New events: Datadog threat roundup: top insights for Q4 2024 (#27)

* update events and add new events from pepperclipp blog post * update events and add new events from datadog 2024-q4-threat-roundup
adanalvarez · Feb 15, 2025 · 6b702dc · 6b702dc
1 parent e575af3
commit 6b702dc
Show file tree

Hide file tree

Showing 19 changed files with 1,859 additions and 1,063 deletions.
diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
diff --git a/docs/events.csv b/docs/events.csv
diff --git a/docs/events.json b/docs/events.json
@@ -3706,6 +3706,37 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy"
     },
+    {
+        "eventName": "ListUserPolicies",
+        "eventSource": "iam.amazonaws.com",
+        "awsService": "IAM",
+        "description": "Lists the names of the inline policies embedded in the specified IAM user.",
+        "mitreAttackTactics": [
+            "TA0007 - Discovery"
+        ],
+        "mitreAttackTechniques": [
+            "T1087 - Account Discovery"
+        ],
+        "mitreAttackSubTechniques": [],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": true,
+        "incidents": [
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
+            }
+        ],
+        "researchLinks": [],
+        "securityImplications": "Attackers might use ListUserPolicies to identify permissions associated with various users in AWS.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws iam list-user-policies --user-name TrailDiscover"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUserPolicies"
+    },
     {
         "eventName": "UpdateLoginProfile",
         "eventSource": "iam.amazonaws.com",
@@ -4077,6 +4108,10 @@
             {
                 "description": "Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments",
                 "link": "https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [
@@ -4350,6 +4385,39 @@
         ],
         "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy"
     },
+    {
+        "eventName": "ListAttachedUserPolicies",
+        "eventSource": "iam.amazonaws.com",
+        "awsService": "IAM",
+        "description": "Lists all managed policies that are attached to the specified IAM user.",
+        "mitreAttackTactics": [
+            "TA0007 - Discovery"
+        ],
+        "mitreAttackTechniques": [
+            "T1087 - Account Discovery"
+        ],
+        "mitreAttackSubTechniques": [
+            "T1087.004 - Account Discovery: Cloud Account"
+        ],
+        "unverifiedMitreAttackTechniques": [],
+        "usedInWild": true,
+        "incidents": [
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
+            }
+        ],
+        "researchLinks": [],
+        "securityImplications": "Attackers might use ListAttachedUserPolicies to identify and exploit permissions associated with various users in AWS.",
+        "alerting": [],
+        "simulation": [
+            {
+                "type": "commandLine",
+                "value": "aws iam list-attached-user-policies --user-name TrailDiscover"
+            }
+        ],
+        "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedUserPolicies"
+    },
     {
         "eventName": "ListRoles",
         "eventSource": "iam.amazonaws.com",
@@ -4689,6 +4757,10 @@
             {
                 "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets",
                 "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -5265,6 +5337,10 @@
             {
                 "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild",
                 "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -9248,6 +9324,10 @@
             {
                 "description": "New Developments in LLM Hijacking Activity",
                 "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -9257,6 +9337,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel"
@@ -9417,6 +9501,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement"
@@ -9516,6 +9604,10 @@
             {
                 "description": "New Developments in LLM Hijacking Activity",
                 "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -9525,6 +9617,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess"
@@ -9560,6 +9656,10 @@
             {
                 "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying",
                 "link": "https://permiso.io/blog/exploiting-hosted-models"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -9569,6 +9669,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability"
@@ -9612,6 +9716,10 @@
             {
                 "description": "Detecting AI resource-hijacking with Composite Alerts",
                 "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+            },
+            {
+                "description": "Datadog threat roundup: top insights for Q4 2024",
+                "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
             }
         ],
         "researchLinks": [],
@@ -9665,6 +9773,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers"
@@ -9769,6 +9881,10 @@
             {
                 "type": "commandLine",
                 "value": "N/A"
+            },
+            {
+                "type": "stratusRedTeam",
+                "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
             }
         ],
         "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement"

diff --git a/docs/logExamples/ListAttachedUserPolicies.json.cloudtrail b/docs/logExamples/ListAttachedUserPolicies.json.cloudtrail
@@ -0,0 +1,49 @@
+[
+   {
+      "awsRegion": "us-east-1",
+      "errorCode": "NoSuchEntityException",
+      "errorMessage": "The user with name TrailDiscover cannot be found.",
+      "eventCategory": "Management",
+      "eventID": "9a396e10-d67f-4f05-9f32-859ae5cade36",
+      "eventName": "ListAttachedUserPolicies",
+      "eventSource": "iam.amazonaws.com",
+      "eventTime": "2025-02-15T15:40:57Z",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.10",
+      "managementEvent": true,
+      "readOnly": true,
+      "recipientAccountId": "345594607949",
+      "requestID": "20de2ce1-33ee-4bb4-943b-2ff84ecfda78",
+      "requestParameters": {
+         "userName": "TrailDiscover"
+      },
+      "responseElements": null,
+      "sourceIPAddress": "46.6.38.8",
+      "tlsDetails": {
+         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+         "clientProvidedHostHeader": "iam.amazonaws.com",
+         "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_2801d487-3878-4c1f-983f-84915804c148 cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-attached-user-policies",
+      "userIdentity": {
+         "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+         "accountId": "345594607949",
+         "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+         "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+         "sessionContext": {
+            "attributes": {
+               "creationDate": "2025-02-15T14:50:08Z",
+               "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+               "accountId": "345594607949",
+               "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+               "principalId": "AROAVA5YLHFGXTTEWKGQX",
+               "type": "Role",
+               "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+            }
+         },
+         "type": "AssumedRole"
+      }
+   }
+]
diff --git a/docs/logExamples/ListUserPolicies.json.cloudtrail b/docs/logExamples/ListUserPolicies.json.cloudtrail
@@ -0,0 +1,49 @@
+[
+   {
+      "awsRegion": "us-east-1",
+      "errorCode": "NoSuchEntityException",
+      "errorMessage": "The user with name TrailDiscover cannot be found.",
+      "eventCategory": "Management",
+      "eventID": "0da25550-3bef-4363-b108-ce251458810b",
+      "eventName": "ListUserPolicies",
+      "eventSource": "iam.amazonaws.com",
+      "eventTime": "2025-02-15T15:43:34Z",
+      "eventType": "AwsApiCall",
+      "eventVersion": "1.10",
+      "managementEvent": true,
+      "readOnly": true,
+      "recipientAccountId": "345594607949",
+      "requestID": "defb94d0-1b25-4aff-a0c7-4a504d404c51",
+      "requestParameters": {
+         "userName": "TrailDiscover"
+      },
+      "responseElements": null,
+      "sourceIPAddress": "46.6.38.8",
+      "tlsDetails": {
+         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+         "clientProvidedHostHeader": "iam.amazonaws.com",
+         "tlsVersion": "TLSv1.3"
+      },
+      "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_6d40e0be-ce78-4b14-9c52-518635abb5cb cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-user-policies",
+      "userIdentity": {
+         "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+         "accountId": "345594607949",
+         "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+         "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+         "sessionContext": {
+            "attributes": {
+               "creationDate": "2025-02-15T14:50:08Z",
+               "mfaAuthenticated": "false"
+            },
+            "sessionIssuer": {
+               "accountId": "345594607949",
+               "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+               "principalId": "AROAVA5YLHFGXTTEWKGQX",
+               "type": "Role",
+               "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+            }
+         },
+         "type": "AssumedRole"
+      }
+   }
+]
diff --git a/events/Bedrock/CreateFoundationModelAgreement.json b/events/Bedrock/CreateFoundationModelAgreement.json
@@ -38,6 +38,10 @@
         {
             "type": "commandLine",
             "value": "N/A"
+        },
+        {
+            "type": "stratusRedTeam",
+            "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
         }
     ],
     "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement"

diff --git a/events/Bedrock/GetFoundationModelAvailability.json b/events/Bedrock/GetFoundationModelAvailability.json
@@ -29,6 +29,10 @@
         {
             "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying",
             "link": "https://permiso.io/blog/exploiting-hosted-models"
+        },
+        {
+            "description": "Datadog threat roundup: top insights for Q4 2024",
+            "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
         }
     ],
     "researchLinks": [],
@@ -38,6 +42,10 @@
         {
             "type": "commandLine",
             "value": "N/A"
+        },
+        {
+            "type": "stratusRedTeam",
+            "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
         }
     ],
     "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability"

diff --git a/events/Bedrock/InvokeModel.json b/events/Bedrock/InvokeModel.json
@@ -47,6 +47,10 @@
         {
             "description": "New Developments in LLM Hijacking Activity",
             "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws"
+        },
+        {
+            "description": "Datadog threat roundup: top insights for Q4 2024",
+            "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
         }
     ],
     "researchLinks": [],
@@ -56,6 +60,10 @@
         {
             "type": "commandLine",
             "value": "N/A"
+        },
+        {
+            "type": "stratusRedTeam",
+            "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
         }
     ],
     "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel"

diff --git a/events/Bedrock/ListFoundationModelAgreementOffers.json b/events/Bedrock/ListFoundationModelAgreementOffers.json
@@ -38,6 +38,10 @@
         {
             "type": "commandLine",
             "value": "N/A"
+        },
+        {
+            "type": "stratusRedTeam",
+            "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model"
         }
     ],
     "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers"

diff --git a/events/Bedrock/ListFoundationModels.json b/events/Bedrock/ListFoundationModels.json
@@ -37,6 +37,10 @@
         {
             "description": "Detecting AI resource-hijacking with Composite Alerts",
             "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts"
+        },
+        {
+            "description": "Datadog threat roundup: top insights for Q4 2024",
+            "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
         }
     ],
     "researchLinks": [],