "widgets": [ { - "id": 4066522757, + "id": 3467042405, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -16838,7 +16960,7 @@ } }, { - "id": 923872226, + "id": 2570544934, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -16880,7 +17002,7 @@ } }, { - "id": 2477161762, + "id": 2547883252, "definition": { "type": "note", "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -16899,7 +17021,7 @@ } }, { - "id": 3629478527, + "id": 3898208316, "definition": { "title": "CreateServer", "title_size": "16", @@ -16941,7 +17063,7 @@ } }, { - "id": 1671028668, + "id": 2869571706, "definition": { "type": "note", "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -16960,7 +17082,7 @@ } }, { - "id": 675861785, + "id": 1973074235, "definition": { "title": "PutBucketPolicy", "title_size": "16", @@ -17002,7 +17124,7 @@ } }, { - "id": 4102340993, + "id": 2653918871, "definition": { "type": "note", "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", @@ -17021,7 +17143,7 @@ } }, { - "id": 959690462, + "id": 3904905048, "definition": { "title": "PutBucketAcl", "title_size": "16", 
@@ -17063,7 +17185,7 @@ } }, { - "id": 1185497486, + "id": 4046737660, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17082,7 +17204,7 @@ } }, { - "id": 190330603, + "id": 1002756541, "definition": { "title": "PutBucketVersioning", "title_size": "16", @@ -17124,7 +17246,7 @@ } }, { - "id": 1954827617, + "id": 913373397, "definition": { "type": "note", "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17143,7 +17265,7 @@ } }, { - "id": 959660734, + "id": 116214813, "definition": { "title": "PutBucketReplication", "title_size": "16", 
@@ -17185,7 +17307,7 @@ } }, { - "id": 214311814, + "id": 4180112710, "definition": { "type": "note", "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming 
Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", @@ -17204,7 +17326,7 @@ } }, { - "id": 1366628579, + "id": 3382954126, "definition": { "title": "GetObject", "title_size": "16", @@ -17246,7 +17368,7 @@ } }, { - "id": 3381914906, + "id": 596242029, "definition": { "type": "note", "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -17265,7 +17387,7 @@ } }, { - "id": 239264375, + "id": 1847228206, "definition": { "title": "JobCreated", "title_size": "16", @@ -17307,7 +17429,7 @@ } }, { - "id": 2573594233, + "id": 2205086822, "definition": { "type": "note", "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", @@ -17326,7 +17448,7 @@ } }, { - "id": 3725910998, + "id": 3456072999, "definition": { "title": "ModifySnapshotAttribute", "title_size": "16", 
@@ -17368,7 +17490,7 @@ } }, { - "id": 2613037585, + "id": 1517596163, "definition": { "type": "note", "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17387,7 +17509,7 @@ } }, { - "id": 1717209589, + "id": 621098692, "definition": { "title": "SharedSnapshotCopyInitiated", "title_size": "16", @@ -17429,7 +17551,7 @@ } }, { - "id": 2439169962, + "id": 2633206184, "definition": { "type": "note", "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -17448,7 +17570,7 @@ } }, { - "id": 1543341966, + "id": 1736708713, "definition": { "title": "SharedSnapshotVolumeCreated", "title_size": "16", 
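Review bot: The note content for SharedSnapshotCopyInitiated (and SharedSnapshotVolumeCreated in the next hunk on this line) still reads `**Description:** Modifies the specified attribute of the specified instance.`, which is the ModifyInstanceAttribute wording and does not describe these events; the id bump in this commit leaves it in place. As I understand them, these events are recorded when a snapshot shared from this account is copied, or used to create a volume, by the account it was shared with — which is exactly what the linked snapshot-exfiltration research is about — so the text should say so, e.g. `**Description:** Recorded when a snapshot shared from this account is copied by the account it was shared with.` and `**Description:** Recorded when a volume is created from a snapshot shared from this account.` This dashboard text is probably generated from the per-event JSON under events/, so the fix belongs in those source files rather than here.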
@@ -17490,7 +17612,7 @@ } }, { - "id": 1939351301, + "id": 1151966523, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -17509,7 +17631,7 @@ } }, { - "id": 3191006953, + "id": 2402952700, "definition": { "title": "CreateSnapshot", "title_size": "16", @@ -17551,7 +17673,7 @@ } }, { - "id": 955927362, + "id": 273854776, "definition": { "type": "note", "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -17570,7 +17692,7 @@ } }, { - "id": 2108244127, + "id": 3672324601, "definition": { "title": "CreateImage", "title_size": "16", 
@@ -17612,7 +17734,7 @@ } }, { - "id": 1897141242, + "id": 1126713681, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", @@ -17631,7 +17753,7 @@ } }, { - "id": 901974359, + "id": 2477038745, "definition": { "title": "AuthorizeSecurityGroupEgress", "title_size": "16", @@ -17673,7 +17795,7 @@ } }, { - "id": 1610677501, + "id": 2294943691, "definition": { "type": "note", "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", @@ -17692,7 +17814,7 @@ } }, { - "id": 2762994266, + "id": 1398446220, "definition": { "title": "ModifyImageAttribute", "title_size": "16", 
@@ -17734,7 +17856,7 @@ } }, { - "id": 2394786179, + "id": 802045896, "definition": { "type": "note", "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17753,7 +17875,7 @@ } }, { - "id": 1399619296, + "id": 4887312, "definition": { "title": "ModifyDBSnapshotAttribute", "title_size": "16", @@ -17795,7 +17917,7 @@ } }, { - "id": 4280186467, + "id": 1858844037, "definition": { "type": "note", "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", @@ -17814,7 +17936,7 @@ } }, { - "id": 1137535936, + "id": 962346566, "definition": { "title": "StartExportTask", "title_size": "16", 
@@ -17856,7 +17978,7 @@ } }, { - "id": 644428514, + "id": 1685648118, "definition": { "type": "note", "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -17875,7 +17997,7 @@ } }, { - "id": 1896084166, + "id": 2936634295, "definition": { "title": "CreateDBSecurityGroup", "title_size": "16", @@ -17917,7 +18039,7 @@ } }, { - "id": 3781499919, + "id": 1701948889, "definition": { "type": "note", "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", @@ -17936,7 +18058,7 @@ } }, { - "id": 638849388, + "id": 904790305, "definition": { "title": "CreateDBSnapshot", "title_size": "16", @@ -17987,7 +18109,7 @@ } }, { - "id": 1647298795, + "id": 3668429027, "definition": { "type": "group", "layout_type": "ordered", 
@@ -17996,7 +18118,7 @@ "show_title": true, "widgets": [ { - "id": 23280865, + "id": 1048861228, "definition": { "type": "note", "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18015,7 +18137,7 @@ } }, { - "id": 1274936517, + "id": 2399186292, "definition": { "title": "ChangeResourceRecordSets", "title_size": "16", @@ -18057,7 +18179,7 @@ } }, { - "id": 182858425, + "id": 3153665777, "definition": { "type": "note", "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18076,7 +18198,7 @@ } }, { - "id": 1434514077, + "id": 2356507193, "definition": { "title": "RegisterDomain", "title_size": "16", 
@@ -18118,7 +18240,7 @@ } }, { - "id": 2530618011, + "id": 1279906025, "definition": { "type": "note", "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -18137,7 +18259,7 @@ } }, { - "id": 1535451128, + "id": 2630231089, "definition": { "title": "CreateHostedZone", "title_size": "16", @@ -18179,7 +18301,7 @@ } }, { - "id": 617893909, + "id": 1519101507, "definition": { "type": "note", "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18198,7 +18320,7 @@ } }, { - "id": 3917694322, + "id": 622604036, "definition": { "title": "Publish", "title_size": "16", 
@@ -18240,7 +18362,7 @@ } }, { - "id": 4136917460, + "id": 1759272292, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18259,7 +18381,7 @@ } }, { - "id": 994266929, + "id": 862774821, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -18301,7 +18423,7 @@ } }, { - "id": 2163691271, + "id": 1867957198, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -18320,7 +18442,7 @@ } }, { - "id": 3316008036, + "id": 1070798614, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -18362,7 +18484,7 @@ } }, { - "id": 1629582264, + "id": 3521826320, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -18381,7 +18503,7 @@ } }, { - "id": 733754268, + "id": 577184088, "definition": { "title": "Invoke", "title_size": "16", 
@@ -18423,7 +18545,7 @@ } }, { - "id": 2427054594, + "id": 2543627143, "definition": { "type": "note", "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18442,7 +18564,7 @@ } }, { - "id": 1431887711, + "id": 3794613320, "definition": { "title": "DeleteFileSystem", "title_size": "16", @@ -18484,7 +18606,7 @@ } }, { - "id": 674658683, + "id": 3730719242, "definition": { "type": "note", "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -18503,7 +18625,7 @@ } }, { - "id": 1826975448, + "id": 2834221771, "definition": { "title": "DeleteMountTarget", "title_size": "16", @@ -18545,7 +18667,7 @@ } }, { - "id": 2915945633, + "id": 344435555, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -18564,7 +18686,7 @@ } }, { - "id": 2020117637, + "id": 3742905380, "definition": { "title": "DeleteRule", "title_size": "16", 
@@ -18606,7 +18728,7 @@ } }, { - "id": 2768858299, + "id": 2924551126, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -18625,7 +18747,7 @@ } }, { - "id": 3921175064, + "id": 2028053655, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -18667,7 +18789,7 @@ } }, { - "id": 822753900, + "id": 3376180199, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -18686,7 +18808,7 @@ } }, { - "id": 4122554313, + "id": 431537967, "definition": { "title": "DisableRule", "title_size": "16", @@ -18728,7 +18850,7 @@ } }, { - "id": 1718423319, + "id": 1224254194, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -18747,7 +18869,7 @@ } }, { - "id": 2970078971, + "id": 2475240371, "definition": { "title": "PutRule", "title_size": "16", 
@@ -18789,7 +18911,7 @@ } }, { - "id": 2163997752, + "id": 1346066183, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -18808,7 +18930,7 @@ } }, { - "id": 3316314517, + "id": 548907599, "definition": { "title": "CreateInstances", "title_size": "16", @@ -18850,7 +18972,7 @@ } }, { - "id": 1544174115, + "id": 2452739824, "definition": { "type": "note", "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18869,7 +18991,7 @@ } }, { - "id": 648346119, + "id": 3703726001, "definition": { "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", @@ -18911,7 +19033,7 @@ } }, { - "id": 1080834123, + "id": 874165561, "definition": { "type": "note", "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -18930,7 +19052,7 @@ } }, { - "id": 2233150888, + "id": 4272635386, "definition": { "title": "ScheduleKeyDeletion", "title_size": "16", 
@@ -18972,7 +19094,7 @@ } }, { - "id": 1884107117, + "id": 2389472753, "definition": { "type": "note", "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -18991,7 +19113,7 @@ } }, { - "id": 888940234, + "id": 1592314169, "definition": { "title": "Encrypt", "title_size": "16", @@ -19033,7 +19155,7 @@ } }, { - "id": 1197105405, + "id": 2391682787, "definition": { "type": "note", "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", @@ -19052,7 +19174,7 @@ } }, { - "id": 2349422170, + "id": 1594524203, "definition": { "title": "PutObject", "title_size": "16", @@ -19094,7 +19216,7 @@ } }, { - "id": 1044164642, + "id": 1048583851, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -19113,7 +19235,7 @@ } }, { - "id": 2196481407, + "id": 251425267, "definition": { "title": "PutBucketVersioning", "title_size": "16", 
@@ -19155,7 +19277,7 @@ } }, { - "id": 3136691529, + "id": 3536115423, "definition": { "type": "note", "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n", @@ -19174,7 +19296,7 @@ } }, { - "id": 4289008294, + "id": 2639617952, "definition": { "title": "PutBucketLifecycle", "title_size": "16", @@ -19216,7 +19338,7 @@ } }, { - "id": 960280068, + "id": 4171771703, "definition": { "type": "note", "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19235,7 +19357,7 @@ } }, { - "id": 4260080481, + "id": 3275274232, "definition": { "title": "DeleteObject", "title_size": "16", 
@@ -19277,7 +19399,7 @@ } }, { - "id": 920510554, + "id": 431858764, "definition": { "type": "note", "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19296,7 +19418,7 @@ } }, { - "id": 2072827319, + "id": 3830328589, "definition": { "title": "InvokeModel", "title_size": "16", @@ -19338,7 +19460,7 @@ } }, { - "id": 338916093, + "id": 1356053040, "definition": { "type": "note", "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19357,7 +19479,7 @@ } }, { - "id": 3638716506, + "id": 2607039217, "definition": { "title": "PutFoundationModelEntitlement", "title_size": "16", @@ -19399,7 +19521,7 @@ } }, { - "id": 838334444, + "id": 4054649061, "definition": { "type": "note", "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", 
@@ -19418,7 +19540,7 @@ } }, { - "id": 1990651209, + "id": 1010667942, "definition": { "title": "InvokeModelWithResponseStream", "title_size": "16", @@ -19460,7 +19582,7 @@ } }, { - "id": 251972295, + "id": 807938940, "definition": { "type": "note", "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19479,7 +19601,7 @@ } }, { - "id": 1404289060, + "id": 4206408765, "definition": { "title": "PutUseCaseForModelAccess", "title_size": "16", @@ -19521,7 +19643,7 @@ } }, { - "id": 1095394099, + "id": 2934951439, "definition": { "type": "note", "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n", @@ -19540,7 +19662,7 @@ } }, { - "id": 199566103, + "id": 2038453968, "definition": { "title": "CreateFoundationModelAgreement", "title_size": "16", @@ -19582,7 +19704,7 @@ } }, { - "id": 2911106376, + "id": 3483481384, "definition": { "type": "note", "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19601,7 +19723,7 @@ } }, { - "id": 4063423141, + "id": 2586983913, "definition": { "title": "DeleteVolume", "title_size": "16", 
@@ -19643,10 +19765,10 @@ } }, { - "id": 2109179268, + "id": 3294891290, "definition": { "type": "note", - "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", + "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19662,7 +19784,7 @@ } }, { - "id": 1114012385, + "id": 350249058, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -19704,7 +19826,7 @@ } }, { - "id": 1385215959, + "id": 363055578, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -19723,7 +19845,7 @@ } }, { - "id": 2537532724, + "id": 1713380642, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -19765,7 +19887,7 @@ } }, { - "id": 1257316473, + "id": 3925399966, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -19784,7 +19906,7 @@ } }, { - "id": 2409633238, + "id": 3128241382, "definition": { "title": "TerminateInstances", "title_size": "16", 
@@ -19826,10 +19948,10 @@ } }, { - "id": 2412743565, + "id": 1597349931, "definition": { "type": "note", - "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n", + "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -19845,7 +19967,7 @@ } }, { - "id": 1417576682, + "id": 2848336108, "definition": { "title": "StopInstances", "title_size": "16", @@ -19887,7 +20009,7 @@ } }, { - "id": 3755853141, + "id": 2996720459, "definition": { "type": "note", "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", 
@@ -19906,7 +20028,7 @@ } }, { - "id": 2760686258, + "id": 2100222988, "definition": { "title": "DeleteSnapshot", "title_size": "16", 
@@ -19948,7 +20070,7 @@ } }, { - "id": 919638258, + "id": 3755745790, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -19967,7 +20089,7 @@ } }, { - "id": 4219438671, + "id": 711764671, "definition": { "title": "RunInstances", "title_size": "16", @@ -20009,7 +20131,7 @@ } }, { - "id": 3208574611, + "id": 3873481830, "definition": { "type": "note", "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", @@ -20028,7 +20150,7 @@ } }, { - "id": 2213407728, + "id": 829500711, "definition": { "title": "DeleteGlobalCluster", "title_size": "16", @@ -20070,7 +20192,7 @@ } }, { - "id": 199212645, + "id": 3461963518, "definition": { "type": "note", "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", 
@@ -20089,7 +20211,7 @@ } }, { - "id": 3598351945, + "id": 2565466047, "definition": { "title": "DeleteDBCluster", "title_size": "16", @@ -20131,7 +20253,7 @@ } }, { - "id": 1308502558, + "id": 3302819324, "definition": { "type": "note", "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -20150,7 +20272,7 @@ } }, { - "id": 2460819323, + "id": 358177092, "definition": { "title": "CreateEmailIdentity", "title_size": "16", @@ -20192,7 +20314,7 @@ } }, { - "id": 1465410112, + "id": 3484192527, "definition": { "type": "note", "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -20211,7 +20333,7 @@ } }, { - "id": 470243229, + "id": 2687033943, "definition": { "title": "UpdateAccountSendingEnabled", "title_size": "16", 
@@ -20253,7 +20375,7 @@ } }, { - "id": 1540403909, + "id": 2950706983, "definition": { "type": "note", "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -20272,7 +20394,7 @@ } }, { - "id": 2692720674, + "id": 2054209512, "definition": { "title": "VerifyEmailIdentity", "title_size": "16", @@ -20314,7 +20436,7 @@ } }, { - "id": 2600603895, + "id": 4248834813, "definition": { "type": "note", "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20333,7 +20455,7 @@ } }, { - "id": 3752920660, + "id": 3352337342, "definition": { "title": "RegisterTaskDefinition", "title_size": "16", @@ -20375,7 +20497,7 @@ } }, { - "id": 1139286011, + "id": 3073408598, "definition": { "type": "note", "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20394,7 +20516,7 @@ } }, { - "id": 2291602776, + "id": 2176911127, "definition": { "title": "CreateService", "title_size": "16", 
@@ -20436,7 +20558,7 @@ } }, { - "id": 2097559092, + "id": 164320414, "definition": { "type": "note", "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -20455,7 +20577,7 @@ } }, { - "id": 3249875857, + "id": 3562790239, "definition": { "title": "CreateCluster", "title_size": "16", @@ -20497,7 +20619,7 @@ } }, { - "id": 92227541, + "id": 2531828626, "definition": { "type": "note", "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", @@ -20516,7 +20638,7 @@ } }, { - "id": 3392027954, + "id": 3882153690, "definition": { "title": "RequestServiceQuotaIncrease", "title_size": "16", diff --git a/docs/events.csv b/docs/events.csv index 538b83b..0340c8a 100644 --- a/docs/events.csv +++ b/docs/events.csv 
@@ -174,14 +174,14 @@ GetConsoleScreenshot,ec2.amazonaws.com,EC2,Retrieve a JPG-format screenshot of a
 DeleteVolume,ec2.amazonaws.com,EC2,Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).,TA0040 - Impact,T1485 - Data Destruction,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-volume --volume-id TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume
 DescribeSnapshotTierStatus,ec2.amazonaws.com,EC2,Describes the storage tier status of one or more Amazon EBS snapshots.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotTierStatus to assess the tiering status and potential lifecycle transitions of EBS snapshots, seeking to identify snapshots that are less frequently accessed or potentially unmonitored.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-tier-status""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotTierStatus
 DescribeImages,ec2.amazonaws.com,EC2,"Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeImages to identify AMIs (Amazon Machine Images) within AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-images --filters Name=name,Values=TrailDiscover""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeImages
-ModifyInstanceAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""EC2 Privilege Escalation Through User Data"", ""link"": ""https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/""}, {""description"": ""User Data Script Persistence"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/""}]",Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute
+ModifyInstanceAttribute,ec2.amazonaws.com,EC2,Modifies the specified attribute of the specified instance.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""EC2 Privilege Escalation Through User Data"", ""link"": ""https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/""}, {""description"": ""User Data Script Persistence"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 modify-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute --value TrailDiscoverValue""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-ModifyInstanceAttribute
 GetEbsDefaultKmsKeyId,ec2.amazonaws.com,EC2,Describes the default AWS KMS key for EBS encryption by default for your account in this Region.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use GetEbsDefaultKmsKeyId to identify the default AWS Key Management Service (KMS) key used for encrypting new Amazon EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-ebs-default-kms-key-id""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetEbsDefaultKmsKeyId
-EnableSerialConsoleAccess,ec2.amazonaws.com,EC2,Enables access to the EC2 serial console of all instances for your account.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""How to detect EC2 Serial Console enabled"", ""link"": ""https://sysdig.com/blog/ec2-serial-console-enabled/""}]",Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 enable-serial-console-access""}]",https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess
+EnableSerialConsoleAccess,ec2.amazonaws.com,EC2,Enables access to the EC2 serial console of all instances for your account.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""How to detect EC2 Serial Console enabled"", ""link"": ""https://sysdig.com/blog/ec2-serial-console-enabled/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 enable-serial-console-access""}]",https://aws.permissions.cloud/iam/ec2#ec2-EnableSerialConsoleAccess
 DescribeAvailabilityZones,ec2.amazonaws.com,EC2,"Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeAvailabilityZones to map the deployment regions of an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-availability-zones --filters Name=region-name,Values=TrailDiscoverRegion""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeAvailabilityZones
 GetPasswordData,ec2.amazonaws.com,EC2,Retrieves the encrypted administrator password for a running Windows instance.,TA0006 - Credential Access,T1555 - Credentials from Password Stores,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetPasswordData to retrieve the password data for Windows instances, allowing unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-password-data --instance-id TrailDiscoverInstanceId""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetPasswordData
 CreateTrafficMirrorTarget,ec2.amazonaws.com,EC2,Creates a target for your Traffic Mirror session.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateTrafficMirrorTarget to establish destinations for mirrored traffic, potentially facilitating the unauthorized observation or capture of sensitive information.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-traffic-mirror-target --description TrailDiscoverDescription --network-interface-id TrailDiscoverNetworkInterfaceId --network-load-balancer-arn TrailDiscoverNetworkLoadBalancerArn""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateTrafficMirrorTarget
 CreateVolume,ec2.amazonaws.com,EC2,Creates an EBS volume that can be attached to an instance in the same Availability Zone.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],Attackers might use CreateVolume to create a volume from a snapshot and mount it to an EC2 instance under their control.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 create-volume --size 80 --availability-zone us-east-1a""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateVolume
-StartInstances,ec2.amazonaws.com,EC2,Starts an Amazon EBS-backed instance that you've previously stopped.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}]",Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 start-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-StartInstances
+StartInstances,ec2.amazonaws.com,EC2,Starts an Amazon EBS-backed instance that you've previously stopped.,"TA0003 - Persistence, TA0040 - Impact","T1098 - Account Manipulation, T1496 - Resource Hijacking",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 start-instances --instance-ids TrailDiscoverInstanceID""}]",https://aws.permissions.cloud/iam/ec2#ec2-StartInstances
 CreateSecurityGroup,ec2.amazonaws.com,EC2,Creates a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}, {""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]","Attackers might use CreateSecurityGroup to establish new security groups with lax rules, facilitating unauthorized access or resource exploitation within AWS environments.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-security-group --group-name TrailDiscoverGroupName --description \""TrailDiscoverDescription\""""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateSecurityGroup
 DescribeInstances,ec2.amazonaws.com,EC2,Describes the specified instances or all instances.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","[{""description"": ""Abusing VPC Traffic Mirroring in AWS"", ""link"": ""https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/""}]",Attackers might use DescribeInstances to inventory EC2 instances within an AWS environment.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstances
 GetTransitGatewayRouteTableAssociations,ec2.amazonaws.com,EC2,Gets information about the associations for the specified transit gateway route table.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetTransitGatewayRouteTableAssociations to examine the associations between transit gateway route tables and attached resources, potentially to understand network routing policies.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-transit-gateway-route-table-associations --transit-gateway-route-table-id tgw-rtb-0a823edbdeEXAMPLE""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetTransitGatewayRouteTableAssociations
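Review bot: The three rows changed in this hunk (ModifyInstanceAttribute, EnableSerialConsoleAccess, StartInstances) each append the same `{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}` entry to a JSON array embedded in a CSV cell, and the identical string is added to the StopInstances note in docs/datadog_dashboard.json earlier in this same commit. Keeping several copies of the same research list aligned this way is where the docs drift: if docs/events.csv is derived from the per-event JSON files, a CI step that regenerates it and fails on any diff would catch a row edited in only one place, and if it is hand-maintained, a check that every research link in a CSV row also appears in the corresponding event file would do the same. A smaller point of style in the same rows: the sample commands use `TrailDiscoverInstanceID` with `--instance-ids` but `TrailDiscoverInstanceId` with `--instance-id`, so anyone searching for the placeholder has to know both spellings.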
@@ -202,13 +202,13 @@ DeleteNetworkAclEntry,ec2.amazonaws.com,EC2,Deletes the specified ingress or egr
 CreateRoute,ec2.amazonaws.com,EC2,Creates a route in a route table within a VPC.,TA0009 - Collection,T1074 - Data Staged,False,[],"[{""description"": ""Ensure CloudWatch has an Alarm for Route Table Changes"", ""link"": ""https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change""}, {""description"": ""AWS Incident Response"", ""link"": ""https://easttimor.github.io/aws-incident-response/""}]",Attackers might use CreateRoute to redirect network traffic within AWS VPCs to eavesdrop or exfiltrate data.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-13""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-route --route-table-id TrailDiscoverRouteTableId --destination-cidr-block TrailDiscoverDestinationCidrBlock --gateway-id TrailDiscoverGatewayId""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateRoute
 GetFlowLogsIntegrationTemplate,ec2.amazonaws.com,EC2,Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetFlowLogsIntegrationTemplate to create templates for integrating VPC flow logs with external monitoring solutions, potentially to configure exfiltration pathways for gathered data or to understand security monitoring setups.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-flow-logs-integration-template --flow-log-id fl-1234567890abcdef0 --config-delivery-s3-destination-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET --integrate-services AthenaIntegrations='[{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00},{IntegrationResultS3DestinationArn=arn:aws:s3:::DOC-EXAMPLE-BUCKET,PartitionLoadFrequency=none,PartitionStartDate=2021-07-21T00:40:00,PartitionEndDate=2021-07-21T00:42:00}]'""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetFlowLogsIntegrationTemplate
 DescribeTransitGatewayMulticastDomains,ec2.amazonaws.com,EC2,Describes one or more transit gateway multicast domains.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeTransitGatewayMulticastDomains to obtain details on multicast domains within AWS Transit Gateways, identifying network segments and multicast configurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-transit-gateway-multicast-domains --transit-gateway-multicast-domain-ids TrailDiscoverTransitGatewayMulticastDomainId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeTransitGatewayMulticastDomains
-StopInstances,ec2.amazonaws.com,EC2,Stops an Amazon EBS-backed instance.,"TA0040 - Impact, TA0005 - Defense Evasion","T1499 - Endpoint Denial of Service, T1578 - Modify Cloud Compute Infrastructure",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}]",Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-StopInstances
+StopInstances,ec2.amazonaws.com,EC2,Stops an Amazon EBS-backed instance.,"TA0040 - Impact, TA0005 - Defense Evasion","T1499 - Endpoint Denial of Service, T1578 - Modify Cloud Compute Infrastructure",True,"[{""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}]","[{""description"": ""Executing commands through EC2 user data"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 stop-instances --instance-ids TrailDiscoverInstanceID""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-StopInstances
 DescribeInstanceAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified instance. You can specify only one attribute at a time.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeInstanceAttribute to inspect detailed configurations of EC2 instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-instance-attribute --instance-id TrailDiscoverInstanceId --attribute TrailDiscoverAttribute""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-download-user-data""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeInstanceAttribute
 DescribeDhcpOptions,ec2.amazonaws.com,EC2,Describes one or more of your DHCP options sets.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeDhcpOptions to inspect DHCP configurations in an AWS VPC.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-dhcp-options --dhcp-options-ids TrailDiscoverDhcpOptionsId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeDhcpOptions
 AuthorizeSecurityGroupIngress,ec2.amazonaws.com,EC2,Adds the specified inbound (ingress) rules to a security group.,"TA0003 - Persistence, TA0008 - Lateral Movement","T1098 - Account Manipulation, T1021 - Remote Services",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Finding evil in AWS"", ""link"": ""https://expel.com/blog/finding-evil-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Behind the scenes in the Expel SOC: Alert-to-fix in AWS"", ""link"": ""https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/""}, {""description"": ""When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability"", ""link"": ""https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Opening a security group to the Internet"", ""link"": ""https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/""}]",Attackers might use AuthorizeSecurityGroupIngress to allow access to resources to gain persistence or move laterally.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-10""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 authorize-security-group-ingress --group-id sg-0683fcf7a41c82593 --protocol tcp --port 22 --cidr 203.0.113.0/24""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress""}]",https://aws.permissions.cloud/iam/ec2#ec2-AuthorizeSecurityGroupIngress
 DescribeVpcEndpointConnectionNotifications,ec2.amazonaws.com,EC2,Describes the connection notifications for VPC endpoints and VPC endpoint services.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVpcEndpointConnectionNotifications to monitor notification configurations for VPC endpoints.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-vpc-endpoint-connection-notifications --connection-notification-id TrailDiscoverConnectionNotificationId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVpcEndpointConnectionNotifications
 DescribeFlowLogs,ec2.amazonaws.com,EC2,Describes one or more flow logs.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeFlowLogs to review VPC flow log configurations, aiming to understand what network traffic is being logged.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-flow-logs --filter Name=resource-id,Values=TrailDiscoverResourceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeFlowLogs
-SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": 
""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]",[],"Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey +SendSSHPublicKey,ec2-instance-connect.amazonaws.com,EC2InstanceConnect,Pushes an SSH public key to the specified EC2 instance for use by the specified user.,TA0008 - Lateral Movement,T1021 - Remote Services,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]","Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect""}]",https://aws.permissions.cloud/iam/ec2-instance-connect#ec2-instance-connect-SendSSHPublicKey DescribeSnapshotAttribute,ec2.amazonaws.com,EC2,Describes the specified attribute of the specified snapshot.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": 
""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use DescribeSnapshotAttribute to inspect attributes of EBS snapshots, such as permissions, aiming to find snapshots shared publicly or with broad access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-snapshot-attribute --snapshot-id TrailDiscoverSnapshotId --attribute TrailDiscoverAttribute""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeSnapshotAttribute DescribeVolumesModifications,ec2.amazonaws.com,EC2,Describes the most recent volume modification request for the specified EBS volumes.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use DescribeVolumesModifications to track changes in EBS volumes.,[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-volumes-modifications --volume-ids TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeVolumesModifications DescribeRegions,ec2.amazonaws.com,EC2,"Describes the Regions that are enabled for your account, or all Regions.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use DescribeRegions to identify all available AWS regions, possibly to explore regional deployment patterns and target specific regions where defenses might be 
weaker.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 describe-regions""}]",https://aws.permissions.cloud/iam/ec2#ec2-DescribeRegions 
@@ -245,10 +245,11 @@ CreateDevEndpoint,glue.amazonaws.com,Glue,Creates a new development endpoint.,TA UpdateJob,glue.amazonaws.com,Glue,Updates an existing job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateJob to modify Glue job parameters, potentially disrupting data processing or injecting malicious code.",[],"[{""type"": ""commandLine"", ""value"": ""aws glue update-job --job-name TrailDiscoverJob --job-update '{\""Role\"": \""TrailDiscoverRole\"", \""Command\"": {\""Name\"": \""glueetl\"", \""ScriptLocation\"": \""s3://mybucket/myscript.py\""}}'""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateJob CreateJob,glue.amazonaws.com,Glue,Creates a new job definition.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use CreateJob to create a glue job with a role with higer privileges to gain these privileges.,[],"[{""type"": ""commandLine"", ""value"": ""aws glue create-job --name TrailDiscoverJob --role TrailDiscoverRole --command Name=pythonshell,ScriptLocation=s3://TrailDiscoverBucket/TrailDiscoverScript.py --default-arguments '{\""--job-language\"": \""python\""}'""}]",https://aws.permissions.cloud/iam/glue#glue-CreateJob UpdateDevEndpoint,glue.amazonaws.com,Glue,Updates a specified development endpoint.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateDevEndpoint to modify the settings of a development endpoint, potentially disrupting data processing tasks or gaining 
unauthorized access to data.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws glue update-dev-endpoint --endpoint-name TrailDiscover""}]",https://aws.permissions.cloud/iam/glue#glue-UpdateDevEndpoint -SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand +SendCommand,ssm.amazonaws.com,SSM,Runs commands on one or more managed nodes.,"TA0008 - Lateral Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs 
of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}, {""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use SendCommand to execute malicious commands on managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm send-command --instance-ids \""TrailDiscoverInstanceID\"" --document-name \""AWS-RunShellScript\"" --parameters commands=ls --output text""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command""}]",https://aws.permissions.cloud/iam/ssm#ssm-SendCommand GetParameters,ssm.amazonaws.com,SSM,Get information about one or more parameters by specifying multiple parameter names.,"TA0007 - Discovery, TA0006 - Credential Access","T1526 - Cloud Service Discovery, T1552 - Unsecured Credentials",False,[],"[{""description"": ""Detecting and removing risky actions out of your IAM security policies"", ""link"": ""https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/""}]",Attackers might use GetParameters to gather sensitive information such as api keys or other secrets.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm get-parameters --names TrailDiscoverParameters""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters""}]",https://aws.permissions.cloud/iam/ssm#ssm-GetParameters StartSession,ssm.amazonaws.com,SSM,"Initiates a connection to a target (for example, a managed node) for a Session Manager session.","TA0008 - Lateral 
Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",True,"[{""description"": ""Navigating the Cloud: Exploring Lateral Movement Techniques"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""Run Shell Commands on EC2 with Send Command or Session Manager"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/""}]",Attackers might use StartSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm start-session --target TrailDiscoverTarget""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-start-session""}]",https://aws.permissions.cloud/iam/ssm#ssm-StartSession DescribeInstanceInformation,ssm.amazonaws.com,SSM,"Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.",TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use DescribeInstanceInformation to gather sensitive information about the instances, potentially leading to unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet=TrailDiscoverInstanceIds""}]",https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation +ResumeSession,ssm.amazonaws.com,SSM,Reconnects a session to a managed node after it has been disconnected.,"TA0008 - Lateral 
Movement, TA0002 - Execution","T1021 - Remote Services, T1651 - Cloud Administration Command",False,[],"[{""description"": ""Attack Paths Into VMs in the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/""}]",Attackers might use ResumeSession to gain unauthorized access to managed instances.,[],"[{""type"": ""commandLine"", ""value"": ""aws ssm resume-session --session-id TrailDiscoverTarget""}]",https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession CreateEmailIdentity,ses.amazonaws.com,SES,Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],Attackers use CreateEmailIdentity to create its own identity for sending spam or phishing emails later.,[],"[{""type"": ""commandLine"", ""value"": ""aws sesv2 create-email-identity --email-identity cloudtrail.cloud""}]",https://aws.permissions.cloud/iam/ses#ses-CreateEmailIdentity GetIdentityVerificationAttributes,ses.amazonaws.com,SES,"Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.",TA0007 - Discovery,T1526 - Cloud Service Discovery,True,"[{""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],Attackers might use GetIdentityVerificationAttributes to gather sensitive information about the verification status of email addresses and domains.,[],"[{""type"": ""commandLine"", ""value"": ""aws ses get-identity-verification-attributes --identities TrailDiscoverIdentity""}]",https://aws.permissions.cloud/iam/ses#ses-GetIdentityVerificationAttributes UpdateAccountSendingEnabled,ses.amazonaws.com,SES,Enables or disables email 
sending across your entire Amazon SES account in the current AWS Region.,TA0040 - Impact,T1496 - Resource Hijacking,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""SES-PIONAGE"", ""link"": ""https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/""}]",[],"Attackers might use UpdateAccountSendingEnabled to enable sending from compromised AWS accounts, facilitating spam or phishing campaigns.",[],"[{""type"": ""commandLine"", ""value"": ""aws ses update-account-sending-enabled""}]",https://aws.permissions.cloud/iam/ses#ses-UpdateAccountSendingEnabled
diff --git a/docs/events.json b/docs/events.json
index 87a5954..9b621f9 100644
--- a/docs/events.json
+++ b/docs/events.json
@@ -6144,6 +6144,10 @@
 {
 "description": "User Data Script Persistence",
 "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.",
@@ -6216,6 +6220,10 @@
 {
 "description": "How to detect EC2 Serial Console enabled",
 "link": "https://sysdig.com/blog/ec2-serial-console-enabled/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.",
@@ -6384,6 +6392,10 @@
 {
 "description": "Executing commands through EC2 user data",
 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.",
@@ -7132,6 +7144,10 @@
 {
 "description": "Executing commands through EC2 user data",
 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.",
@@ -7363,7 +7379,12 @@
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
 }
 ],
- "researchLinks": [],
+ "researchLinks": [
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+ }
+ ],
 "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",
 "alerting": [],
 "simulation": [
@@ -8622,6 +8643,10 @@
 {
 "description": "Run Shell Commands on EC2 with Send Command or Session Manager",
 "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.",
@@ -8746,6 +8771,37 @@
 ],
 "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-DescribeInstanceInformation"
 },
+ {
+ "eventName": "ResumeSession",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Reconnects a session to a managed node after it has been disconnected.",
+ "mitreAttackTactics": [
+ "TA0008 - Lateral Movement",
+ "TA0002 - Execution"
+ ],
+ "mitreAttackTechniques": [
+ "T1021 - Remote Services",
+ "T1651 - Cloud Administration Command"
+ ],
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+ }
+ ],
+ "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ssm resume-session --session-id TrailDiscoverTarget"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"
+ },
 {
 "eventName": "CreateEmailIdentity",
 "eventSource": "ses.amazonaws.com",
diff --git a/events/EC2/EnableSerialConsoleAccess.json b/events/EC2/EnableSerialConsoleAccess.json
index da49d96..521a589 100644
--- a/events/EC2/EnableSerialConsoleAccess.json
+++ b/events/EC2/EnableSerialConsoleAccess.json
@@ -20,6 +20,10 @@
 {
 "description": "How to detect EC2 Serial Console enabled",
 "link": "https://sysdig.com/blog/ec2-serial-console-enabled/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use EnableSerialConsoleAccess to enable the serial console access and bypass security group rules and gain access to EC2 instances.",
diff --git a/events/EC2/ModifyInstanceAttribute.json b/events/EC2/ModifyInstanceAttribute.json
index 94b4250..2fbeebb 100644
--- a/events/EC2/ModifyInstanceAttribute.json
+++ b/events/EC2/ModifyInstanceAttribute.json
@@ -27,6 +27,10 @@
 {
 "description": "User Data Script Persistence",
 "link": "https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use ModifyInstanceAttribute to change configurations of EC2 instances or overwrite the user data of an EC2 instance to have it execute malicious commands when the instance starts.",
diff --git a/events/EC2/SendSSHPublicKey.json b/events/EC2/SendSSHPublicKey.json
index 2ddbd5e..7e5a468 100644
--- a/events/EC2/SendSSHPublicKey.json
+++ b/events/EC2/SendSSHPublicKey.json
@@ -20,7 +20,12 @@
 "link": "https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/"
 }
 ],
- "researchLinks": [],
+ "researchLinks": [
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+ }
+ ],
 "securityImplications": "Attackers might use SendSSHPublicKey to inject unauthorized SSH keys into EC2 instances, granting them access for remote control.",
 "alerting": [],
 "simulation": [
diff --git a/events/EC2/StartInstances.json b/events/EC2/StartInstances.json
index e68d902..7f6f39c 100644
--- a/events/EC2/StartInstances.json
+++ b/events/EC2/StartInstances.json
@@ -22,6 +22,10 @@
 {
 "description": "Executing commands through EC2 user data",
 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use StartInstances to reactivate dormant EC2 instances or after having modified the user data for execution of commands.",
diff --git a/events/EC2/StopInstances.json b/events/EC2/StopInstances.json
index faa7459..46fbc7b 100644
--- a/events/EC2/StopInstances.json
+++ b/events/EC2/StopInstances.json
@@ -22,6 +22,10 @@
 {
 "description": "Executing commands through EC2 user data",
 "link": "https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use StopInstances to avoid being detected or to do changes that will be executed when the EC2 is started.",
diff --git a/events/SSM/ResumeSession.json b/events/SSM/ResumeSession.json
new file mode 100644
index 0000000..c7d3da4
--- /dev/null
+++ b/events/SSM/ResumeSession.json
@@ -0,0 +1,31 @@
+{
+ "eventName": "ResumeSession",
+ "eventSource": "ssm.amazonaws.com",
+ "awsService": "SSM",
+ "description": "Reconnects a session to a managed node after it has been disconnected.",
+ "mitreAttackTactics": [
+ "TA0008 - Lateral Movement",
+ "TA0002 - Execution"
+ ],
+ "mitreAttackTechniques": [
+ "T1021 - Remote Services",
+ "T1651 - Cloud Administration Command"
+ ],
+ "usedInWild": false,
+ "incidents": [],
+ "researchLinks": [
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
+ }
+ ],
+ "securityImplications": "Attackers might use ResumeSession to gain unauthorized access to managed instances.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws ssm resume-session --session-id TrailDiscoverTarget"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/ssm#ssm-ResumeSession"
+}
\ No newline at end of file
diff --git a/events/SSM/SendCommand.json b/events/SSM/SendCommand.json
index 937523c..e88931f 100644
--- a/events/SSM/SendCommand.json
+++ b/events/SSM/SendCommand.json
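Review bot: The `securityImplications` string in the new events/SSM/ResumeSession.json overstates the call: by the file's own `description` it only reconnects a session that was already established and then disconnected, so on its own it cannot grant access — it needs a session ID produced by an earlier StartSession. I would rewrite it as `"securityImplications": "Attackers might use ResumeSession to reattach to a disconnected Session Manager session by its session ID, reconnecting to a managed node without emitting a new StartSession event; if the ResumeSession permission is not scoped to the caller's own session IDs, it may also allow attaching to a session another principal left disconnected."` — the last clause is inferred from the IAM model (AWS's sample Session Manager policies restrict ResumeSession/TerminateSession by session-ID prefix) and should be checked against the AWS docs before committing it. The simulation placeholder `TrailDiscoverTarget` names an instance target rather than a session ID; `aws ssm resume-session --session-id TrailDiscoverSessionId` matches the `TrailDiscoverInstanceId`/`TrailDiscoverSnapshotId` convention used elsewhere in the corpus and makes it obvious that a preceding `aws ssm start-session` is required for the simulation to run. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the sibling event files edited in this commit.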
@@ -26,6 +26,10 @@
 {
 "description": "Run Shell Commands on EC2 with Send Command or Session Manager",
 "link": "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/"
+ },
+ {
+ "description": "Attack Paths Into VMs in the Cloud",
+ "link": "https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/"
 }
 ],
 "securityImplications": "Attackers might use SendCommand to execute malicious commands on managed instances.",