Vendor: Amazon

Product: AWS CloudTrail

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
138	78	29	78	24

Use-Case	Activity Types(Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	app-activity:success(app-activity) ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-cef-app-activity-assumedrole ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsapicall app-login:success(app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin vpn-login:success(authentication-successful) ↳amazon-awscloudtrail-json-app-success-activityauthentication app-login:fail(failed-app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1133 - External Remote Services	15 Rules 4 Models
Account Manipulation	app-activity:success(app-activity) ↳amazon-awscloudtrail-cef-app-activity-awsapicall ↳amazon-awscloudtrail-cef-app-activity-assumedrole ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials ↳amazon-awscloudtrail-json-app-activity-success-awsapicall	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Cryptomining	endpoint-create:success(aws-instance-create) ↳amazon-awscloudtrail-json-endpoint-create-runinstances	T1074 - Data Staged T1496 - Resource Hijacking	1 Rules 1 Models
Lateral Movement	app-login:success(app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin vpn-login:success(authentication-successful) ↳amazon-awscloudtrail-json-app-success-activityauthentication app-login:fail(failed-app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Ransomware	app-login:success(app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin vpn-login:success(authentication-successful) ↳amazon-awscloudtrail-json-app-success-activityauthentication app-login:fail(failed-app-login) ↳amazon-awscloudtrail-json-app-login-awsconsolesignin	T1078 - Valid Accounts	2 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Valid Accounts: Cloud Accounts Exploit Public Fasing Application	User Execution	Boot or Logon Initialization Scripts External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Boot or Logon Initialization Scripts Valid Accounts	Valid Accounts Unused/Unsupported Cloud Regions		Account Discovery		Screen Capture Data from Information Repositories Email Collection Data from Cloud Storage Object Data Staged Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy		Resource Hijacking

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ds_amazon_aws_cloudtrail.md

ds_amazon_aws_cloudtrail.md

Vendor: Amazon

Product: AWS CloudTrail

MITRE ATT&CK® Framework for Enterprise

Files

ds_amazon_aws_cloudtrail.md

Latest commit

History

ds_amazon_aws_cloudtrail.md

File metadata and controls

Vendor: Amazon

Product: AWS CloudTrail

MITRE ATT&CK® Framework for Enterprise