From 6b702dcfdc254a713c9aa94ff73cfa995b1d5995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adan=20=C3=81lvarez?=
Date: Sat, 15 Feb 2025 16:57:31 +0100
Subject: [PATCH] New events: Datadog threat roundup: top insights for Q4 2024 (#27)
* update events and add new events from pepperclipp blog post
* update events and add new events from datadog 2024-q4-threat-roundup
---
docs/datadog_dashboard.json | 2472 ++++++++++-------
docs/events.csv | 22 +-
docs/events.json | 116 +
.../ListAttachedUserPolicies.json.cloudtrail | 49 +
.../ListUserPolicies.json.cloudtrail | 49 +
.../CreateFoundationModelAgreement.json | 4 +
.../GetFoundationModelAvailability.json | 8 +
events/Bedrock/InvokeModel.json | 8 +
.../ListFoundationModelAgreementOffers.json | 4 +
events/Bedrock/ListFoundationModels.json | 4 +
.../PutFoundationModelEntitlement.json | 4 +
events/Bedrock/PutUseCaseForModelAccess.json | 8 +
events/IAM/GetUser.json | 4 +
events/IAM/ListAttachedUserPolicies.json | 33 +
.../ListAttachedUserPolicies.json.cloudtrail | 49 +
events/IAM/ListRolePolicies.json | 4 +
events/IAM/ListUserPolicies.json | 31 +
events/IAM/ListUserPolicies.json.cloudtrail | 49 +
events/IAM/ListUsers.json | 4 +
19 files changed, 1859 insertions(+), 1063 deletions(-)
create mode 100644 docs/logExamples/ListAttachedUserPolicies.json.cloudtrail
create mode 100644 docs/logExamples/ListUserPolicies.json.cloudtrail
create mode 100644 events/IAM/ListAttachedUserPolicies.json
create mode 100644 events/IAM/ListAttachedUserPolicies.json.cloudtrail
create mode 100644 events/IAM/ListUserPolicies.json
create mode 100644 events/IAM/ListUserPolicies.json.cloudtrail
diff --git a/docs/datadog_dashboard.json b/docs/datadog_dashboard.json
index 9c856ca..fba27c4 100644
--- a/docs/datadog_dashboard.json
+++ b/docs/datadog_dashboard.json
@@ -106,7 +106,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR CreateStack OR Publish OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR Invoke OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR GenerateDataKeyWithoutPlaintext OR ScheduleKeyDeletion OR Encrypt OR PutObject OR PutBucketVersioning OR PutBucketLifecycle OR DeleteBucket OR DeleteObject OR InvokeModel OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR CreateFoundationModelAgreement OR DeleteVolume OR StartInstances OR CreateDefaultVpc OR TerminateInstances OR StopInstances OR DeleteSnapshot OR RunInstances OR DeleteGlobalCluster OR DeleteDBCluster OR DeleteDBInstance OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR VerifyEmailIdentity OR RegisterTaskDefinition OR CreateService OR CreateCluster OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR CreateStack OR Publish OR CreateFunction20150331 OR UpdateFunctionCode20150331v2 OR Invoke OR DeleteFileSystem OR DeleteMountTarget OR DeleteRule OR RemoveTargets OR DisableRule OR PutRule OR CreateInstances OR GenerateDataKeyWithoutPlaintext OR PutKeyPolicy OR ScheduleKeyDeletion OR Encrypt OR CreateKey OR PutObject OR PutBucketVersioning OR PutBucketLifecycle OR DeleteBucket OR PutBucketEncryption OR DeleteObject OR InvokeModel OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR CreateFoundationModelAgreement OR DeleteVolume OR StartInstances OR CreateDefaultVpc OR TerminateInstances OR StopInstances OR DeleteSnapshot OR RunInstances OR DeleteGlobalCluster OR DeleteDBCluster OR DeleteDBInstance OR CreateEmailIdentity OR UpdateAccountSendingEnabled OR 
VerifyEmailIdentity OR RegisterTaskDefinition OR CreateService OR CreateCluster OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" 
@@ -121,7 +121,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:(ListDomains OR GetHostedZoneCount OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR GetCallerIdentity OR ListTopics OR ListSubscriptions OR ListOriginationNumbers OR GetSMSAttributes OR GetSMSSandboxAccountStatus OR IssueCertificate OR GetCertificate OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR GetQueryResults OR ListTargetsByRule OR ListRules OR GetInstances OR GetRegions OR GetCostAndUsage OR ListGroupsForUser OR ListAccessKeys OR SimulatePrincipalPolicy OR GetAccountAuthorizationDetails OR ListGroups OR ListUsers OR ListRoles OR ListSAMLProviders OR GetUser OR ListAttachedRolePolicies OR ListServiceSpecificCredentials OR ListRolePolicies OR ListSigningCertificates OR ListInstanceProfiles OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR GetLoginProfile OR DescribeLoadBalancers OR DescribeListeners OR ListAssociatedAccessPolicies OR ListClusters OR DescribeAccessEntry OR DescribeCluster OR Search OR LookupEvents OR GetIntrospectionSchema OR GetBucketVersioning OR GetBucketAccelerateConfiguration OR GetBucketLogging OR GetObjectLockConfiguration OR GetBucketPolicy OR GetBucketOwnershipControls OR ListBuckets OR GetBucketReplication OR GetBucketLocation OR GetBucketAcl OR HeadObject OR ListVaults OR GetBucketLifecycle OR GetPublicAccessBlock OR GetBucketTagging OR GetBucketRequestPayment OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR GetConsoleScreenshot OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR DescribeAvailabilityZones OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR 
DescribeCarrierGateways OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR DescribeInstanceAttribute OR DescribeDhcpOptions OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DescribeSecurityGroups OR DescribeVpcs OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR GetParameters OR DescribeInstanceInformation OR ListEmailIdentities OR GetIdentityVerificationAttributes OR GetAccountSendingEnabled OR ListIdentities OR GetSendQuota OR GetAccount OR GetFindings OR ListFindings OR ListDetectors OR GetDetector OR ListIPSets OR ListServiceQuotas) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(ListDomains OR GetHostedZoneCount OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR GetCallerIdentity OR ListTopics OR ListSubscriptions OR ListOriginationNumbers OR GetSMSAttributes OR GetSMSSandboxAccountStatus OR IssueCertificate OR GetCertificate OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR GetQueryResults OR ListTargetsByRule OR ListRules OR GetInstances OR GetRegions OR GetCostAndUsage OR ListGroupsForUser OR ListAccessKeys OR ListUserPolicies OR SimulatePrincipalPolicy OR GetAccountAuthorizationDetails OR ListGroups OR ListUsers OR ListAttachedUserPolicies OR ListRoles OR ListSAMLProviders OR GetUser OR ListAttachedRolePolicies OR ListServiceSpecificCredentials OR ListRolePolicies OR ListSigningCertificates OR ListInstanceProfiles OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR GetLoginProfile OR DescribeLoadBalancers OR DescribeListeners OR ListAssociatedAccessPolicies OR ListClusters OR DescribeAccessEntry OR DescribeCluster OR Search OR DescribeKey OR LookupEvents OR GetIntrospectionSchema OR GetBucketVersioning OR 
GetBucketAccelerateConfiguration OR GetBucketLogging OR GetObjectLockConfiguration OR GetBucketPolicy OR GetBucketOwnershipControls OR ListBuckets OR GetBucketReplication OR GetBucketLocation OR GetBucketAcl OR HeadObject OR ListVaults OR GetBucketLifecycle OR GetPublicAccessBlock OR GetBucketTagging OR GetBucketRequestPayment OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR GetConsoleScreenshot OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR DescribeAvailabilityZones OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR DescribeCarrierGateways OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR DescribeInstanceAttribute OR DescribeDhcpOptions OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DescribeSecurityGroups OR DescribeVpcs OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR GetParameters OR DescribeInstanceInformation OR ListEmailIdentities OR GetIdentityVerificationAttributes OR GetAccountSendingEnabled OR ListIdentities OR GetSendQuota OR GetAccount OR GetFindings OR ListFindings OR ListDetectors OR GetDetector OR ListIPSets OR ListServiceQuotas) $userIdentity.arn $network.client.ip $account" }, "group_by": [], "storage": "hot" 
@@ -309,7 +309,7 @@ } ], "search": { - "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR InviteAccountToOrganization OR CreateAccount OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR CreateStack OR GetFederationToken OR GetSessionToken OR AssumeRole OR GetCallerIdentity OR GetSMSAttributes OR Publish OR GetSMSSandboxAccountStatus OR PutLogEvents OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR CreateLogStream OR PasswordRecoveryRequested OR SwitchRole OR ConsoleLogin OR GetSigninToken OR CreateFunction20150331 OR Invoke OR GetQueryResults OR PutTargets OR PutRule OR CreateInstances OR GetCostAndUsage OR ListGroupsForUser OR CreateSAMLProvider OR ListAccessKeys OR DetachRolePolicy OR UpdateLoginProfile OR SimulatePrincipalPolicy OR CreatePolicy OR ListGroups OR ListUsers OR CreateAccessKey OR DeleteUserPolicy OR ListRoles OR StartSSO OR ListSAMLProviders OR GetUser OR DeleteAccessKey OR DeleteUser OR AttachRolePolicy OR CreateOpenIDConnectProvider OR AttachUserPolicy OR ListAttachedRolePolicies OR PutUserPolicy OR ListServiceSpecificCredentials OR ListRolePolicies OR CreateLoginProfile OR CreateUser OR ListSigningCertificates OR ListInstanceProfiles OR DetachUserPolicy OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR CreateRole OR DeleteLoginProfile OR GetLoginProfile OR GetSecretValue OR DescribeSecret OR ListSecrets OR CreateUser OR CreateServer OR Search OR GenerateDataKeyWithoutPlaintext OR Encrypt OR LookupEvents OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR PutObject OR GetBucketVersioning OR PutBucketVersioning OR GetBucketAccelerateConfiguration OR GetBucketLogging OR GetObjectLockConfiguration OR GetBucketPolicy OR GetBucketOwnershipControls OR ListBuckets OR GetBucketReplication OR GetObject OR GetBucketLocation OR PutBucketLifecycle OR DeleteBucket OR GetBucketAcl OR HeadObject OR ListVaults OR GetBucketLifecycle OR 
GetPublicAccessBlock OR GetBucketTagging OR DeleteObject OR GetBucketRequestPayment OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR CreateFoundationModelAgreement OR GetConsoleScreenshot OR DeleteVolume OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR EnableSerialConsoleAccess OR DescribeAvailabilityZones OR GetPasswordData OR CreateVolume OR StartInstances OR CreateSecurityGroup OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR ModifySnapshotAttribute OR CreateDefaultVpc OR DeleteFlowLogs OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR CreateKeyPair OR SharedSnapshotCopyInitiated OR DescribeCarrierGateways OR TerminateInstances OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR StopInstances OR DescribeInstanceAttribute OR DescribeDhcpOptions OR AuthorizeSecurityGroupIngress OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR SendSSHPublicKey OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DeleteSnapshot OR SharedSnapshotVolumeCreated OR CreateSnapshot OR ReplaceIamInstanceProfileAssociation OR RunInstances OR DescribeSecurityGroups OR DescribeVpcs OR AttachVolume OR ImportKeyPair OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR CreateImage OR AuthorizeSecurityGroupEgress OR SendSerialConsoleSSHPublicKey OR ModifyDBSnapshotAttribute OR DeleteDBCluster OR DeleteDBInstance OR CreateDBSnapshot OR ModifyActivityStream OR SendCommand OR StartSession OR DescribeInstanceInformation OR ListEmailIdentities OR CreateEmailIdentity OR 
GetIdentityVerificationAttributes OR UpdateAccountSendingEnabled OR GetAccountSendingEnabled OR ListIdentities OR GetSendQuota OR VerifyEmailIdentity OR GetAccount OR DeleteIdentity OR DeleteInvitations OR GetFindings OR ListFindings OR ListDetectors OR DeleteDetector OR GetDetector OR DisassociateFromMasterAccount OR RegisterTaskDefinition OR CreateService OR CreateCluster OR ListServiceQuotas OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:(ChangeResourceRecordSets OR RegisterDomain OR CreateHostedZone OR InviteAccountToOrganization OR CreateAccount OR DescribeOrganization OR ListOrganizationalUnitsForParent OR ListAccounts OR CreateStack OR GetFederationToken OR GetSessionToken OR AssumeRole OR GetCallerIdentity OR GetSMSAttributes OR Publish OR GetSMSSandboxAccountStatus OR PutLogEvents OR DescribeLogGroups OR DescribeSubscriptionFilters OR DescribeLogStreams OR GetLogRecord OR CreateLogStream OR PasswordRecoveryRequested OR SwitchRole OR ConsoleLogin OR GetSigninToken OR CreateFunction20150331 OR Invoke OR GetQueryResults OR PutTargets OR PutRule OR CreateInstances OR GetCostAndUsage OR ListGroupsForUser OR CreateSAMLProvider OR ListAccessKeys OR DetachRolePolicy OR ListUserPolicies OR UpdateLoginProfile OR SimulatePrincipalPolicy OR CreatePolicy OR ListGroups OR ListUsers OR CreateAccessKey OR DeleteUserPolicy OR ListAttachedUserPolicies OR ListRoles OR StartSSO OR ListSAMLProviders OR GetUser OR DeleteAccessKey OR DeleteUser OR AttachRolePolicy OR CreateOpenIDConnectProvider OR AttachUserPolicy OR ListAttachedRolePolicies OR PutUserPolicy OR ListServiceSpecificCredentials OR ListRolePolicies OR CreateLoginProfile OR CreateUser OR ListSigningCertificates OR ListInstanceProfiles OR DetachUserPolicy OR ListSSHPublicKeys OR ListOpenIDConnectProviders OR CreateRole OR DeleteLoginProfile OR GetLoginProfile OR GetSecretValue OR DescribeSecret OR ListSecrets OR CreateUser OR CreateServer OR 
Search OR GenerateDataKeyWithoutPlaintext OR Encrypt OR LookupEvents OR UpdateTrail OR DeleteTrail OR PutEventSelectors OR PutObject OR GetBucketVersioning OR PutBucketVersioning OR GetBucketAccelerateConfiguration OR GetBucketLogging OR GetObjectLockConfiguration OR GetBucketPolicy OR GetBucketOwnershipControls OR ListBuckets OR GetBucketReplication OR GetObject OR GetBucketLocation OR PutBucketLifecycle OR DeleteBucket OR GetBucketAcl OR HeadObject OR ListVaults OR GetBucketLifecycle OR GetPublicAccessBlock OR GetBucketTagging OR DeleteObject OR GetBucketRequestPayment OR ListObjects OR InvokeModel OR GetUseCaseForModelAccess OR ListProvisionedModelThroughputs OR PutFoundationModelEntitlement OR InvokeModelWithResponseStream OR PutUseCaseForModelAccess OR GetFoundationModelAvailability OR ListFoundationModels OR ListFoundationModelAgreementOffers OR GetModelInvocationLoggingConfiguration OR CreateFoundationModelAgreement OR GetConsoleScreenshot OR DeleteVolume OR DescribeSnapshotTierStatus OR DescribeImages OR GetEbsDefaultKmsKeyId OR EnableSerialConsoleAccess OR DescribeAvailabilityZones OR GetPasswordData OR CreateVolume OR StartInstances OR CreateSecurityGroup OR DescribeInstances OR GetTransitGatewayRouteTableAssociations OR ModifySnapshotAttribute OR CreateDefaultVpc OR DeleteFlowLogs OR GetLaunchTemplateData OR DescribeKeyPairs OR GetEbsEncryptionByDefault OR CreateKeyPair OR SharedSnapshotCopyInitiated OR DescribeCarrierGateways OR TerminateInstances OR GetFlowLogsIntegrationTemplate OR DescribeTransitGatewayMulticastDomains OR StopInstances OR DescribeInstanceAttribute OR DescribeDhcpOptions OR AuthorizeSecurityGroupIngress OR DescribeVpcEndpointConnectionNotifications OR DescribeFlowLogs OR SendSSHPublicKey OR DescribeSnapshotAttribute OR DescribeVolumesModifications OR DescribeRegions OR DeleteSnapshot OR SharedSnapshotVolumeCreated OR CreateSnapshot OR ReplaceIamInstanceProfileAssociation OR RunInstances OR DescribeSecurityGroups OR DescribeVpcs OR 
AttachVolume OR ImportKeyPair OR DescribeBundleTasks OR DescribeAccountAttributes OR DescribeVolumes OR DescribeInstanceTypes OR DescribeClientVpnRoutes OR GetLaunchTemplateData OR CreateImage OR AuthorizeSecurityGroupEgress OR SendSerialConsoleSSHPublicKey OR ModifyDBSnapshotAttribute OR DeleteDBCluster OR DeleteDBInstance OR CreateDBSnapshot OR ModifyActivityStream OR SendCommand OR StartSession OR DescribeInstanceInformation OR ListEmailIdentities OR CreateEmailIdentity OR GetIdentityVerificationAttributes OR UpdateAccountSendingEnabled OR GetAccountSendingEnabled OR ListIdentities OR GetSendQuota OR VerifyEmailIdentity OR GetAccount OR DeleteIdentity OR DeleteInvitations OR GetFindings OR ListFindings OR ListDetectors OR DeleteDetector OR GetDetector OR DisassociateFromMasterAccount OR RegisterTaskDefinition OR CreateService OR CreateCluster OR ListServiceQuotas OR RequestServiceQuotaIncrease) $userIdentity.arn $network.client.ip $account" } } ], @@ -361,7 +361,7 @@ } }, { - "id": 3156000549, + "id": 2527330596, "definition": { "type": "group", "layout_type": "ordered", @@ -370,7 +370,7 @@ "show_title": true, "widgets": [ { - "id": 1011520161, + "id": 2634246708, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -389,7 +389,7 @@ } }, { - "id": 2201771567, + "id": 2429752757, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", 
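Review bot: The KMS and S3 events this commit adds to the first widget query (PutKeyPolicy, CreateKey and PutBucketEncryption in the hunk at line 106, DescribeKey in the hunk at line 121) are missing from this widget's query, whereas the two new IAM events (ListUserPolicies, ListAttachedUserPolicies) were propagated to all three lists. If the three query strings are generated from docs/events.json, this reflects how the new entries are categorised there and is worth confirming against the source data; if they are hand-maintained, this list should be extended in the same way, e.g. `... OR Encrypt OR CreateKey OR PutKeyPolicy OR DescribeKey OR LookupEvents ...` and `... OR PutBucketVersioning OR PutBucketEncryption OR ...`. The widget definition enclosing this query starts and ends outside the hunk, and the remaining hunks in this file only renumber generated widget ids.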
@@ -431,7 +431,7 @@ } }, { - "id": 571619006, + "id": 406832293, "definition": { "type": "note", "content": "### [GetSessionToken](https://traildiscover.cloud/#STS-GetSessionToken)\n\n**Description:** Returns a set of temporary credentials for an AWS account or IAM user.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [AWS STS GetSessionToken Abuse](https://www.elastic.co/guide/en/security/7.17/aws-sts-getsessiontoken-abuse.html)\n", @@ -450,7 +450,7 @@ } }, { - "id": 3909354060, + "id": 102999455, "definition": { "title": "GetSessionToken", "title_size": "16", @@ -492,7 +492,7 @@ } }, { - "id": 772640080, + "id": 2290964487, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -511,7 +511,7 @@ } }, { - "id": 4110375134, + "id": 2086470536, "definition": { "title": "AssumeRole", "title_size": "16", 
@@ -553,7 +553,7 @@ } }, { - "id": 413831250, + "id": 3942708061, "definition": { "type": "note", "content": "### [AssumeRoleWithSAML](https://traildiscover.cloud/#STS-AssumeRoleWithSAML)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.\n\n**Related Research:**\n- [AWS - STS Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc)\n", @@ -572,7 +572,7 @@ } }, { - "id": 3652227417, + "id": 3638875223, "definition": { "title": "AssumeRoleWithSAML", "title_size": "16", @@ -614,7 +614,7 @@ } }, { - "id": 119339473, + "id": 2175681784, "definition": { "type": "note", "content": "### [PasswordRecoveryRequested](https://traildiscover.cloud/#SignIn-PasswordRecoveryRequested)\n\n**Description:** This is the CloudTrail event generated when you request a password recovery.\n\n**Related Incidents:**\n- [An Ongoing AWS Phishing Campaign](https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/)\n- [Disclosure of Security Incidents on imToken](https://support.token.im/hc/en-us/articles/360005681954-Disclosure-of-Security-Incidents-on-imToken)\n", @@ -633,7 +633,7 @@ } }, { - "id": 1309590879, + "id": 1971187833, "definition": { "title": "PasswordRecoveryRequested", "title_size": "16", 
@@ -675,7 +675,7 @@ } }, { - "id": 1678669026, + "id": 2934175878, "definition": { "type": "note", "content": "### [ConsoleLogin](https://traildiscover.cloud/#SignIn-ConsoleLogin)\n\n**Description:** This is the CloudTrail event generated when you sign-in.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Credential Phishing](https://ramimac.me/aws-phishing#credential-phishing)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [Compromising AWS Console credentials](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/compromising-aws-console-credentials/)\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", 
@@ -694,7 +694,7 @@ } }, { - "id": 2769581545, + "id": 582198279, "definition": { "title": "ConsoleLogin", "title_size": "16", @@ -736,7 +736,7 @@ } }, { - "id": 1379085043, + "id": 1785999300, "definition": { "type": "note", "content": "### [GetSigninToken](https://traildiscover.cloud/#SignIn-GetSigninToken)\n\n**Description:** Generate a SigninToken that can be used to login to the the AWS Management Console.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n", @@ -755,7 +755,7 @@ } }, { - "id": 2569336449, + "id": 3629650110, "definition": { "title": "GetSigninToken", "title_size": "16", @@ -806,7 +806,7 @@ } }, { - "id": 103304237, + "id": 427127937, "definition": { "type": "group", "layout_type": "ordered", 
@@ -815,7 +815,7 @@ "show_title": true, "widgets": [ { - "id": 1830211100, + "id": 3279768645, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -834,7 +834,7 @@ } }, { - "id": 3020462506, + "id": 3075274694, "definition": { "title": "SendCommand", "title_size": "16", 
@@ -876,7 +876,7 @@ } }, { - "id": 4141302322, + "id": 746545810, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -895,7 +895,7 @@ } }, { - "id": 1036586432, + "id": 542051859, "definition": { "title": "StartSession", "title_size": "16", @@ -937,7 +937,7 @@ } }, { - "id": 1031045650, + "id": 355850583, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -956,7 +956,7 @@ } }, { - "id": 2121958169, + "id": 2199501393, "definition": { "title": "ResumeSession", "title_size": "16", @@ -1007,7 +1007,7 @@ } }, { - "id": 1931710446, + "id": 892594531, "definition": { "type": "group", "layout_type": "ordered", 
@@ -1016,7 +1016,7 @@ "show_title": true, "widgets": [ { - "id": 1466483691, + "id": 1311801563, "definition": { "type": "note", "content": "### [GetFederationToken](https://traildiscover.cloud/#STS-GetFederationToken)\n\n**Description:** Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user.\n\n**Related Incidents:**\n- [How Adversaries Can Persist with AWS User Federation](https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [Create a Console Session from IAM Credentials](https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/)\n- [Survive Access Key Deletion with sts:GetFederationToken](https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/)\n", @@ -1035,7 +1035,7 @@ } }, { - "id": 2656735097, + "id": 1107307612, "definition": { "title": "GetFederationToken", "title_size": "16", 
@@ -1077,7 +1077,7 @@ } }, { - "id": 151515437, + "id": 2763565599, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -1096,7 +1096,7 @@ } }, { - "id": 3489250491, + "id": 312249113, "definition": { "title": "AssumeRole", "title_size": "16", 
@@ -1138,7 +1138,7 @@ } }, { - "id": 1538776080, + "id": 1175286017, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1157,7 +1157,7 @@ } }, { - "id": 2629688599, + "id": 3118275714, "definition": { "title": "CreateFunction20150331", "title_size": "16", @@ -1199,7 +1199,7 @@ } }, { - "id": 3166838863, + "id": 542607879, "definition": { "type": "note", "content": "### [UpdateFunctionConfiguration20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionConfiguration20150331v2)\n\n**Description:** Modify the version-specific settings of a Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [LambdaSpy - Implanting the Lambda execution environment (Part two)](https://www.clearvector.com/blog/lambda-spy/)\n", 
@@ -1218,7 +1218,7 @@ } }, { - "id": 2209606621, + "id": 2386258689, "definition": { "title": "UpdateFunctionConfiguration20150331v2", "title_size": "16", @@ -1260,7 +1260,7 @@ } }, { - "id": 1245462418, + "id": 2915547932, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -1279,7 +1279,7 @@ } }, { - "id": 2435713824, + "id": 2711053981, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -1321,7 +1321,7 @@ } }, { - "id": 2160289971, + "id": 461625128, "definition": { "type": "note", "content": "### [PutTargets](https://traildiscover.cloud/#events-PutTargets)\n\n**Description:** Adds the specified targets to the specified rule, or updates the targets if they are already associated with the rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", 
@@ -1340,7 +1340,7 @@ } }, { - "id": 1203057729, + "id": 2404614825, "definition": { "title": "PutTargets", "title_size": "16", @@ -1382,7 +1382,7 @@ } }, { - "id": 804762406, + "id": 529788374, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -1401,7 +1401,7 @@ } }, { - "id": 4142497460, + "id": 2373439184, "definition": { "title": "PutRule", "title_size": "16", @@ -1443,7 +1443,7 @@ } }, { - "id": 630553294, + "id": 3745144052, "definition": { "type": "note", "content": "### [CreateSAMLProvider](https://traildiscover.cloud/#IAM-CreateSAMLProvider)\n\n**Description:** Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -1462,7 +1462,7 @@ } }, { - "id": 3968288348, + "id": 3540650101, "definition": { "title": "CreateSAMLProvider", "title_size": "16", 
@@ -1504,7 +1504,7 @@ } }, { - "id": 1588568673, + "id": 3488231159, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1523,7 +1523,7 @@ } }, { - "id": 2679481192, + "id": 3184398321, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -1565,7 +1565,7 @@ } }, { - "id": 2448314977, + "id": 3775680098, "definition": { "type": "note", "content": "### [UpdateAccessKey](https://traildiscover.cloud/#IAM-UpdateAccessKey)\n\n**Description:** Changes the status of the specified access key from Active to Inactive, or vice versa.\n\n**Related Research:**\n- [AWS - IAM Privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc)\n", @@ -1584,7 +1584,7 @@ } }, { - "id": 1491082735, + "id": 3571186147, "definition": { "title": "UpdateAccessKey", "title_size": "16", 
@@ -1626,7 +1626,7 @@ } }, { - "id": 983981791, + "id": 3159137201, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -1645,7 +1645,7 @@ } }, { - "id": 26749549, + "id": 2954643250, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -1687,7 +1687,7 @@ } }, { - "id": 824528205, + "id": 2303553871, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", 
@@ -1706,7 +1706,7 @@ } }, { - "id": 4062924372, + "id": 2099059920, "definition": { "title": "CreateAccessKey", "title_size": "16", @@ -1748,7 +1748,7 @@ } }, { - "id": 3191762440, + "id": 3922489667, "definition": { "type": "note", "content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n", @@ -1767,7 +1767,7 @@ } }, { - "id": 2234530198, + "id": 3717995716, "definition": { "title": "UpdateSAMLProvider", "title_size": "16", @@ -1809,7 +1809,7 @@ } }, { - "id": 92839483, + "id": 324148266, "definition": { "type": "note", "content": "### [StartSSO](https://traildiscover.cloud/#SSO-StartSSO)\n\n**Description:** Initialize AWS IAM Identity Center\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -1828,7 +1828,7 @@ } }, { - "id": 1283090889, + "id": 119654315, "definition": { "title": "StartSSO", "title_size": "16", @@ -1870,7 +1870,7 @@ } }, { - "id": 379207656, + "id": 1056392425, "definition": { "type": "note", "content": "### [CreateOpenIDConnectProvider](https://traildiscover.cloud/#IAM-CreateOpenIDConnectProvider)\n\n**Description:** Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", 
@@ -1889,7 +1889,7 @@ } }, { - "id": 3617603823, + "id": 851898474, "definition": { "title": "CreateOpenIDConnectProvider", "title_size": "16", @@ -1931,7 +1931,7 @@ } }, { - "id": 1252287241, + "id": 3266803307, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -1950,7 +1950,7 @@ } }, { - "id": 295054999, + "id": 3062309356, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -1992,7 +1992,7 @@ } }, { - "id": 2000201102, + "id": 107300280, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -2011,7 +2011,7 @@ } }, { - "id": 943629973, + "id": 4197773625, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -2053,7 +2053,7 @@ } }, { - "id": 34505987, + "id": 3699331535, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -2072,7 +2072,7 @@ } }, { - "id": 1224757393, + "id": 1248015049, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -2114,7 +2114,7 @@ } }, { - "id": 3659055844, + "id": 2336006981, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", 
@@ -2133,7 +2133,7 @@ } }, { - "id": 554339954, + "id": 4278996678, "definition": { "title": "CreateLoginProfile", "title_size": "16", 
@@ -2175,7 +2175,7 @@ } }, { - "id": 1761324146, + "id": 2629395100, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#IAM-CreateUser)\n\n**Description:** Creates a new IAM user for your AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Responding to an attack in AWS](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Exposed long-lived access key resulted in unauthorized access](https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Sendtech Pte. 
Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n**Related Research:**\n- [Creating a new IAM user](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/creating-new-iam-user/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -2194,7 +2194,7 @@ } }, { - "id": 2852236665, + "id": 277417501, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -2236,7 +2236,7 @@ } }, { - "id": 3264422539, + "id": 643215453, "definition": { "type": "note", "content": "### [CreateRole](https://traildiscover.cloud/#IAM-CreateRole)\n\n**Description:** Creates a new role for your AWS account.\n\n**Related Incidents:**\n- [Attack Scenario 2: From Misconfigured Firewall to Cryptojacking Botnet](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-cloud-threat-report-volume7.pdf)\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", @@ -2255,7 +2255,7 @@ } }, { - "id": 2307190297, + "id": 438721502, "definition": { "title": "CreateRole", "title_size": "16", @@ -2297,7 +2297,7 @@ } }, { - "id": 555586145, + "id": 632036401, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2316,7 +2316,7 @@ } }, { - "id": 3793982312, + "id": 2575026098, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", 
@@ -2358,7 +2358,7 @@ } }, { - "id": 3063292032, + "id": 3293832592, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2377,7 +2377,7 @@ } }, { - "id": 4154204551, + "id": 2989999754, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -2419,7 +2419,7 @@ } }, { - "id": 776865742, + "id": 2088002004, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -2438,7 +2438,7 @@ } }, { - "id": 1967117148, + "id": 4030991701, "definition": { "title": "UpdateResolver", "title_size": "16", 
@@ -2480,7 +2480,7 @@ } }, { - "id": 465952698, + "id": 2044965366, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -2499,7 +2499,7 @@ } }, { - "id": 3704348865, + "id": 3987955063, "definition": { "title": "StartInstances", "title_size": "16", 
@@ -2541,7 +2541,7 @@ } }, { - "id": 204913695, + "id": 395315355, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2560,7 +2560,7 @@ } }, { - "id": 1395165101, + "id": 2338305052, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -2602,7 +2602,7 @@ } }, { - "id": 1332676503, + "id": 3402776909, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -2621,7 +2621,7 @@ } }, { - "id": 2522927909, + "id": 3198282958, "definition": { "title": "CreateDefaultVpc", "title_size": "16", @@ -2663,7 +2663,7 @@ } }, { - "id": 1989852236, + "id": 2927697888, "definition": { "type": "note", "content": "### [CreateNetworkAclEntry](https://traildiscover.cloud/#EC2-CreateNetworkAclEntry)\n\n**Description:** Creates an entry (a rule) in a network ACL with the specified rule number.\n\n**Related Research:**\n- [AWS EC2 Network Access Control List Creation](https://www.elastic.co/guide/en/security/current/aws-ec2-network-access-control-list-creation.html)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -2682,7 +2682,7 @@ } }, { - "id": 1032619994, + "id": 575720289, "definition": { "title": "CreateNetworkAclEntry", "title_size": "16", 
@@ -2724,7 +2724,7 @@ } }, { - "id": 1325718454, + "id": 2409676063, "definition": { "type": "note", "content": "### [CreateKeyPair](https://traildiscover.cloud/#EC2-CreateKeyPair)\n\n**Description:** Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the specified PEM or PPK format.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -2743,7 +2743,7 @@ } }, { - "id": 2416630973, + "id": 2105843225, "definition": { "title": "CreateKeyPair", "title_size": "16", 
@@ -2785,7 +2785,7 @@ } }, { - "id": 2773079173, + "id": 1695457210, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Opening a security group to the 
Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -2804,7 +2804,7 @@ } }, { - "id": 1716508044, + "id": 1490963259, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", 
@@ -2846,7 +2846,7 @@ } }, { - "id": 286541952, + "id": 3917353031, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -2865,7 +2865,7 @@ } }, { - "id": 3524938119, + "id": 1466036545, "definition": { "title": "RunInstances", "title_size": "16", 
@@ -2907,7 +2907,7 @@ } }, { - "id": 4257619669, + "id": 2373870545, "definition": { "type": "note", "content": "### [ImportKeyPair](https://traildiscover.cloud/#EC2-ImportKeyPair)\n\n**Description:** Imports the public key from an RSA or ED25519 key pair that you created with a third-party tool.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n", @@ -2926,7 +2926,7 @@ } }, { - "id": 1053564892, + "id": 2070037707, "definition": { "title": "ImportKeyPair", "title_size": "16", @@ -2977,7 +2977,7 @@ } }, { - "id": 324795852, + "id": 1825291626, "definition": { "type": "group", "layout_type": "ordered", 
@@ -2986,7 +2986,7 @@ "show_title": true, "widgets": [ { - "id": 3615462920, + "id": 2993786592, "definition": { "type": "note", "content": "### [AssumeRole](https://traildiscover.cloud/#STS-AssumeRole)\n\n**Description:** Returns a set of temporary security credentials that you can use to access AWS resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [Role Chain Juggling](https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -3005,7 +3005,7 @@ } }, { - "id": 411408143, + "id": 2789292641, "definition": { "title": "AssumeRole", "title_size": "16", @@ -3047,7 +3047,7 @@ } }, { - "id": 2550036148, + "id": 4060596228, "definition": { "type": "note", "content": "### [GetCredentialsForIdentity](https://traildiscover.cloud/#CognitoIdentity-GetCredentialsForIdentity)\n\n**Description:** Returns credentials for the provided identity ID. Any provided logins will be validated against supported login providers.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -3066,7 +3066,7 @@ } }, { - "id": 1493465019, + "id": 3756763390, "definition": { "title": "GetCredentialsForIdentity", "title_size": "16", 
@@ -3108,7 +3108,7 @@ } }, { - "id": 3812348724, + "id": 3639883989, "definition": { "type": "note", "content": "### [GetId](https://traildiscover.cloud/#CognitoIdentity-GetId)\n\n**Description:** Generates (or retrieves) IdentityID. Supplying multiple logins will create an implicit linked account.\n\n**Related Research:**\n- [Overpermissioned AWS Cognito Identity Pools](https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/#exploitation)\n", @@ -3127,7 +3127,7 @@ } }, { - "id": 2755777595, + "id": 3435390038, "definition": { "title": "GetId", "title_size": "16", @@ -3169,7 +3169,7 @@ } }, { - "id": 608417380, + "id": 2258445873, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3188,7 +3188,7 @@ } }, { - "id": 3946152434, + "id": 2053951922, "definition": { "title": "CreateFunction20150331", "title_size": "16", 
@@ -3230,7 +3230,7 @@ } }, { - "id": 2760588248, + "id": 1605070439, "definition": { "type": "note", "content": "### [CreateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-CreateEventSourceMapping20150331)\n\n**Description:** Creates a mapping between an event source and an AWS Lambda function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3249,7 +3249,7 @@ } }, { - "id": 1704017119, + "id": 1400576488, "definition": { "title": "CreateEventSourceMapping20150331", "title_size": "16", @@ -3291,7 +3291,7 @@ } }, { - "id": 838653067, + "id": 3045649922, "definition": { "type": "note", "content": "### [AddPermission20150331v2](https://traildiscover.cloud/#Lambda-AddPermission20150331v2)\n\n**Description:** Grants an AWS service, AWS account, or AWS organization permission to use a function.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3310,7 +3310,7 @@ } }, { - "id": 4077049234, + "id": 2841155971, "definition": { "title": "AddPermission20150331v2", "title_size": "16", @@ -3352,7 +3352,7 @@ } }, { - "id": 84349718, + "id": 4147654200, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3371,7 +3371,7 @@ } }, { - "id": 1175262237, + "id": 3943160249, "definition": { "title": "Invoke", "title_size": "16", 
@@ -3413,7 +3413,7 @@ } }, { - "id": 1671680108, + "id": 1280467792, "definition": { "type": "note", "content": "### [UpdateEventSourceMapping20150331](https://traildiscover.cloud/#Lambda-UpdateEventSourceMapping20150331)\n\n**Description:** Updates an event source mapping. You can change the function that AWS Lambda invokes, or pause invocation and resume later from the same location.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -3432,7 +3432,7 @@ } }, { - "id": 615108979, + "id": 1075973841, "definition": { "title": "UpdateEventSourceMapping20150331", "title_size": "16", @@ -3474,7 +3474,7 @@ } }, { - "id": 2575125777, + "id": 2707295453, "definition": { "type": "note", "content": "### [DeleteRolePolicy](https://traildiscover.cloud/#IAM-DeleteRolePolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3493,7 +3493,7 @@ } }, { - "id": 1617893535, + "id": 255978967, "definition": { "title": "DeleteRolePolicy", "title_size": "16", @@ -3535,7 +3535,7 @@ } }, { - "id": 886379223, + "id": 30441522, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -3554,7 +3554,7 @@ } }, { - "id": 1977291742, + "id": 4120914867, "definition": { "title": "DetachRolePolicy", "title_size": "16", @@ -3596,7 +3596,7 @@ } }, { - "id": 705827986, + "id": 2913131302, "definition": { "type": "note", "content": "### [UpdateLoginProfile](https://traildiscover.cloud/#IAM-UpdateLoginProfile)\n\n**Description:** Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3615,7 +3615,7 @@ } }, { - "id": 1796740505, + "id": 561153703, "definition": { "title": "UpdateLoginProfile", "title_size": "16", @@ -3657,7 +3657,7 @@ } }, { - "id": 3605420071, + "id": 2293433184, "definition": { "type": "note", "content": "### [CreatePolicy](https://traildiscover.cloud/#IAM-CreatePolicy)\n\n**Description:** Creates a new managed policy for your AWS account.\n\n**Related Incidents:**\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", @@ -3676,7 +3676,7 @@ } }, { - "id": 401365294, + "id": 2088939233, "definition": { "title": "CreatePolicy", "title_size": "16", 
@@ -3718,7 +3718,7 @@ } }, { - "id": 4233905871, + "id": 3258357903, "definition": { "type": "note", "content": "### [AddUserToGroup](https://traildiscover.cloud/#IAM-AddUserToGroup)\n\n**Description:** Adds the specified user to the specified group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3737,7 +3737,7 @@ } }, { - "id": 1129189981, + "id": 3053863952, "definition": { "title": "AddUserToGroup", "title_size": "16", @@ -3779,7 +3779,7 @@ } }, { - "id": 2348063639, + "id": 2584037344, "definition": { "type": "note", "content": "### [UpdateAssumeRolePolicy](https://traildiscover.cloud/#IAM-UpdateAssumeRolePolicy)\n\n**Description:** Updates the policy that grants an IAM entity permission to assume a role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", @@ -3798,7 +3798,7 @@ } }, { - "id": 3438976158, + "id": 2379543393, "definition": { "title": "UpdateAssumeRolePolicy", "title_size": "16", 
@@ -3840,7 +3840,7 @@ } }, { - "id": 3383815951, + "id": 2533774864, "definition": { "type": "note", "content": "### [CreateAccessKey](https://traildiscover.cloud/#IAM-CreateAccessKey)\n\n**Description:** Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", 
@@ -3859,7 +3859,7 @@ } }, { - "id": 2426583709, + "id": 2329280913, "definition": { "title": "CreateAccessKey", "title_size": "16", @@ -3901,7 +3901,7 @@ } }, { - "id": 3742380617, + "id": 3764864783, "definition": { "type": "note", "content": "### [CreatePolicyVersion](https://traildiscover.cloud/#IAM-CreatePolicyVersion)\n\n**Description:** Creates a new version of the specified managed policy.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3920,7 +3920,7 @@ } }, { - "id": 2685809488, + "id": 3560370832, "definition": { "title": "CreatePolicyVersion", "title_size": "16", @@ -3962,7 +3962,7 @@ } }, { - "id": 1272751720, + "id": 3486934549, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -3981,7 +3981,7 @@ } }, { - "id": 2363664239, + "id": 3183101711, "definition": { "title": "DeleteUserPolicy", "title_size": "16", 
@@ -4023,7 +4023,7 @@ } }, { - "id": 1066197842, + "id": 4200328673, "definition": { "type": "note", "content": "### [UpdateSAMLProvider](https://traildiscover.cloud/#IAM-UpdateSAMLProvider)\n\n**Description:** Updates the metadata document for an existing SAML provider resource object.\n\n**Related Research:**\n- [Gaining AWS Persistence by Updating a SAML Identity Provider](https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5)\n", @@ -4042,7 +4042,7 @@ } }, { - "id": 2157110361, + "id": 3995834722, "definition": { "title": "UpdateSAMLProvider", "title_size": "16", @@ -4084,7 +4084,7 @@ } }, { - "id": 2852957201, + "id": 1477609566, "definition": { "type": "note", "content": "### [PutRolePermissionsBoundary](https://traildiscover.cloud/#IAM-PutRolePermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM role's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4103,7 +4103,7 @@ } }, { - "id": 4043208607, + "id": 3321260376, "definition": { "title": "PutRolePermissionsBoundary", "title_size": "16", @@ -4145,7 +4145,7 @@ } }, { - "id": 780756080, + "id": 1125166568, "definition": { "type": "note", "content": "### [PutUserPermissionsBoundary](https://traildiscover.cloud/#IAM-PutUserPermissionsBoundary)\n\n**Description:** Adds or updates the policy that is specified as the IAM user's permissions boundary.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4164,7 +4164,7 @@ } }, { - "id": 1871668599, + "id": 3068156265, "definition": { "title": "PutUserPermissionsBoundary", "title_size": "16", 
@@ -4206,7 +4206,7 @@ } }, { - "id": 1889367741, + "id": 3691183212, "definition": { "type": "note", "content": "### [DeleteUserPermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteUserPermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM user.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4225,7 +4225,7 @@ } }, { - "id": 832796612, + "id": 1339205613, "definition": { "title": "DeleteUserPermissionsBoundary", "title_size": "16", @@ -4267,7 +4267,7 @@ } }, { - "id": 3265289143, + "id": 33870544, "definition": { "type": "note", "content": "### [AttachRolePolicy](https://traildiscover.cloud/#IAM-AttachRolePolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4286,7 +4286,7 @@ } }, { - "id": 2308056901, + "id": 1976860241, "definition": { "title": "AttachRolePolicy", "title_size": "16", 
@@ -4328,7 +4328,7 @@ } }, { - "id": 1692307170, + "id": 2596805822, "definition": { "type": "note", "content": "### [SetDefaultPolicyVersion](https://traildiscover.cloud/#IAM-SetDefaultPolicyVersion)\n\n**Description:** Sets the specified version of the specified policy as the policy's default (operative) version.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4347,7 +4347,7 @@ } }, { - "id": 2783219689, + "id": 2392311871, "definition": { "title": "SetDefaultPolicyVersion", "title_size": "16", @@ -4389,7 +4389,7 @@ } }, { - "id": 3421689939, + "id": 1448879539, "definition": { "type": "note", "content": "### [AttachUserPolicy](https://traildiscover.cloud/#IAM-AttachUserPolicy)\n\n**Description:** Attaches the specified managed policy to the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4408,7 +4408,7 @@ } }, { - "id": 217635162, + "id": 3292530349, "definition": { "title": "AttachUserPolicy", "title_size": "16", 
@@ -4450,7 +4450,7 @@ } }, { - "id": 149643786, + "id": 1285598326, "definition": { "type": "note", "content": "### [CreateGroup](https://traildiscover.cloud/#IAM-CreateGroup)\n\n**Description:** Creates a new group.\n\n**Related Research:**\n- [AWS IAM Group Creation](https://www.elastic.co/guide/en/security/current/aws-iam-group-creation.html)\n", @@ -4469,7 +4469,7 @@ } }, { - "id": 3487378840, + "id": 3228588023, "definition": { "title": "CreateGroup", "title_size": "16", @@ -4511,7 +4511,7 @@ } }, { - "id": 1117460415, + "id": 2584343808, "definition": { "type": "note", "content": "### [PutUserPolicy](https://traildiscover.cloud/#IAM-PutUserPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4530,7 +4530,7 @@ } }, { - "id": 2307711821, + "id": 2379849857, "definition": { "title": "PutUserPolicy", "title_size": "16", @@ -4572,7 +4572,7 @@ } }, { - "id": 980997642, + "id": 596032617, "definition": { "type": "note", "content": "### [DeleteRolePermissionsBoundary](https://traildiscover.cloud/#IAM-DeleteRolePermissionsBoundary)\n\n**Description:** Deletes the permissions boundary for the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -4591,7 +4591,7 @@ } }, { - "id": 23765400, + "id": 2539022314, "definition": { "title": "DeleteRolePermissionsBoundary", "title_size": "16", @@ -4633,7 +4633,7 @@ } }, { - "id": 3897514850, + "id": 2612288785, "definition": { "type": "note", "content": "### [PutGroupPolicy](https://traildiscover.cloud/#IAM-PutGroupPolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4652,7 +4652,7 @@ } }, { - "id": 2940282608, + "id": 160972299, "definition": { "title": "PutGroupPolicy", "title_size": "16", @@ -4694,7 +4694,7 @@ } }, { - "id": 2203908685, + "id": 2635007743, "definition": { "type": "note", "content": "### [ChangePassword](https://traildiscover.cloud/#IAM-ChangePassword)\n\n**Description:** Changes the password of the IAM user who is calling this operation.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [IAM User Changes Alarm](https://asecure.cloud/a/cwalarm_iam_user_changes/)\n", @@ -4713,7 +4713,7 @@ } }, { - "id": 1147337556, + "id": 2430513792, "definition": { "title": "ChangePassword", "title_size": "16", 
@@ -4755,7 +4755,7 @@ } }, { - "id": 1533491246, + "id": 1760907124, "definition": { "type": "note", "content": "### [CreateLoginProfile](https://traildiscover.cloud/#IAM-CreateLoginProfile)\n\n**Description:** Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [AWS IAM Persistence Methods](https://hackingthe.cloud/aws/post_exploitation/iam_persistence/)\n", 
@@ -4774,7 +4774,7 @@ } }, { - "id": 476920117, + "id": 3703896821, "definition": { "title": "CreateLoginProfile", "title_size": "16", @@ -4816,7 +4816,7 @@ } }, { - "id": 1940982334, + "id": 2054685580, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4835,7 +4835,7 @@ } }, { - "id": 983750092, + "id": 1750852742, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -4877,7 +4877,7 @@ } }, { - "id": 3761636737, + "id": 3821821418, "definition": { "type": "note", "content": "### [PutRolePolicy](https://traildiscover.cloud/#IAM-PutRolePolicy)\n\n**Description:** Adds or updates an inline policy document that is embedded in the specified IAM role.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -4896,7 +4896,7 @@ } }, { - "id": 656920847, + "id": 1370504932, "definition": { "title": "PutRolePolicy", "title_size": "16", @@ -4938,7 +4938,7 @@ } }, { - "id": 1099096212, + "id": 3615958897, "definition": { "type": "note", "content": "### [AddRoleToInstanceProfile](https://traildiscover.cloud/#IAM-AddRoleToInstanceProfile)\n\n**Description:** Adds the specified IAM role to the specified instance profile.\n\n**Related Research:**\n- [Cloudgoat AWS CTF solution- Scenerio 5 (iam_privesc_by_attachment)](https://pswalia2u.medium.com/cloudgoat-aws-ctf-solution-scenerio-5-iam-privesc-by-attachment-22145650f5f5)\n", 
@@ -4957,7 +4957,7 @@ } }, { - "id": 2289347618, + "id": 3411464946, "definition": { "title": "AddRoleToInstanceProfile", "title_size": "16", @@ -4999,7 +4999,7 @@ } }, { - "id": 1259159971, + "id": 931394490, "definition": { "type": "note", "content": "### [AttachGroupPolicy](https://traildiscover.cloud/#IAM-AttachGroupPolicy)\n\n**Description:** Attaches the specified managed policy to the specified IAM group.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5018,7 +5018,7 @@ } }, { - "id": 301927729, + "id": 726900539, "definition": { "title": "AttachGroupPolicy", "title_size": "16", @@ -5060,7 +5060,7 @@ } }, { - "id": 1980846306, + "id": 3623178818, "definition": { "type": "note", "content": "### [AssociateAccessPolicy](https://traildiscover.cloud/#EKS-AssociateAccessPolicy)\n\n**Description:** Associates an access policy and its scope to an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -5079,7 +5079,7 @@ } }, { - "id": 924275177, + "id": 3418684867, "definition": { "title": "AssociateAccessPolicy", "title_size": "16", @@ -5121,7 +5121,7 @@ } }, { - "id": 2613512704, + "id": 2476750421, "definition": { "type": "note", "content": "### [CreateAccessEntry](https://traildiscover.cloud/#EKS-CreateAccessEntry)\n\n**Description:** Creates an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", @@ -5140,7 +5140,7 @@ } }, { - "id": 3704425223, + "id": 2172917583, "definition": { "title": "CreateAccessEntry", "title_size": "16", 
@@ -5182,7 +5182,7 @@ } }, { - "id": 3600506459, + "id": 1172388098, "definition": { "type": "note", "content": "### [ModifyInstanceAttribute](https://traildiscover.cloud/#EC2-ModifyInstanceAttribute)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [EC2 Privilege Escalation Through User Data](https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data/)\n- [User Data Script Persistence](https://hackingthe.cloud/aws/post_exploitation/user_data_script_persistence/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -5201,7 +5201,7 @@ } }, { - "id": 2643274217, + "id": 967894147, "definition": { "title": "ModifyInstanceAttribute", "title_size": "16", @@ -5243,7 +5243,7 @@ } }, { - "id": 880871042, + "id": 2636960761, "definition": { "type": "note", "content": "### [ReplaceIamInstanceProfileAssociation](https://traildiscover.cloud/#EC2-ReplaceIamInstanceProfileAssociation)\n\n**Description:** Replaces an IAM instance profile for the specified running instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -5262,7 +5262,7 @@ } }, { - "id": 1971783561, + "id": 284983162, "definition": { "title": "ReplaceIamInstanceProfileAssociation", "title_size": "16", 
@@ -5304,7 +5304,7 @@ } }, { - "id": 1297335303, + "id": 1259883934, "definition": { "type": "note", "content": "### [CreateDevEndpoint](https://traildiscover.cloud/#Glue-CreateDevEndpoint)\n\n**Description:** Creates a new development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5323,7 +5323,7 @@ } }, { - "id": 2487586709, + "id": 3103534744, "definition": { "title": "CreateDevEndpoint", "title_size": "16", @@ -5365,7 +5365,7 @@ } }, { - "id": 1653147215, + "id": 2263159184, "definition": { "type": "note", "content": "### [UpdateJob](https://traildiscover.cloud/#Glue-UpdateJob)\n\n**Description:** Updates an existing job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5384,7 +5384,7 @@ } }, { - "id": 695914973, + "id": 4206148881, "definition": { "title": "UpdateJob", "title_size": "16", @@ -5426,7 +5426,7 @@ } }, { - "id": 1839421227, + "id": 3895037614, "definition": { "type": "note", "content": "### [CreateJob](https://traildiscover.cloud/#Glue-CreateJob)\n\n**Description:** Creates a new job definition.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -5445,7 +5445,7 @@ } }, { - "id": 2930333746, + "id": 1443721128, "definition": { "title": "CreateJob", "title_size": "16", @@ -5487,7 +5487,7 @@ } }, { - "id": 1909388832, + "id": 1025022787, "definition": { "type": "note", "content": "### [UpdateDevEndpoint](https://traildiscover.cloud/#Glue-UpdateDevEndpoint)\n\n**Description:** Updates a specified development endpoint.\n\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -5506,7 +5506,7 @@ } }, { - "id": 852817703, + "id": 2868673597, "definition": { "title": "UpdateDevEndpoint", "title_size": "16", @@ -5557,7 +5557,7 @@ } }, { - "id": 2817437039, + "id": 4198166536, "definition": { "type": "group", "layout_type": "ordered", @@ -5566,7 +5566,7 @@ "show_title": true, "widgets": [ { - "id": 1283933028, + "id": 3959533527, "definition": { "type": "note", "content": "### [InviteAccountToOrganization](https://traildiscover.cloud/#Organizations-InviteAccountToOrganization)\n\n**Description:** Sends an invitation to another account to join your organization as a member account.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -5585,7 +5585,7 @@ } }, { - "id": 227361899, + "id": 3655700689, "definition": { "title": "InviteAccountToOrganization", "title_size": "16", @@ -5627,7 +5627,7 @@ } }, { - "id": 1914459307, + "id": 1437116039, "definition": { "type": "note", "content": "### [CreateAccount](https://traildiscover.cloud/#Organizations-CreateAccount)\n\n**Description:** Creates an AWS account that is automatically a member of the organization whose credentials made the request.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -5646,7 +5646,7 @@ } }, { - "id": 857888178, + "id": 3280766849, "definition": { "title": "CreateAccount", "title_size": "16", 
@@ -5688,7 +5688,7 @@ } }, { - "id": 62443509, + "id": 2007958754, "definition": { "type": "note", "content": "### [LeaveOrganization](https://traildiscover.cloud/#Organizations-LeaveOrganization)\n\n**Description:** Removes a member account from its parent organization.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [An AWS account attempted to leave the AWS Organization](https://docs.datadoghq.com/security/default_rules/aws-organizations-leave-organization/)\n", @@ -5707,7 +5707,7 @@ } }, { - "id": 3400178563, + "id": 1803464803, "definition": { "title": "LeaveOrganization", "title_size": "16", @@ -5749,7 +5749,7 @@ } }, { - "id": 2212447744, + "id": 897850974, "definition": { "type": "note", "content": "### [PutLogEvents](https://traildiscover.cloud/#CloudWatchLogs-PutLogEvents)\n\n**Description:** Uploads a batch of log events to the specified log stream.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -5768,7 +5768,7 @@ } }, { - "id": 1155876615, + "id": 693357023, "definition": { "title": "PutLogEvents", "title_size": "16", 
@@ -5810,7 +5810,7 @@ } }, { - "id": 1624840675, + "id": 1537887587, "definition": { "type": "note", "content": "### [DeleteAlarms](https://traildiscover.cloud/#CloudWatch-DeleteAlarms)\n\n**Description:** Deletes the specified alarms. You can delete up to 100 alarms in one operation.\n\n**Related Research:**\n- [AWS CloudWatch Alarm Deletion](https://www.elastic.co/guide/en/security/current/aws-cloudwatch-alarm-deletion.html)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", @@ -5829,7 +5829,7 @@ } }, { - "id": 568269546, + "id": 1333393636, "definition": { "title": "DeleteAlarms", "title_size": "16", @@ -5871,7 +5871,7 @@ } }, { - "id": 3308018901, + "id": 4154073478, "definition": { "type": "note", "content": "### [DeleteLogGroup](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogGroup)\n\n**Description:** Deletes the specified log group and permanently deletes all the archived log events associated with the log group.\n\n**Related Research:**\n- [Penetration testing of aws-based environments](https://essay.utwente.nl/76955/1/Szabo_MSc_EEMCS.pdf)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5890,7 +5890,7 @@ } }, { - "id": 2350786659, + "id": 3949579527, "definition": { "title": "DeleteLogGroup", "title_size": "16", 
@@ -5932,7 +5932,7 @@ } }, { - "id": 2298821706, + "id": 1358635647, "definition": { "type": "note", "content": "### [DeleteLogStream](https://traildiscover.cloud/#CloudWatchLogs-DeleteLogStream)\n\n**Description:** Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.\n\n**Related Research:**\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n", @@ -5951,7 +5951,7 @@ } }, { - "id": 3489073112, + "id": 1154141696, "definition": { "title": "DeleteLogStream", "title_size": "16", @@ -5993,7 +5993,7 @@ } }, { - "id": 1325464177, + "id": 643119593, "definition": { "type": "note", "content": "### [CreateLogStream](https://traildiscover.cloud/#CloudWatchLogs-CreateLogStream)\n\n**Description:** Creates a log stream for the specified log group.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -6012,7 +6012,7 @@ } }, { - "id": 2416376696, + "id": 438625642, "definition": { "title": "CreateLogStream", "title_size": "16", @@ -6054,7 +6054,7 @@ } }, { - "id": 112338248, + "id": 55480193, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -6073,7 +6073,7 @@ } }, { - "id": 3450073302, + "id": 4046614651, "definition": { "title": "DeleteRule", "title_size": "16", 
@@ -6115,7 +6115,7 @@ } }, { - "id": 1617869215, + "id": 2656431959, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -6134,7 +6134,7 @@ } }, { - "id": 2708781734, + "id": 205115473, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -6176,7 +6176,7 @@ } }, { - "id": 621257302, + "id": 3592683882, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -6195,7 +6195,7 @@ } }, { - "id": 3859653469, + "id": 3388189931, "definition": { "title": "DisableRule", "title_size": "16", @@ -6237,7 +6237,7 @@ } }, { - "id": 3492298507, + "id": 669925267, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -6256,7 +6256,7 @@ } }, { - "id": 387582617, + "id": 366092429, "definition": { "title": "PutRule", "title_size": "16", 
@@ -6298,7 +6298,7 @@ } }, { - "id": 4254047298, + "id": 3645295977, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -6317,7 +6317,7 @@ } }, { - "id": 3197476169, + "id": 3440802026, "definition": { "title": "CreateInstances", "title_size": "16", @@ -6359,7 +6359,7 @@ } }, { - "id": 2953727747, + "id": 680172389, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#SecurityHub-DeleteMembers)\n\n**Description:** Deletes the specified member accounts from Security Hub.\n\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -6378,7 +6378,7 @@ } }, { - "id": 4143979153, + "id": 475678438, "definition": { "title": "DeleteMembers", "title_size": "16", @@ -6420,7 +6420,7 @@ } }, { - "id": 915288691, + "id": 3746100783, "definition": { "type": "note", "content": "### [DetachRolePolicy](https://traildiscover.cloud/#IAM-DetachRolePolicy)\n\n**Description:** Removes the specified managed policy from the specified role.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6439,7 +6439,7 @@ } }, { - "id": 4253023745, + "id": 1294784297, "definition": { "title": "DetachRolePolicy", "title_size": "16", 
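Review bot: The new widget ids written for the SecurityHub DeleteMembers pair in the `@@ -6359` and `@@ -6378` hunks (`680172389` and `475678438`) are the same values assigned to the GuardDuty DeleteMembers widgets in the `@@ -8494` and `@@ -8513` hunks further down, so the dashboard still contains duplicate widget ids after this change. The old ids (`2953727747`, `4143979153`) collided in exactly the same way, which suggests the id is derived from the bare event name rather than from the service-qualified name such as `GuardDuty-DeleteMembers` that the note content already uses. Datadog may reassign ids on import, but any tooling that addresses widgets by id in this file cannot tell the two apart, and duplicate ids in a document are a classic source of parser-dependent behaviour. If this file is produced by a generator, keying the id on `<service>-<event>` would keep every widget id unique; if it is hand-maintained, the two pairs should be given distinct ids.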
@@ -6481,7 +6481,7 @@ } }, { - "id": 2596205973, + "id": 1955348764, "definition": { "type": "note", "content": "### [DeleteUserPolicy](https://traildiscover.cloud/#IAM-DeleteUserPolicy)\n\n**Description:** Deletes the specified inline policy that is embedded in the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6500,7 +6500,7 @@ } }, { - "id": 3786457379, + "id": 3898338461, "definition": { "title": "DeleteUserPolicy", "title_size": "16", @@ -6542,7 +6542,7 @@ } }, { - "id": 3708718480, + "id": 514325555, "definition": { "type": "note", "content": "### [DeleteAccessKey](https://traildiscover.cloud/#IAM-DeleteAccessKey)\n\n**Description:** Deletes the access key pair associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6561,7 +6561,7 @@ } }, { - "id": 2751486238, + "id": 2357976365, "definition": { "title": "DeleteAccessKey", "title_size": "16", 
@@ -6603,7 +6603,7 @@ } }, { - "id": 720938547, + "id": 871816472, "definition": { "type": "note", "content": "### [DeleteUser](https://traildiscover.cloud/#IAM-DeleteUser)\n\n**Description:** Deletes the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Insider Threat Risks to Flat Environments](https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", @@ -6622,7 +6622,7 @@ } }, { - "id": 1911189953, + "id": 667322521, "definition": { "title": "DeleteUser", "title_size": "16", @@ -6664,7 +6664,7 @@ } }, { - "id": 3411393487, + "id": 1376038658, "definition": { "type": "note", "content": "### [DetachUserPolicy](https://traildiscover.cloud/#IAM-DetachUserPolicy)\n\n**Description:** Removes the specified managed policy from the specified user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -6683,7 +6683,7 @@ } }, { - "id": 207338710, + "id": 1171544707, "definition": { "title": "DetachUserPolicy", "title_size": "16", @@ -6725,7 +6725,7 @@ } }, { - "id": 1881099585, + "id": 3538470104, "definition": { "type": "note", "content": "### [DeleteLoginProfile](https://traildiscover.cloud/#IAM-DeleteLoginProfile)\n\n**Description:** Deletes the password for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", 
@@ -6744,7 +6744,7 @@ } }, { - "id": 3071350991, + "id": 3333976153, "definition": { "title": "DeleteLoginProfile", "title_size": "16", @@ -6786,7 +6786,7 @@ } }, { - "id": 4195548128, + "id": 394502462, "definition": { "type": "note", "content": "### [DeactivateMFADevice](https://traildiscover.cloud/#IAM-DeactivateMFADevice)\n\n**Description:** Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.\n\n**Related Research:**\n- [AWS IAM Deactivation of MFA Device](https://www.elastic.co/guide/en/security/current/aws-iam-deactivation-of-mfa-device.html)\n", @@ -6805,7 +6805,7 @@ } }, { - "id": 3138976999, + "id": 190008511, "definition": { "title": "DeactivateMFADevice", "title_size": "16", @@ -6847,7 +6847,7 @@ } }, { - "id": 207419628, + "id": 4087357708, "definition": { "type": "note", "content": "### [CreateRule](https://traildiscover.cloud/#ELBv2-CreateRule)\n\n**Description:** Creates a rule for the specified listener.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", @@ -6866,7 +6866,7 @@ } }, { - "id": 3445815795, + "id": 1636041222, "definition": { "title": "CreateRule", "title_size": "16", 
@@ -6908,7 +6908,7 @@ } }, { - "id": 372261920, + "id": 66616069, "definition": { "type": "note", "content": "### [StopLogging](https://traildiscover.cloud/#CloudTrail-StopLogging)\n\n**Description:** Suspends the recording of AWS API calls and log file delivery for the specified trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Stopping a CloudTrail trail](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/stopping-cloudtrail-trail/)\n- [AWS Defense Evasion Stop Logging Cloudtrail](https://research.splunk.com/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/)\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n", @@ -6927,7 +6927,7 @@ } }, { - "id": 1463174439, + "id": 2009605766, "definition": { "title": "StopLogging", "title_size": "16", 
@@ -6969,7 +6969,7 @@ } }, { - "id": 3519041967, + "id": 1221706484, "definition": { "type": "note", "content": "### [UpdateTrail](https://traildiscover.cloud/#CloudTrail-UpdateTrail)\n\n**Description:** Updates trail settings that control what events you are logging, and how to handle log files.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion and Centralized Multi-Account Logging](https://logrhythm.com/blog/aws-defense-evasion-and-centralized-multi-account-logging/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", @@ -6988,7 +6988,7 @@ } }, { - "id": 2462470838, + "id": 3164696181, "definition": { "title": "UpdateTrail", "title_size": "16", @@ -7030,7 +7030,7 @@ } }, { - "id": 2010722176, + "id": 554277367, "definition": { "type": "note", "content": "### [DeleteTrail](https://traildiscover.cloud/#CloudTrail-DeleteTrail)\n\n**Description:** Deletes a trail.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [AWS Defense Evasion Delete Cloudtrail](https://research.splunk.com/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/)\n- [Generate Strong Security Signals with Sumo Logic & AWS Cloudtrail](https://expel.com/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/)\n- [Disrupting AWS logging](https://medium.com/daniel-grzelak/disrupting-aws-logging-a42e437d6594)\n", 
@@ -7049,7 +7049,7 @@ } }, { - "id": 954151047, + "id": 349783416, "definition": { "title": "DeleteTrail", "title_size": "16", @@ -7091,7 +7091,7 @@ } }, { - "id": 1580396397, + "id": 3209783278, "definition": { "type": "note", "content": "### [PutEventSelectors](https://traildiscover.cloud/#CloudTrail-PutEventSelectors)\n\n**Description:** Configures an event selector or advanced event selectors for your trail.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [cloudtrail_guardduty_bypass](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass)\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -7110,7 +7110,7 @@ } }, { - "id": 523825268, + "id": 758466792, "definition": { "title": "PutEventSelectors", "title_size": "16", @@ -7152,7 +7152,7 @@ } }, { - "id": 4096061109, + "id": 1625112157, "definition": { "type": "note", "content": "### [UpdateGraphqlApi](https://traildiscover.cloud/#AppSync-UpdateGraphqlApi)\n\n**Description:** Updates a GraphqlApi object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -7171,7 +7171,7 @@ } }, { - "id": 892006332, + "id": 1420618206, "definition": { "title": "UpdateGraphqlApi", "title_size": "16", 
@@ -7213,7 +7213,7 @@ } }, { - "id": 161316052, + "id": 1286485837, "definition": { "type": "note", "content": "### [CreateApiKey](https://traildiscover.cloud/#AppSync-CreateApiKey)\n\n**Description:** Creates a unique key that you can distribute to clients who invoke your API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -7232,7 +7232,7 @@ } }, { - "id": 1252228571, + "id": 3130136647, "definition": { "title": "CreateApiKey", "title_size": "16", @@ -7274,7 +7274,7 @@ } }, { - "id": 1316918195, + "id": 3081077760, "definition": { "type": "note", "content": "### [UpdateResolver](https://traildiscover.cloud/#AppSync-UpdateResolver)\n\n**Description:** Updates a Resolver object.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", @@ -7293,7 +7293,7 @@ } }, { - "id": 359685953, + "id": 629761274, "definition": { "title": "UpdateResolver", "title_size": "16", @@ -7335,7 +7335,7 @@ } }, { - "id": 3582979446, + "id": 2330561443, "definition": { "type": "note", "content": "### [DeleteBucketPolicy](https://traildiscover.cloud/#S3-DeleteBucketPolicy)\n\n**Description:** Deletes the policy of a specified bucket.\n\n**Related Research:**\n- [AWS S3 Bucket Configuration Deletion](https://www.elastic.co/guide/en/security/7.17/aws-s3-bucket-configuration-deletion.html)\n", @@ -7354,7 +7354,7 @@ } }, { - "id": 2526408317, + "id": 2126067492, "definition": { "title": "DeleteBucketPolicy", "title_size": "16", 
@@ -7396,7 +7396,7 @@ } }, { - "id": 678063356, + "id": 2407857602, "definition": { "type": "note", "content": "### [DeleteFlowLogs](https://traildiscover.cloud/#EC2-DeleteFlowLogs)\n\n**Description:** Deletes one or more flow logs.\n\n**Related Incidents:**\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Removing VPC flow logs](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/removing-vpc-flow-logs/)\n- [AWS Incident Response](https://github.com/easttimor/aws-incident-response)\n- [Proactive Cloud Security w/ AWS Organizations](https://witoff.medium.com/proactive-cloud-security-w-aws-organizations-d58695bcae16)\n", @@ -7415,7 +7415,7 @@ } }, { - "id": 3916459523, + "id": 55880003, "definition": { "title": "DeleteFlowLogs", "title_size": "16", @@ -7457,7 +7457,7 @@ } }, { - "id": 1703145906, + "id": 3613520233, "definition": { "type": "note", "content": "### [DeleteNetworkAcl](https://traildiscover.cloud/#EC2-DeleteNetworkAcl)\n\n**Description:** Deletes the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7476,7 +7476,7 @@ } }, { - "id": 2893397312, + "id": 1162203747, "definition": { "title": "DeleteNetworkAcl", "title_size": "16", 
@@ -7518,7 +7518,7 @@ } }, { - "id": 2315315698, + "id": 3753081812, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -7537,7 +7537,7 @@ } }, { - "id": 1258744569, + "id": 3548587861, "definition": { "title": "TerminateInstances", "title_size": "16", @@ -7579,7 +7579,7 @@ } }, { - "id": 226841876, + "id": 792950542, "definition": { "type": "note", "content": "### [DeleteNetworkAclEntry](https://traildiscover.cloud/#EC2-DeleteNetworkAclEntry)\n\n**Description:** Deletes the specified ingress or egress entry (rule) from the specified network ACL.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Network ACL Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-network-acl-change)\n", @@ -7598,7 +7598,7 @@ } }, { - "id": 1417093282, + "id": 2636601352, "definition": { "title": "DeleteNetworkAclEntry", "title_size": "16", 
@@ -7640,7 +7640,7 @@ } }, { - "id": 2784291190, + "id": 1078876381, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -7659,7 +7659,7 @@ } }, { - "id": 3875203709, + "id": 874382430, "definition": { "title": "StopInstances", "title_size": "16", @@ -7701,7 +7701,7 @@ } }, { - "id": 1849735214, + "id": 3912756417, "definition": { "type": "note", "content": "### [AuthorizeDBSecurityGroupIngress](https://traildiscover.cloud/#RDS-AuthorizeDBSecurityGroupIngress)\n\n**Description:** Enables ingress to a DBSecurityGroup using one of two forms of authorization.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -7720,7 +7720,7 @@ } }, { - "id": 892502972, + "id": 1461439931, "definition": { "title": "AuthorizeDBSecurityGroupIngress", "title_size": "16", 
@@ -7762,7 +7762,7 @@ } }, { - "id": 3405478633, + "id": 2152266758, "definition": { "type": "note", "content": "### [ModifyActivityStream](https://traildiscover.cloud/#RDS-ModifyActivityStream)\n\n**Description:** Changes the audit policy state of a database activity stream to either locked (default) or unlocked.\n\n**Related Incidents:**\n- [Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 3 \u2013 The Response](https://www.gem.security/post/uncovering-hybrid-cloud-attacks-through-intelligence-driven-incident-response-part-3-the-response)\n", @@ -7781,7 +7781,7 @@ } }, { - "id": 2348907504, + "id": 1848433920, "definition": { "title": "ModifyActivityStream", "title_size": "16", @@ -7823,7 +7823,7 @@ } }, { - "id": 3038767135, + "id": 3608032790, "definition": { "type": "note", "content": "### [DeleteIdentity](https://traildiscover.cloud/#SES-DeleteIdentity)\n\n**Description:** Deletes the specified identity (an email address or a domain) from the list of verified identities.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -7842,7 +7842,7 @@ } }, { - "id": 2081534893, + "id": 3403538839, "definition": { "title": "DeleteIdentity", "title_size": "16", @@ -7884,7 +7884,7 @@ } }, { - "id": 3377503114, + "id": 2232182246, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#GuardDuty-UpdateIPSet)\n\n**Description:** Updates the IPSet specified by the IPSet ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -7903,7 +7903,7 @@ } }, { - "id": 2320931985, + "id": 4075833056, "definition": { "title": "UpdateIPSet", "title_size": "16", 
@@ -7945,7 +7945,7 @@ } }, { - "id": 3686121483, + "id": 2046526257, "definition": { "type": "note", "content": "### [DeleteInvitations](https://traildiscover.cloud/#GuardDuty-DeleteInvitations)\n\n**Description:** Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n", @@ -7964,7 +7964,7 @@ } }, { - "id": 482066706, + "id": 3989515954, "definition": { "title": "DeleteInvitations", "title_size": "16", @@ -8006,7 +8006,7 @@ } }, { - "id": 2396118256, + "id": 2573483072, "definition": { "type": "note", "content": "### [UpdateDetector](https://traildiscover.cloud/#GuardDuty-UpdateDetector)\n\n**Description:** Updates the GuardDuty detector specified by the detectorId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8025,7 +8025,7 @@ } }, { - "id": 3586369662, + "id": 2368989121, "definition": { "title": "UpdateDetector", "title_size": "16", 
@@ -8067,7 +8067,7 @@ } }, { - "id": 1569583789, + "id": 663333340, "definition": { "type": "note", "content": "### [DeleteDetector](https://traildiscover.cloud/#GuardDuty-DeleteDetector)\n\n**Description:** Deletes an Amazon GuardDuty detector that is specified by the detector ID.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [AWS GuardDuty detector deleted](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-guardduty-detector-deleted/)\n- [AWS GuardDuty Evasion](https://medium.com/@cloud_tips/aws-guardduty-evasion-c181e55f3af1)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", @@ -8086,7 +8086,7 @@ } }, { - "id": 513012660, + "id": 2506984150, "definition": { "title": "DeleteDetector", "title_size": "16", @@ -8128,7 +8128,7 @@ } }, { - "id": 1833432816, + "id": 973493647, "definition": { "type": "note", "content": "### [DeletePublishingDestination](https://traildiscover.cloud/#GuardDuty-DeletePublishingDestination)\n\n**Description:** Deletes the publishing definition with the specified destinationId.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8147,7 +8147,7 @@ } }, { - "id": 876200574, + "id": 768999696, "definition": { "title": "DeletePublishingDestination", "title_size": "16", 
@@ -8189,7 +8189,7 @@ } }, { - "id": 369582418, + "id": 4010957703, "definition": { "type": "note", "content": "### [DisassociateMembers](https://traildiscover.cloud/#GuardDuty-DisassociateMembers)\n\n**Description:** Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8208,7 +8208,7 @@ } }, { - "id": 1460494937, + "id": 1559641217, "definition": { "title": "DisassociateMembers", "title_size": "16", @@ -8250,7 +8250,7 @@ } }, { - "id": 4007961771, + "id": 112225834, "definition": { "type": "note", "content": "### [DisassociateFromMasterAccount](https://traildiscover.cloud/#GuardDuty-DisassociateFromMasterAccount)\n\n**Description:** Disassociates the current GuardDuty member account from its administrator account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8269,7 +8269,7 @@ } }, { - "id": 803906994, + "id": 1955876644, "definition": { "title": "DisassociateFromMasterAccount", "title_size": "16", @@ -8311,7 +8311,7 @@ } }, { - "id": 1754657426, + "id": 3810226770, "definition": { "type": "note", "content": "### [StopMonitoringMembers](https://traildiscover.cloud/#GuardDuty-StopMonitoringMembers)\n\n**Description:** Stops GuardDuty monitoring for the specified member accounts.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8330,7 +8330,7 @@ } }, { - "id": 797425184, + "id": 1458249171, "definition": { "title": "StopMonitoringMembers", "title_size": "16", 
@@ -8372,7 +8372,7 @@ } }, { - "id": 4029270440, + "id": 278368793, "definition": { "type": "note", "content": "### [CreateIPSet](https://traildiscover.cloud/#GuardDuty-CreateIPSet)\n\n**Description:** Creates a new IPSet, which is called a trusted IP list in the console user interface.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8391,7 +8391,7 @@ } }, { - "id": 2972699311, + "id": 4269503251, "definition": { "title": "CreateIPSet", "title_size": "16", @@ -8433,7 +8433,7 @@ } }, { - "id": 1778087612, + "id": 815410055, "definition": { "type": "note", "content": "### [CreateFilter](https://traildiscover.cloud/#GuardDuty-CreateFilter)\n\n**Description:** Creates a filter using the specified finding criteria.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -8452,7 +8452,7 @@ } }, { - "id": 2869000131, + "id": 2758399752, "definition": { "title": "CreateFilter", "title_size": "16", @@ -8494,7 +8494,7 @@ } }, { - "id": 2953727747, + "id": 680172389, "definition": { "type": "note", "content": "### [DeleteMembers](https://traildiscover.cloud/#GuardDuty-DeleteMembers)\n\n**Description:** Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.\n\n**Related Research:**\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8513,7 +8513,7 @@ } }, { - "id": 4143979153, + "id": 475678438, "definition": { "title": "DeleteMembers", "title_size": "16", 
@@ -8555,7 +8555,7 @@ } }, { - "id": 3077727574, + "id": 2516729012, "definition": { "type": "note", "content": "### [DeleteConfigurationRecorder](https://traildiscover.cloud/#Config-DeleteConfigurationRecorder)\n\n**Description:** Deletes the configuration recorder.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8574,7 +8574,7 @@ } }, { - "id": 2021156445, + "id": 164751413, "definition": { "title": "DeleteConfigurationRecorder", "title_size": "16", @@ -8616,7 +8616,7 @@ } }, { - "id": 2858615428, + "id": 1700107687, "definition": { "type": "note", "content": "### [DeleteDeliveryChannel](https://traildiscover.cloud/#Config-DeleteDeliveryChannel)\n\n**Description:** Deletes the delivery channel.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8635,7 +8635,7 @@ } }, { - "id": 3949527947, + "id": 3643097384, "definition": { "title": "DeleteDeliveryChannel", "title_size": "16", 
@@ -8677,7 +8677,7 @@ } }, { - "id": 3768267801, + "id": 1484549864, "definition": { "type": "note", "content": "### [StopConfigurationRecorder](https://traildiscover.cloud/#Config-StopConfigurationRecorder)\n\n**Description:** Stops recording configurations of the AWS resources you have selected to record in your AWS account.\n\n**Related Research:**\n- [AWS Configuration Recorder Stopped](https://www.elastic.co/guide/en/security/current/prebuilt-rule-8-2-1-aws-configuration-recorder-stopped.html#prebuilt-rule-8-2-1-aws-configuration-recorder-stopped)\n- [AWS Config modified](https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-config-disabled/)\n- [Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", @@ -8696,7 +8696,7 @@ } }, { - "id": 564213024, + "id": 1180717026, "definition": { "title": "StopConfigurationRecorder", "title_size": "16", @@ -8738,7 +8738,7 @@ } }, { - "id": 3884452566, + "id": 3496202189, "definition": { "type": "note", "content": "### [DeleteConfigRule](https://traildiscover.cloud/#Config-DeleteConfigRule)\n\n**Description:** Deletes the specified AWS Config rule and all of its evaluation results.\n\n**Related Research:**\n- [AWS Config Resource Deletion](https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-aws-config-resource-deletion.html#prebuilt-rule-7-16-4-aws-config-resource-deletion)\n", @@ -8757,7 +8757,7 @@ } }, { - "id": 680397789, + "id": 1044885703, "definition": { "title": "DeleteConfigRule", "title_size": "16", 
@@ -8799,7 +8799,7 @@ } }, { - "id": 1303148672, + "id": 1701782203, "definition": { "type": "note", "content": "### [DeleteRuleGroup](https://traildiscover.cloud/#WAFV2-DeleteRuleGroup)\n\n**Description:** Deletes the specified RuleGroup.\n\n**Related Research:**\n- [AWS WAF Rule or Rule Group Deletion](https://www.elastic.co/guide/en/security/current/aws-waf-rule-or-rule-group-deletion.html)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8818,7 +8818,7 @@ } }, { - "id": 2394061191, + "id": 1497288252, "definition": { "title": "DeleteRuleGroup", "title_size": "16", @@ -8860,7 +8860,7 @@ } }, { - "id": 3377503114, + "id": 2232182246, "definition": { "type": "note", "content": "### [UpdateIPSet](https://traildiscover.cloud/#WAFV2-UpdateIPSet)\n\n**Description:** Updates the specified IPSet.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8879,7 +8879,7 @@ } }, { - "id": 2320931985, + "id": 4075833056, "definition": { "title": "UpdateIPSet", "title_size": "16", @@ -8921,7 +8921,7 @@ } }, { - "id": 2391467962, + "id": 3463969051, "definition": { "type": "note", "content": "### [DeleteWebACL](https://traildiscover.cloud/#WAFV2-DeleteWebACL)\n\n**Description:** Deletes the specified WebACL.\n\n**Related Research:**\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -8940,7 +8940,7 @@ } }, { - "id": 1334896833, + "id": 3160136213, "definition": { "title": "DeleteWebACL", "title_size": "16", @@ -8991,7 +8991,7 @@ } }, { - "id": 112513900, + "id": 1677775651, "definition": { "type": "group", "layout_type": "ordered", 
@@ -9000,7 +9000,7 @@ "show_title": true, "widgets": [ { - "id": 295462063, + "id": 1770773685, "definition": { "type": "note", "content": "### [GetSecretValue](https://traildiscover.cloud/#SecretsManager-GetSecretValue)\n\n**Description:** Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", @@ -9019,7 +9019,7 @@ } }, { - "id": 3633197117, + "id": 1566279734, "definition": { "title": "GetSecretValue", "title_size": "16", @@ -9061,7 +9061,7 @@ } }, { - "id": 1484718054, + "id": 2094411704, "definition": { "type": "note", "content": "### [DescribeSecret](https://traildiscover.cloud/#SecretsManager-DescribeSecret)\n\n**Description:** Retrieves the details of a secret.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -9080,7 +9080,7 @@ } }, { - "id": 527485812, + "id": 1889917753, "definition": { "title": "DescribeSecret", "title_size": "16", 
@@ -9122,7 +9122,7 @@ } }, { - "id": 438474214, + "id": 3216641510, "definition": { "type": "note", "content": "### [ListSecrets](https://traildiscover.cloud/#SecretsManager-ListSecrets)\n\n**Description:** Lists the secrets that are stored by Secrets Manager in the AWS account, not including secrets that are marked for deletion.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n", @@ -9141,7 +9141,7 @@ } }, { - "id": 3676870381, + "id": 2912808672, "definition": { "title": "ListSecrets", "title_size": "16", 
@@ -9183,7 +9183,7 @@ } }, { - "id": 3350615664, + "id": 3360269692, "definition": { "type": "note", "content": "### [GetPasswordData](https://traildiscover.cloud/#EC2-GetPasswordData)\n\n**Description:** Retrieves the encrypted administrator password for a running Windows instance.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -9202,7 +9202,7 @@ } }, { - "id": 2294044535, + "id": 908953206, "definition": { "title": "GetPasswordData", "title_size": "16", @@ -9244,7 +9244,7 @@ } }, { - "id": 1730277382, + "id": 4254758232, "definition": { "type": "note", "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -9263,7 +9263,7 @@ } }, { - "id": 2821189901, + "id": 4050264281, "definition": { "title": "GetParameters", "title_size": "16", @@ -9314,7 +9314,7 @@ } }, { - "id": 3104971640, + "id": 1460856349, "definition": { "type": "group", "layout_type": "ordered", 
@@ -9323,7 +9323,7 @@ "show_title": true, "widgets": [ { - "id": 1545675887, + "id": 1946676326, "definition": { "type": "note", "content": "### [ListDomains](https://traildiscover.cloud/#route53domains-ListDomains)\n\n**Description:** This operation returns all the domain names registered with Amazon Route 53 for the current AWS account if no filtering conditions are used.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9342,7 +9342,7 @@ } }, { - "id": 2636588406, + "id": 1642843488, "definition": { "title": "ListDomains", "title_size": "16", @@ -9384,7 +9384,7 @@ } }, { - "id": 3205860481, + "id": 3329584755, "definition": { "type": "note", "content": "### [GetHostedZoneCount](https://traildiscover.cloud/#Route53-GetHostedZoneCount)\n\n**Description:** Retrieves the number of hosted zones that are associated with the current AWS account.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9403,7 +9403,7 @@ } }, { - "id": 2248628239, + "id": 977607156, "definition": { "title": "GetHostedZoneCount", "title_size": "16", @@ -9445,7 +9445,7 @@ } }, { - "id": 1576518400, + "id": 3947953096, "definition": { "type": "note", "content": "### [DescribeOrganization](https://traildiscover.cloud/#Organizations-DescribeOrganization)\n\n**Description:** Retrieves information about the organization that the user's account belongs to.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", 
@@ -9464,7 +9464,7 @@ } }, { - "id": 2667430919, + "id": 1595975497, "definition": { "title": "DescribeOrganization", "title_size": "16", @@ -9506,7 +9506,7 @@ } }, { - "id": 1452653925, + "id": 798287096, "definition": { "type": "note", "content": "### [ListOrganizationalUnitsForParent](https://traildiscover.cloud/#Organizations-ListOrganizationalUnitsForParent)\n\n**Description:** Lists the organizational units (OUs) in a parent organizational unit or root.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9525,7 +9525,7 @@ } }, { - "id": 396082796, + "id": 2741276793, "definition": { "title": "ListOrganizationalUnitsForParent", "title_size": "16", @@ -9567,7 +9567,7 @@ } }, { - "id": 1568029402, + "id": 1283773607, "definition": { "type": "note", "content": "### [ListAccounts](https://traildiscover.cloud/#Organizations-ListAccounts)\n\n**Description:** Lists all the accounts in the organization.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -9586,7 +9586,7 @@ } }, { - "id": 2758280808, + "id": 1079279656, "definition": { "title": "ListAccounts", "title_size": "16", 
@@ -9628,7 +9628,7 @@ } }, { - "id": 5107873, + "id": 1701292298, "definition": { "type": "note", "content": "### [GetCallerIdentity](https://traildiscover.cloud/#STS-GetCallerIdentity)\n\n**Description:** Returns details about the IAM user or role whose credentials are used to call the operation.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n- [Enumerate AWS Account ID from an EC2 Instance](https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/)\n", 
@@ -9647,7 +9647,7 @@ } }, { - "id": 1096020392, + "id": 1496798347, "definition": { "title": "GetCallerIdentity", "title_size": "16", @@ -9689,7 +9689,7 @@ } }, { - "id": 982409756, + "id": 727248243, "definition": { "type": "note", "content": "### [ListTopics](https://traildiscover.cloud/#SNS-ListTopics)\n\n**Description:** Returns a list of the requester's topics.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9708,7 +9708,7 @@ } }, { - "id": 4220805923, + "id": 2670237940, "definition": { "title": "ListTopics", "title_size": "16", @@ -9750,7 +9750,7 @@ } }, { - "id": 754225058, + "id": 4146202358, "definition": { "type": "note", "content": "### [ListSubscriptions](https://traildiscover.cloud/#SNS-ListSubscriptions)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9769,7 +9769,7 @@ } }, { - "id": 4091960112, + "id": 1794224759, "definition": { "title": "ListSubscriptions", "title_size": "16", @@ -9811,7 +9811,7 @@ } }, { - "id": 1860643575, + "id": 1738989864, "definition": { "type": "note", "content": "### [ListOriginationNumbers](https://traildiscover.cloud/#SNS-ListOriginationNumbers)\n\n**Description:** Lists the calling AWS account's dedicated origination numbers and their metadata.\n\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9830,7 +9830,7 @@ } }, { - "id": 3050894981, + "id": 1534495913, "definition": { "title": "ListOriginationNumbers", "title_size": "16", 
@@ -9872,7 +9872,7 @@ } }, { - "id": 373088506, + "id": 3284829232, "definition": { "type": "note", "content": "### [GetSMSAttributes](https://traildiscover.cloud/#SNS-GetSMSAttributes)\n\n**Description:** Returns the settings for sending SMS messages from your AWS account.\n\n**Related Incidents:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -9891,7 +9891,7 @@ } }, { - "id": 1563339912, + "id": 3080335281, "definition": { "title": "GetSMSAttributes", "title_size": "16", @@ -9933,7 +9933,7 @@ } }, { - "id": 1054644381, + "id": 2756844759, "definition": { "type": "note", "content": "### [GetSMSSandboxAccountStatus](https://traildiscover.cloud/#SNS-GetSMSSandboxAccountStatus)\n\n**Description:** Retrieves the SMS sandbox status for the calling AWS account in the target AWS Region.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n**Related Research:**\n- [NEW PHONE, WHO DIS? HOW CLOUD ENVIRONMENTS ARE EXPLOITED FOR SMISHING CAMPAIGNS](https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/)\n", @@ -9952,7 +9952,7 @@ } }, { - "id": 2145556900, + "id": 305528273, "definition": { "title": "GetSMSSandboxAccountStatus", "title_size": "16", 
@@ -9994,7 +9994,7 @@ } }, { - "id": 573668689, + "id": 537695077, "definition": { "type": "note", "content": "### [IssueCertificate](https://traildiscover.cloud/#ACMPCA-IssueCertificate)\n\n**Description:** Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -10013,7 +10013,7 @@ } }, { - "id": 3812064856, + "id": 2381345887, "definition": { "title": "IssueCertificate", "title_size": "16", @@ -10055,7 +10055,7 @@ } }, { - "id": 1915890067, + "id": 2639065741, "definition": { "type": "note", "content": "### [GetCertificate](https://traildiscover.cloud/#ACMPCA-GetCertificate)\n\n**Description:** Retrieves a certificate from your private CA or one that has been shared with you.\n\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -10074,7 +10074,7 @@ } }, { - "id": 3006802586, + "id": 287088142, "definition": { "title": "GetCertificate", "title_size": "16", @@ -10116,7 +10116,7 @@ } }, { - "id": 1864057156, + "id": 1886799369, "definition": { "type": "note", "content": "### [DescribeLogGroups](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogGroups)\n\n**Description:** Lists the specified log groups.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10135,7 +10135,7 @@ } }, { - "id": 2954969675, + "id": 1682305418, "definition": { "title": "DescribeLogGroups", "title_size": "16", 
@@ -10177,7 +10177,7 @@ } }, { - "id": 873786691, + "id": 3751383631, "definition": { "type": "note", "content": "### [DescribeSubscriptionFilters](https://traildiscover.cloud/#CloudWatchLogs-DescribeSubscriptionFilters)\n\n**Description:** Lists the subscription filters for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10196,7 +10196,7 @@ } }, { - "id": 4112182858, + "id": 1300067145, "definition": { "title": "DescribeSubscriptionFilters", "title_size": "16", @@ -10238,7 +10238,7 @@ } }, { - "id": 2054186686, + "id": 1988340086, "definition": { "type": "note", "content": "### [DescribeLogStreams](https://traildiscover.cloud/#CloudWatchLogs-DescribeLogStreams)\n\n**Description:** Lists the log streams for the specified log group.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10257,7 +10257,7 @@ } }, { - "id": 997615557, + "id": 3931329783, "definition": { "title": "DescribeLogStreams", "title_size": "16", @@ -10299,7 +10299,7 @@ } }, { - "id": 754375096, + "id": 945240980, "definition": { "type": "note", "content": "### [GetLogRecord](https://traildiscover.cloud/#CloudWatchLogs-GetLogRecord)\n\n**Description:** Retrieves all of the fields and values of a single log event.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10318,7 +10318,7 @@ } }, { - "id": 4092110150, + "id": 740747029, "definition": { "title": "GetLogRecord", "title_size": "16", 
@@ -10360,7 +10360,7 @@ } }, { - "id": 3099598751, + "id": 2265090819, "definition": { "type": "note", "content": "### [GetQueryResults](https://traildiscover.cloud/#Athena-GetQueryResults)\n\n**Description:** Streams the results of a single query execution specified by QueryExecutionId from the Athena query results location in Amazon S3.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -10379,7 +10379,7 @@ } }, { - "id": 4289850157, + "id": 4208080516, "definition": { "title": "GetQueryResults", "title_size": "16", @@ -10421,7 +10421,7 @@ } }, { - "id": 2972822529, + "id": 3326519579, "definition": { "type": "note", "content": "### [ListTargetsByRule](https://traildiscover.cloud/#events-ListTargetsByRule)\n\n**Description:** Lists the targets assigned to the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -10440,7 +10440,7 @@ } }, { - "id": 4163073935, + "id": 3122025628, "definition": { "title": "ListTargetsByRule", "title_size": "16", @@ -10482,7 +10482,7 @@ } }, { - "id": 1937434596, + "id": 4269233854, "definition": { "type": "note", "content": "### [ListRules](https://traildiscover.cloud/#events-ListRules)\n\n**Description:** Lists your Amazon EventBridge rules. You can either list all the rules or you can provide a prefix to match to the rule names.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -10501,7 +10501,7 @@ } }, { - "id": 3028347115, + "id": 3965401016, "definition": { "title": "ListRules", "title_size": "16", 
@@ -10543,7 +10543,7 @@ } }, { - "id": 2999638554, + "id": 3955587979, "definition": { "type": "note", "content": "### [GetInstances](https://traildiscover.cloud/#LightSail-GetInstances)\n\n**Description:** Returns information about all Amazon Lightsail virtual private servers, or instances.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10562,7 +10562,7 @@ } }, { - "id": 4090551073, + "id": 1504271493, "definition": { "title": "GetInstances", "title_size": "16", @@ -10604,7 +10604,7 @@ } }, { - "id": 493167139, + "id": 2331118353, "definition": { "type": "note", "content": "### [GetRegions](https://traildiscover.cloud/#LightSail-GetRegions)\n\n**Description:** Returns a list of all valid regions for Amazon Lightsail.\n\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", @@ -10623,7 +10623,7 @@ } }, { - "id": 1584079658, + "id": 2027285515, "definition": { "title": "GetRegions", "title_size": "16", @@ -10665,7 +10665,7 @@ } }, { - "id": 812717245, + "id": 1248796810, "definition": { "type": "note", "content": "### [GetCostAndUsage](https://traildiscover.cloud/#CostExplorer-GetCostAndUsage)\n\n**Description:** Retrieves cost and usage metrics for your account.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -10684,7 +10684,7 @@ } }, { - "id": 2002968651, + "id": 1044302859, "definition": { "title": "GetCostAndUsage", "title_size": "16", 
@@ -10726,7 +10726,7 @@ } }, { - "id": 1868924573, + "id": 1356499999, "definition": { "type": "note", "content": "### [ListGroupsForUser](https://traildiscover.cloud/#IAM-ListGroupsForUser)\n\n**Description:** Lists the IAM groups that the specified IAM user belongs to.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -10745,7 +10745,7 @@ } }, { - "id": 911692331, + "id": 1152006048, "definition": { "title": "ListGroupsForUser", "title_size": "16", @@ -10787,7 +10787,7 @@ } }, { - "id": 3680481269, + "id": 4122139707, "definition": { "type": "note", "content": "### [ListAccessKeys](https://traildiscover.cloud/#IAM-ListAccessKeys)\n\n**Description:** Returns information about the access key IDs associated with the specified IAM user.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n", @@ -10806,7 +10806,7 @@ } }, { - "id": 2623910140, + "id": 3818306869, "definition": { "title": "ListAccessKeys", "title_size": "16", 
@@ -10848,10 +10848,10 @@ } }, { - "id": 3496847779, + "id": 3923357473, "definition": { "type": "note", - "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [ListUserPolicies](https://traildiscover.cloud/#IAM-ListUserPolicies)\n\n**Description:** Lists the names of the inline policies embedded in the specified IAM user.\n\n**Related Incidents:**\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10867,9 +10867,9 @@ } }, { - "id": 2440276650, + "id": 3718863522, "definition": { - "title": "SimulatePrincipalPolicy", + "title": "ListUserPolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -10887,7 +10887,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:SimulatePrincipalPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListUserPolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -10909,10 +10909,10 @@ } }, { - "id": 2889811885, + "id": 1851574869, "definition": { "type": "note", - "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [SimulatePrincipalPolicy](https://traildiscover.cloud/#IAM-SimulatePrincipalPolicy)\n\n**Description:** Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10928,9 +10928,9 @@ } }, { - "id": 3980724404, + "id": 1647080918, "definition": { - "title": "GetAccountAuthorizationDetails", + "title": "SimulatePrincipalPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -10948,7 +10948,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetAccountAuthorizationDetails $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:SimulatePrincipalPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -10970,10 +10970,10 @@ } }, { - "id": 3328720371, + "id": 1862758115, "definition": { "type": "note", - "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [GetAccountAuthorizationDetails](https://traildiscover.cloud/#IAM-GetAccountAuthorizationDetails)\n\n**Description:** Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another.\n\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -10989,9 +10989,9 @@ } }, { - "id": 2371488129, + "id": 1658264164, "definition": { - "title": "ListGroups", + "title": "GetAccountAuthorizationDetails", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11009,7 +11009,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListGroups $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccountAuthorizationDetails $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11031,10 +11031,10 @@ } }, { - "id": 834205587, + "id": 3020293223, "definition": { "type": "note", - "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [ListGroups](https://traildiscover.cloud/#IAM-ListGroups)\n\n**Description:** Lists the IAM groups that have the specified path prefix.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM 
Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11050,9 +11050,9 @@ } }, { - "id": 1925118106, + "id": 2815799272, "definition": { - "title": "ListUsers", + "title": "ListGroups", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11070,7 +11070,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListUsers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListGroups $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11092,10 +11092,10 @@ } }, { - "id": 3634734585, + "id": 2443747472, "definition": { "type": "note", - "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", + "content": "### [ListUsers](https://traildiscover.cloud/#IAM-ListUsers)\n\n**Description:** Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n**Related Research:**\n- [Following 
attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11111,9 +11111,9 @@ } }, { - "id": 2677502343, + "id": 91769873, "definition": { - "title": "ListRoles", + "title": "ListUsers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11131,7 +11131,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListRoles $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListUsers $userIdentity.arn $network.client.ip $account" } } ], @@ -11153,10 +11153,10 @@ } }, { - "id": 3240434235, + "id": 3969288169, "definition": { "type": "note", - "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListAttachedUserPolicies](https://traildiscover.cloud/#IAM-ListAttachedUserPolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM user.\n\n**Related Incidents:**\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11172,9 +11172,9 @@ } }, { - "id": 36379458, + "id": 1617310570, "definition": { - "title": "ListSAMLProviders", + "title": "ListAttachedUserPolicies", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -11192,7 +11192,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSAMLProviders $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAttachedUserPolicies $userIdentity.arn $network.client.ip $account" } } ], @@ -11214,10 +11214,10 @@ } }, { - "id": 2224965070, + "id": 3859453834, "definition": { "type": "note", - "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [ListRoles](https://traildiscover.cloud/#IAM-ListRoles)\n\n**Description:** Lists the IAM roles that have the specified path prefix. \n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n**Related Research:**\n- [AWS - IAM Enum](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11233,9 +11233,9 @@ } }, { - "id": 1267732828, + "id": 3654959883, "definition": { - "title": "GetUser", + "title": "ListRoles", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11253,7 +11253,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetUser $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListRoles $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11275,10 +11275,10 @@ } }, { - "id": 2439399618, + "id": 791346769, "definition": { "type": "note", - "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListSAMLProviders](https://traildiscover.cloud/#IAM-ListSAMLProviders)\n\n**Description:** Lists the SAML provider resource objects defined in IAM in the account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11294,9 +11294,9 @@ } }, { - "id": 1482167376, + "id": 586852818, "definition": { - "title": "ListAttachedRolePolicies", + "title": "ListSAMLProviders", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11314,7 +11314,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListAttachedRolePolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSAMLProviders $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11336,10 +11336,10 @@ } }, { - "id": 895838360, + "id": 1736638107, "definition": { "type": "note", - "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [GetUser](https://traildiscover.cloud/#IAM-GetUser)\n\n**Description:** Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.\n\n**Related Incidents:**\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11355,9 +11355,9 @@ } }, { - "id": 4233573414, + "id": 1532144156, "definition": { - "title": "ListServiceSpecificCredentials", + "title": "GetUser", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11375,7 +11375,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListServiceSpecificCredentials $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetUser $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11397,10 +11397,10 @@ } }, { - "id": 3929695115, + "id": 3486075529, "definition": { "type": "note", - "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", + "content": "### [ListAttachedRolePolicies](https://traildiscover.cloud/#IAM-ListAttachedRolePolicies)\n\n**Description:** Lists all managed policies that are attached to the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11416,9 +11416,9 @@ } }, { - "id": 2873123986, + "id": 1134097930, "definition": { - "title": "ListRolePolicies", + "title": "ListAttachedRolePolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11436,7 +11436,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListRolePolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAttachedRolePolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11458,10 +11458,10 @@ } }, { - "id": 2530051152, + "id": 682015333, "definition": { "type": "note", - "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListServiceSpecificCredentials](https://traildiscover.cloud/#IAM-ListServiceSpecificCredentials)\n\n**Description:** Returns information about the service-specific credentials associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11477,9 +11477,9 @@ } }, { - "id": 3620963671, + "id": 2525666143, "definition": { - "title": "ListSigningCertificates", + "title": "ListServiceSpecificCredentials", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11497,7 +11497,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSigningCertificates $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListServiceSpecificCredentials $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11519,10 +11519,10 @@ } }, { - "id": 1477347673, + "id": 886347585, "definition": { "type": "note", - "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [ListRolePolicies](https://traildiscover.cloud/#IAM-ListRolePolicies)\n\n**Description:** Lists the names of the inline policies that are embedded in the specified IAM role.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11538,9 +11538,9 @@ } }, { - "id": 520115431, + "id": 2829337282, "definition": { - "title": "ListInstanceProfiles", + "title": "ListRolePolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11558,7 +11558,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListInstanceProfiles $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListRolePolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11580,10 +11580,10 @@ } }, { - "id": 1686281631, + "id": 3717278268, "definition": { "type": "note", - "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListSigningCertificates](https://traildiscover.cloud/#IAM-ListSigningCertificates)\n\n**Description:** Returns information about the signing certificates associated with the specified IAM user.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11599,9 +11599,9 @@ } }, { - "id": 2777194150, + "id": 3512784317, "definition": { - "title": "ListSSHPublicKeys", + "title": "ListSigningCertificates", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11619,7 +11619,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListSSHPublicKeys $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSigningCertificates $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11641,10 +11641,10 @@ } }, { - "id": 3063230615, + "id": 862158392, "definition": { "type": "note", - "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [ListInstanceProfiles](https://traildiscover.cloud/#IAM-ListInstanceProfiles)\n\n**Description:** Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11660,9 +11660,9 @@ } }, { - "id": 2006659486, + "id": 2805148089, "definition": { - "title": "ListOpenIDConnectProviders", + "title": "ListInstanceProfiles", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11680,7 +11680,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListOpenIDConnectProviders $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListInstanceProfiles $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11702,10 +11702,10 @@ } }, { - "id": 959645483, + "id": 3618444072, "definition": { "type": "note", - "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [ListSSHPublicKeys](https://traildiscover.cloud/#IAM-ListSSHPublicKeys)\n\n**Description:** Returns information about the SSH public keys associated with the specified IAM user.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11721,9 +11721,9 @@ } }, { - "id": 4198041650, + "id": 3413950121, "definition": { - "title": "GetLoginProfile", + "title": "ListSSHPublicKeys", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11741,7 +11741,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetLoginProfile $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListSSHPublicKeys $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11763,10 +11763,10 @@ } }, { - "id": 448167256, + "id": 3999469187, "definition": { "type": "note", - "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", + "content": "### [ListOpenIDConnectProviders](https://traildiscover.cloud/#IAM-ListOpenIDConnectProviders)\n\n**Description:** Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11782,9 +11782,9 @@ } }, { - "id": 1638418662, + "id": 3794975236, "definition": { - "title": "DescribeLoadBalancers", + "title": "ListOpenIDConnectProviders", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11802,7 +11802,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeLoadBalancers $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListOpenIDConnectProviders $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11824,10 +11824,10 @@ } }, { - "id": 4239115263, + "id": 501959930, "definition": { "type": "note", - "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", + "content": "### [GetLoginProfile](https://traildiscover.cloud/#IAM-GetLoginProfile)\n\n**Description:** Retrieves the user name for the specified IAM user.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11843,9 +11843,9 @@ } }, { - "id": 1035060486, + "id": 297465979, "definition": { - "title": "DescribeListeners", + "title": "GetLoginProfile", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11863,7 +11863,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeListeners $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetLoginProfile $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11885,10 +11885,10 @@ } }, { - "id": 3060174608, + "id": 1248756874, "definition": { "type": "note", - "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [DescribeLoadBalancers](https://traildiscover.cloud/#ELBv2-DescribeLoadBalancers)\n\n**Description:** Describes the specified load balancers or all of your load balancers.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11904,9 +11904,9 @@ } }, { - "id": 4151087127, + "id": 3191746571, "definition": { - "title": "ListAssociatedAccessPolicies", + "title": "DescribeLoadBalancers", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11924,7 +11924,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListAssociatedAccessPolicies $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeLoadBalancers $userIdentity.arn $network.client.ip $account" } } ], 
@@ -11946,10 +11946,10 @@ } }, { - "id": 401277949, + "id": 1334332711, "definition": { "type": "note", - "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [DescribeListeners](https://traildiscover.cloud/#ELBv2-DescribeListeners)\n\n**Description:** Describes the specified listeners or the listeners for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer.\n\n**Related Research:**\n- [Rigging the Rules: Manipulating AWS ALB to Mine Sensitive Data](https://medium.com/@adan.alvarez/rigging-the-rules-manipulating-aws-alb-to-mine-sensitive-data-20e33dbc4994)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -11965,9 +11965,9 @@ } }, { - "id": 1492190468, + "id": 1030499873, "definition": { - "title": "ListClusters", + "title": "DescribeListeners", "title_size": "16", "title_align": "left", "type": "query_value", @@ -11985,7 +11985,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListClusters $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeListeners $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12007,10 +12007,10 @@ } }, { - "id": 3777632492, + "id": 404161284, "definition": { "type": "note", - "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [ListAssociatedAccessPolicies](https://traildiscover.cloud/#EKS-ListAssociatedAccessPolicies)\n\n**Description:** Lists the access policies associated with an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12026,9 +12026,9 @@ } }, { - "id": 672916602, + "id": 2347150981, "definition": { - "title": "DescribeAccessEntry", + "title": "ListAssociatedAccessPolicies", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12046,7 +12046,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeAccessEntry $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListAssociatedAccessPolicies $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12068,10 +12068,10 @@ } }, { - "id": 1849157267, + "id": 3534545537, "definition": { "type": "note", - "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", + "content": "### [ListClusters](https://traildiscover.cloud/#EKS-ListClusters)\n\n**Description:** Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12087,9 +12087,9 @@ } }, { - "id": 3039408673, + "id": 1083229051, "definition": { - "title": "DescribeCluster", + "title": "ListClusters", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12107,7 +12107,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:DescribeCluster $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListClusters $userIdentity.arn $network.client.ip $account" } } ], 
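Review bot: The query on the new side of the last hunk, `source:cloudtrail @evt.name:ListClusters $userIdentity.arn $network.client.ip $account`, filters on the event name alone, so this panel in the EKS group will also count `ListClusters` calls recorded for other services that emit the same event name (ECS, EMR and MSK, among others); the same applies to the `DescribeCluster` panel two hunks below and, more acutely, to the generic `Search` panel that follows it. Adding a constraint on the attribute the pipeline maps CloudTrail's `eventSource` to (for EKS, `eks.amazonaws.com`) would make the count specific to the service the note above the widget describes. Because the same query shape recurs across the section, the change presumably belongs in whatever produces these query strings rather than in each widget individually.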
@@ -12129,10 +12129,10 @@ } }, { - "id": 4140523207, + "id": 3818392771, "definition": { "type": "note", - "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [DescribeAccessEntry](https://traildiscover.cloud/#EKS-DescribeAccessEntry)\n\n**Description:** Describes an access entry.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12148,9 +12148,9 @@ } }, { - "id": 1035807317, + "id": 1466415172, "definition": { - "title": "Search", + "title": "DescribeAccessEntry", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12168,7 +12168,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Search $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeAccessEntry $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12190,10 +12190,10 @@ } }, { - "id": 850507266, + "id": 1850963615, "definition": { "type": "note", - "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", + "content": "### [DescribeCluster](https://traildiscover.cloud/#EKS-DescribeCluster)\n\n**Description:** Describes an Amazon EKS cluster.\n\n**Related Research:**\n- [New attack vectors in EKS](https://www.wiz.io/blog/new-attack-vectors-emerge-via-recent-eks-access-entries-and-pod-identity-features)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12209,9 +12209,9 @@ } }, { - "id": 4088903433, + "id": 1547130777, "definition": { - "title": "LookupEvents", + "title": "DescribeCluster", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12229,7 +12229,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:LookupEvents $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeCluster $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12251,10 +12251,10 @@ } }, { - "id": 2941037382, + "id": 4057653683, "definition": { "type": "note", - "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", + "content": "### [Search](https://traildiscover.cloud/#ResourceExplorer-Search)\n\n**Description:** Searches for resources and displays details about all resources that match the specified criteria.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12270,9 +12270,9 @@ } }, { - "id": 4031949901, + "id": 1606337197, "definition": { - "title": "GetIntrospectionSchema", + "title": "Search", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12290,7 +12290,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetIntrospectionSchema $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Search $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12312,10 +12312,10 @@ } }, { - "id": 2305913850, + "id": 4111625794, "definition": { "type": "note", - "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [DescribeKey](https://traildiscover.cloud/#KMS-DescribeKey)\n\n**Description:** Provides detailed information about a KMS key.\n\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12331,9 +12331,9 @@ } }, { - "id": 1249342721, + "id": 3907131843, "definition": { - "title": "GetBucketVersioning", + "title": "DescribeKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12351,7 +12351,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:DescribeKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12373,10 +12373,10 @@ } }, { - "id": 1769037376, + "id": 4069175026, "definition": { "type": "note", - "content": "### [GetBucketAccelerateConfiguration](https://traildiscover.cloud/#S3-GetBucketAccelerateConfiguration)\n\n**Description:** This implementation of the GET action uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [LookupEvents](https://traildiscover.cloud/#CloudTrail-LookupEvents)\n\n**Description:** Looks up management events or CloudTrail Insights events that are captured by CloudTrail.\n\n**Related Incidents:**\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12392,9 +12392,9 @@ } }, { - "id": 2959288782, + "id": 1617858540, "definition": { - "title": "GetBucketAccelerateConfiguration", + "title": "LookupEvents", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12412,7 +12412,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketAccelerateConfiguration $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:LookupEvents $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12434,10 +12434,10 @@ } }, { - "id": 1579185876, + "id": 3714751207, "definition": { "type": "note", - "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetIntrospectionSchema](https://traildiscover.cloud/#AppSync-GetIntrospectionSchema)\n\n**Description:** Retrieves the introspection schema for a GraphQL API.\n\n**Related Research:**\n- [Distorting the Sync: How AWS AppSync Can Be Turned into an Attacker\u2019s Backdoor](https://medium.com/@adan.alvarez/distorting-the-sync-how-aws-appsync-can-be-turned-into-an-attackers-backdoor-8c015b8e52b8)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12453,9 +12453,9 @@ } }, { - "id": 522614747, + "id": 3510257256, "definition": { - "title": "GetBucketLogging", + "title": "GetIntrospectionSchema", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12473,7 +12473,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketLogging $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetIntrospectionSchema $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12495,10 +12495,10 @@ } }, { - "id": 1997262425, + "id": 2769069321, "definition": { "type": "note", - "content": "### [GetObjectLockConfiguration](https://traildiscover.cloud/#S3-GetObjectLockConfiguration)\n\n**Description:** Gets the Object Lock configuration for a bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketVersioning](https://traildiscover.cloud/#S3-GetBucketVersioning)\n\n**Description:** Returns the versioning state of a bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12514,9 +12514,9 @@ } }, { - "id": 1040030183, + "id": 317752835, "definition": { - "title": "GetObjectLockConfiguration", + "title": "GetBucketVersioning", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12534,7 +12534,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetObjectLockConfiguration $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketVersioning $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12556,10 +12556,10 @@ } }, { - "id": 4127218646, + "id": 4036089927, "definition": { "type": "note", - "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", + "content": "### [GetBucketAccelerateConfiguration](https://traildiscover.cloud/#S3-GetBucketAccelerateConfiguration)\n\n**Description:** This implementation of the GET action uses the accelerate subresource to return the Transfer Acceleration state of a bucket, which is either Enabled or Suspended.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12575,9 +12575,9 @@ } }, { - "id": 3070647517, + "id": 1584773441, "definition": { - "title": "GetBucketPolicy", + "title": "GetBucketAccelerateConfiguration", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12595,7 +12595,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketPolicy $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketAccelerateConfiguration $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12617,10 +12617,10 @@ } }, { - "id": 2702650348, + "id": 1238170167, "definition": { "type": "note", - "content": "### [GetBucketOwnershipControls](https://traildiscover.cloud/#S3-GetBucketOwnershipControls)\n\n**Description:** Retrieves OwnershipControls for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketLogging](https://traildiscover.cloud/#S3-GetBucketLogging)\n\n**Description:** Returns the logging status of a bucket and the permissions users have to view and modify that status.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12636,9 +12636,9 @@ } }, { - "id": 3793562867, + "id": 3081820977, "definition": { - "title": "GetBucketOwnershipControls", + "title": "GetBucketLogging", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12656,7 +12656,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketOwnershipControls $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketLogging $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12678,10 +12678,10 @@ } }, { - "id": 1320031178, + "id": 1519756871, "definition": { "type": "note", - "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### 
[GetObjectLockConfiguration](https://traildiscover.cloud/#S3-GetObjectLockConfiguration)\n\n**Description:** Gets the Object Lock configuration for a bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12697,9 +12697,9 @@ } }, { - "id": 2510282584, + "id": 3363407681, "definition": { - "title": "ListBuckets", + "title": "GetObjectLockConfiguration", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12717,7 +12717,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListBuckets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetObjectLockConfiguration $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12739,10 +12739,10 @@ } }, { - "id": 81063197, + "id": 3051757797, "definition": { "type": "note", - "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketPolicy](https://traildiscover.cloud/#S3-GetBucketPolicy)\n\n**Description:** Returns the policy of a specified bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12758,9 +12758,9 @@ } }, { - "id": 3319459364, + "id": 2847263846, "definition": { - "title": "GetBucketReplication", + "title": "GetBucketPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12778,7 +12778,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketReplication $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketPolicy $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12800,10 +12800,10 @@ } }, { - "id": 2851903525, + "id": 2076173157, "definition": { "type": "note", - "content": "### [GetBucketLocation](https://traildiscover.cloud/#S3-GetBucketLocation)\n\n**Description:** Returns the Region the bucket resides in.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketOwnershipControls](https://traildiscover.cloud/#S3-GetBucketOwnershipControls)\n\n**Description:** Retrieves OwnershipControls for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12819,9 +12819,9 @@ } }, { - "id": 1894671283, + "id": 3919823967, "definition": { - "title": "GetBucketLocation", + "title": "GetBucketOwnershipControls", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12839,7 +12839,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketLocation $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketOwnershipControls $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12861,10 +12861,10 @@ } }, { - "id": 2048637606, + "id": 2643162699, "definition": { "type": "note", - "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", + "content": "### [ListBuckets](https://traildiscover.cloud/#S3-ListBuckets)\n\n**Description:** Returns a list of all buckets owned by the authenticated sender of the request.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the 
Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12880,9 +12880,9 @@ } }, { - "id": 3139550125, + "id": 2438668748, "definition": { - "title": "GetBucketAcl", + "title": "ListBuckets", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12900,7 +12900,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketAcl $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListBuckets $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12922,10 +12922,10 @@ } }, { - "id": 2163560653, + "id": 2420783056, "definition": { "type": "note", - "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [GetBucketReplication](https://traildiscover.cloud/#S3-GetBucketReplication)\n\n**Description:** Returns the replication configuration of a bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -12941,9 +12941,9 @@ } }, { - "id": 1206328411, + "id": 2216289105, "definition": { - "title": "HeadObject", + "title": "GetBucketReplication", "title_size": "16", "title_align": "left", "type": "query_value", @@ -12961,7 +12961,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:HeadObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketReplication $userIdentity.arn $network.client.ip $account" } } ], 
@@ -12983,10 +12983,10 @@ } }, { - "id": 3341328680, + "id": 346502853, "definition": { "type": "note", - "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [GetBucketLocation](https://traildiscover.cloud/#S3-GetBucketLocation)\n\n**Description:** Returns the Region the bucket resides in.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13002,9 +13002,9 @@ } }, { - "id": 137273903, + "id": 2289492550, "definition": { - "title": "ListVaults", + "title": "GetBucketLocation", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13022,7 +13022,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListVaults $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketLocation $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13044,10 +13044,10 @@ } }, { - "id": 1264444224, + "id": 2968801981, "definition": { "type": "note", - "content": "### [GetBucketLifecycle](https://traildiscover.cloud/#S3-GetBucketLifecycle)\n\n**Description:** Returns the lifecycle configuration information set on the bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketAcl](https://traildiscover.cloud/#S3-GetBucketAcl)\n\n**Description:** This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Public S3 bucket through bucket ACL](https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/s3-bucket-public-acl/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13063,9 +13063,9 @@ } }, { - "id": 207873095, + "id": 2764308030, "definition": { - "title": "GetBucketLifecycle", + "title": "GetBucketAcl", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13083,7 +13083,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketLifecycle $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketAcl $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13105,10 +13105,10 @@ } }, { - "id": 2286534098, + "id": 1083948468, "definition": { "type": "note", - "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [HeadObject](https://traildiscover.cloud/#S3-HeadObject)\n\n**Description:** The HEAD operation retrieves metadata from an object without returning the object itself.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13124,9 +13124,9 @@ } }, { - "id": 3377446617, + "id": 879454517, "definition": { - "title": "GetPublicAccessBlock", + "title": "HeadObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13144,7 +13144,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetPublicAccessBlock $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:HeadObject $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13166,10 +13166,10 @@ } }, { - "id": 970529948, + "id": 2731443009, "definition": { "type": "note", - "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [ListVaults](https://traildiscover.cloud/#S3-ListVaults)\n\n**Description:** This operation lists all vaults owned by the calling user\u2019s account.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13185,9 +13185,9 @@ } }, { - "id": 13297706, + "id": 280126523, "definition": { - "title": "GetBucketTagging", + "title": "ListVaults", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13205,7 +13205,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketTagging $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListVaults $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13227,10 +13227,10 @@ } }, { - "id": 3618420199, + "id": 3390968417, "definition": { "type": "note", - "content": "### [GetBucketRequestPayment](https://traildiscover.cloud/#S3-GetBucketRequestPayment)\n\n**Description:** Returns the request payment configuration of a bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", + "content": "### [GetBucketLifecycle](https://traildiscover.cloud/#S3-GetBucketLifecycle)\n\n**Description:** Returns the lifecycle configuration information set on the bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13246,9 +13246,9 @@ } }, { - "id": 414365422, + "id": 939651931, "definition": { - "title": "GetBucketRequestPayment", + "title": "GetBucketLifecycle", "title_size": "16", "title_align": "left", "type": "query_value", @@ -13266,7 +13266,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetBucketRequestPayment $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetBucketLifecycle $userIdentity.arn $network.client.ip $account" } } ], 
@@ -13288,10 +13288,10 @@ } }, { - "id": 1720096311, + "id": 922257459, "definition": { "type": "note", - "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n", + "content": "### [GetPublicAccessBlock](https://traildiscover.cloud/#S3-GetPublicAccessBlock)\n\n**Description:** Retrieves the PublicAccessBlock configuration for an Amazon S3 bucket.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -13307,9 +13307,9 @@ } }, { - "id": 663525182, + "id": 2865247156, "definition": { - "title": "ListObjects", + "title": "GetPublicAccessBlock", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -13327,7 +13327,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListObjects $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetPublicAccessBlock $userIdentity.arn $network.client.ip $account" } } ], @@ -13349,10 +13349,10 @@ } }, { - "id": 777805446, + "id": 1499248781, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", + "content": "### [GetBucketTagging](https://traildiscover.cloud/#S3-GetBucketTagging)\n\n**Description:** Returns the tag set associated with the bucket.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -13368,9 +13368,9 @@
  }
  },
  {
- "id": 4115540500,
+ "id": 3342899591,
  "definition": {
- "title": "InvokeModel",
+ "title": "GetBucketTagging",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13388,7 +13388,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetBucketTagging $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13410,10 +13410,10 @@
  }
  },
  {
- "id": 1850803774,
+ "id": 2312530203,
  "definition": {
  "type": "note",
- "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
+ "content": "### [GetBucketRequestPayment](https://traildiscover.cloud/#S3-GetBucketRequestPayment)\n\n**Description:** Returns the request payment configuration of a bucket.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13429,9 +13429,9 @@
  }
  },
  {
- "id": 794232645,
+ "id": 4156181013,
  "definition": {
- "title": "GetUseCaseForModelAccess",
+ "title": "GetBucketRequestPayment",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13449,7 +13449,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetUseCaseForModelAccess $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetBucketRequestPayment $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13471,10 +13471,10 @@
  }
  },
  {
- "id": 146132105,
+ "id": 2979680208,
  "definition": {
  "type": "note",
- "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
+ "content": "### [ListObjects](https://traildiscover.cloud/#S3-ListObjects)\n\n**Description:** Returns some or all (up to 1,000) of the objects in a bucket.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13490,9 +13490,9 @@
  }
  },
  {
- "id": 3483867159,
+ "id": 627702609,
  "definition": {
- "title": "ListProvisionedModelThroughputs",
+ "title": "ListObjects",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13510,7 +13510,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:ListProvisionedModelThroughputs $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListObjects $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
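Review bot: The new `ListObjects` query in this hunk will sit at zero on most accounts because, as far as I recall, CloudTrail records ListObjects as an S3 data event and trails do not log data events unless that is switched on per trail or via an advanced event selector; the neighbouring S3 panels (GetPublicAccessBlock, GetBucketTagging, GetBucketRequestPayment) are management events and do not have this problem. A zero here reads as "no enumeration happened" rather than "not logged", which is the wrong conclusion during an incident. The widget's note content (the `"content"` string of the ListObjects note in the preceding hunk) could carry a one-line caveat such as `\n\n**Note:** S3 data event logging must be enabled on the trail for this event to appear.` The incident links listed for this event are exactly the ones where object enumeration preceded ransom or exfiltration, so the caveat is worth the space.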
@@ -13532,10 +13532,10 @@
  }
  },
  {
- "id": 2847018181,
+ "id": 377794045,
  "definition": {
  "type": "note",
- "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
+ "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
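Review bot: The InvokeModel note gains a sixth incident link in this hunk but still says nothing about what the CloudTrail record contains, and responders regularly expect the prompt to be in it: CloudTrail logs the InvokeModel call (identity, source IP, model ARN in the request parameters) but not the request or response body, which only exists if Bedrock model invocation logging has been turned on. The dashboard already has a GetModelInvocationLoggingConfiguration panel further down, which is the event attackers in the linked LLMjacking write-ups use to check whether that logging is enabled, so the two notes belong together. A short addition to the `"content"` string would do it: `\n\n**Note:** CloudTrail records the invocation but not the prompt or response; enable Bedrock model invocation logging to capture those.` The dashboard-wide query shape (`source:cloudtrail @evt.name:InvokeModel …`) counts successes and AccessDenied/ValidationException failures together, which is fine for a discovery dashboard, but the note could say that failed calls are the early signal in the linked cases.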
@@ -13551,9 +13551,9 @@
  }
  },
  {
- "id": 3937930700,
+ "id": 2221444855,
  "definition": {
- "title": "GetFoundationModelAvailability",
+ "title": "InvokeModel",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13571,7 +13571,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetFoundationModelAvailability $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:InvokeModel $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13593,10 +13593,10 @@
  }
  },
  {
- "id": 2705798613,
+ "id": 3629245304,
  "definition": {
  "type": "note",
- "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
+ "content": "### [GetUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-GetUseCaseForModelAccess)\n\n**Description:** Grants permission to retrieve a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13612,9 +13612,9 @@
  }
  },
  {
- "id": 1748566371,
+ "id": 3424751353,
  "definition": {
- "title": "ListFoundationModels",
+ "title": "GetUseCaseForModelAccess",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13632,7 +13632,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:ListFoundationModels $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetUseCaseForModelAccess $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13654,10 +13654,10 @@
  }
  },
  {
- "id": 4282089739,
+ "id": 1383366465,
  "definition": {
  "type": "note",
- "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
+ "content": "### [ListProvisionedModelThroughputs](https://traildiscover.cloud/#Bedrock-ListProvisionedModelThroughputs)\n\n**Description:** Grants permission to list provisioned model throughputs that you created earlier.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13673,9 +13673,9 @@
  }
  },
  {
- "id": 3225518610,
+ "id": 3227017275,
  "definition": {
- "title": "ListFoundationModelAgreementOffers",
+ "title": "ListProvisionedModelThroughputs",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13693,7 +13693,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:ListFoundationModelAgreementOffers $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListProvisionedModelThroughputs $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13715,10 +13715,10 @@
  }
  },
  {
- "id": 4208792156,
+ "id": 972391848,
  "definition": {
  "type": "note",
- "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n",
+ "content": "### [GetFoundationModelAvailability](https://traildiscover.cloud/#Bedrock-GetFoundationModelAvailability)\n\n**Description:** Grants permission to get the availability of a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13734,9 +13734,9 @@
  }
  },
  {
- "id": 1004737379,
+ "id": 2915381545,
  "definition": {
- "title": "GetModelInvocationLoggingConfiguration",
+ "title": "GetFoundationModelAvailability",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13754,7 +13754,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetModelInvocationLoggingConfiguration $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetFoundationModelAvailability $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13776,10 +13776,10 @@
  }
  },
  {
- "id": 2471368066,
+ "id": 3872187567,
  "definition": {
  "type": "note",
- "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [ListFoundationModels](https://traildiscover.cloud/#Bedrock-ListFoundationModels)\n\n**Description:** Grants permission to list Bedrock foundation models that you can use.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13795,9 +13795,9 @@
  }
  },
  {
- "id": 3562280585,
+ "id": 3667693616,
  "definition": {
- "title": "GetConsoleScreenshot",
+ "title": "ListFoundationModels",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13815,7 +13815,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetConsoleScreenshot $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListFoundationModels $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13837,10 +13837,10 @@
  }
  },
  {
- "id": 3803752867,
+ "id": 1482959119,
  "definition": {
  "type": "note",
- "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [ListFoundationModelAgreementOffers](https://traildiscover.cloud/#Bedrock-ListFoundationModelAgreementOffers)\n\n**Description:** Grants permission to get a list of foundation model agreement offers.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13856,9 +13856,9 @@
  }
  },
  {
- "id": 599698090,
+ "id": 1278465168,
  "definition": {
- "title": "DescribeSnapshotTierStatus",
+ "title": "ListFoundationModelAgreementOffers",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13876,7 +13876,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeSnapshotTierStatus $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListFoundationModelAgreementOffers $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13898,10 +13898,10 @@
  }
  },
  {
- "id": 901308461,
+ "id": 2240951590,
  "definition": {
  "type": "note",
- "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetModelInvocationLoggingConfiguration](https://traildiscover.cloud/#Bedrock-GetModelInvocationLoggingConfiguration)\n\n**Description:** Get the current configuration values for model invocation logging.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13917,9 +13917,9 @@
  }
  },
  {
- "id": 1992220980,
+ "id": 4183941287,
  "definition": {
- "title": "DescribeImages",
+ "title": "GetModelInvocationLoggingConfiguration",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13937,7 +13937,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeImages $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetModelInvocationLoggingConfiguration $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -13959,10 +13959,10 @@
  }
  },
  {
- "id": 3553601714,
+ "id": 3203197117,
  "definition": {
  "type": "note",
- "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetConsoleScreenshot](https://traildiscover.cloud/#EC2-GetConsoleScreenshot)\n\n**Description:** Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -13978,9 +13978,9 @@
  }
  },
  {
- "id": 349546937,
+ "id": 751880631,
  "definition": {
- "title": "GetEbsDefaultKmsKeyId",
+ "title": "GetConsoleScreenshot",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -13998,7 +13998,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetEbsDefaultKmsKeyId $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetConsoleScreenshot $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14020,10 +14020,10 @@
  }
  },
  {
- "id": 474641864,
+ "id": 193363509,
  "definition": {
  "type": "note",
- "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeSnapshotTierStatus](https://traildiscover.cloud/#EC2-DescribeSnapshotTierStatus)\n\n**Description:** Describes the storage tier status of one or more Amazon EBS snapshots.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14039,9 +14039,9 @@
  }
  },
  {
- "id": 1565554383,
+ "id": 2037014319,
  "definition": {
- "title": "DescribeAvailabilityZones",
+ "title": "DescribeSnapshotTierStatus",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14059,7 +14059,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeAvailabilityZones $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeSnapshotTierStatus $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14081,10 +14081,10 @@
  }
  },
  {
- "id": 2906479043,
+ "id": 248586109,
  "definition": {
  "type": "note",
- "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
+ "content": "### [DescribeImages](https://traildiscover.cloud/#EC2-DescribeImages)\n\n**Description:** Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14100,9 +14100,9 @@
  }
  },
  {
- "id": 1949246801,
+ "id": 4239720567,
  "definition": {
- "title": "DescribeInstances",
+ "title": "DescribeImages",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14120,7 +14120,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeInstances $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeImages $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14142,10 +14142,10 @@
  }
  },
  {
- "id": 3184150382,
+ "id": 701978413,
  "definition": {
  "type": "note",
- "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetEbsDefaultKmsKeyId](https://traildiscover.cloud/#EC2-GetEbsDefaultKmsKeyId)\n\n**Description:** Describes the default AWS KMS key for EBS encryption by default for your account in this Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14161,9 +14161,9 @@
  }
  },
  {
- "id": 2127579253,
+ "id": 2644968110,
  "definition": {
- "title": "GetTransitGatewayRouteTableAssociations",
+ "title": "GetEbsDefaultKmsKeyId",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14181,7 +14181,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetTransitGatewayRouteTableAssociations $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetEbsDefaultKmsKeyId $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14203,10 +14203,10 @@
  }
  },
  {
- "id": 1965443205,
+ "id": 839858024,
  "definition": {
  "type": "note",
- "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeAvailabilityZones](https://traildiscover.cloud/#EC2-DescribeAvailabilityZones)\n\n**Description:** Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14222,9 +14222,9 @@
  }
  },
  {
- "id": 908872076,
+ "id": 2782847721,
  "definition": {
- "title": "GetLaunchTemplateData",
+ "title": "DescribeAvailabilityZones",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14242,7 +14242,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeAvailabilityZones $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14264,10 +14264,10 @@
  }
  },
  {
- "id": 3932470382,
+ "id": 4177922683,
  "definition": {
  "type": "note",
- "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n",
+ "content": "### [DescribeInstances](https://traildiscover.cloud/#EC2-DescribeInstances)\n\n**Description:** Describes the specified instances or all instances.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14283,9 +14283,9 @@
  }
  },
  {
- "id": 728415605,
+ "id": 1825945084,
  "definition": {
- "title": "DescribeKeyPairs",
+ "title": "DescribeInstances",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14303,7 +14303,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeKeyPairs $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeInstances $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14325,10 +14325,10 @@
  }
  },
  {
- "id": 1052075418,
+ "id": 3562318832,
  "definition": {
  "type": "note",
- "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetTransitGatewayRouteTableAssociations](https://traildiscover.cloud/#EC2-GetTransitGatewayRouteTableAssociations)\n\n**Description:** Gets information about the associations for the specified transit gateway route table.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14344,9 +14344,9 @@
  }
  },
  {
- "id": 4290471585,
+ "id": 3258485994,
  "definition": {
- "title": "GetEbsEncryptionByDefault",
+ "title": "GetTransitGatewayRouteTableAssociations",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14364,7 +14364,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetEbsEncryptionByDefault $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetTransitGatewayRouteTableAssociations $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14386,10 +14386,10 @@
  }
  },
  {
- "id": 2705889820,
+ "id": 827618741,
  "definition": {
  "type": "note",
- "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14405,9 +14405,9 @@
  }
  },
  {
- "id": 3896141226,
+ "id": 2671269551,
  "definition": {
- "title": "DescribeCarrierGateways",
+ "title": "GetLaunchTemplateData",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14425,7 +14425,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeCarrierGateways $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14447,10 +14447,10 @@
  }
  },
  {
- "id": 185121767,
+ "id": 588284486,
  "definition": {
  "type": "note",
- "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeKeyPairs](https://traildiscover.cloud/#EC2-DescribeKeyPairs)\n\n**Description:** Describes the specified key pairs or all of your key pairs.\n\n**Related Incidents:**\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14466,9 +14466,9 @@
  }
  },
  {
- "id": 1276034286,
+ "id": 383790535,
  "definition": {
- "title": "GetFlowLogsIntegrationTemplate",
+ "title": "DescribeKeyPairs",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14486,7 +14486,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:GetFlowLogsIntegrationTemplate $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeKeyPairs $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14508,10 +14508,10 @@
  }
  },
  {
- "id": 76449156,
+ "id": 493318603,
  "definition": {
  "type": "note",
- "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetEbsEncryptionByDefault](https://traildiscover.cloud/#EC2-GetEbsEncryptionByDefault)\n\n**Description:** Describes whether EBS encryption by default is enabled for your account in the current Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14527,9 +14527,9 @@
  }
  },
  {
- "id": 1266700562,
+ "id": 288824652,
  "definition": {
- "title": "DescribeTransitGatewayMulticastDomains",
+ "title": "GetEbsEncryptionByDefault",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14547,7 +14547,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeTransitGatewayMulticastDomains $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetEbsEncryptionByDefault $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14569,10 +14569,10 @@
  }
  },
  {
- "id": 2974938257,
+ "id": 2471477427,
  "definition": {
  "type": "note",
- "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeCarrierGateways](https://traildiscover.cloud/#EC2-DescribeCarrierGateways)\n\n**Description:** Describes one or more of your carrier gateways.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
  "background_color": "white",
  "font_size": "14",
  "text_align": "left",
@@ -14588,9 +14588,9 @@
  }
  },
  {
- "id": 4165189663,
+ "id": 2167644589,
  "definition": {
- "title": "DescribeInstanceAttribute",
+ "title": "DescribeCarrierGateways",
  "title_size": "16",
  "title_align": "left",
  "type": "query_value",
@@ -14608,7 +14608,7 @@
  "aggregation": "count"
  },
  "search": {
- "query": "source:cloudtrail @evt.name:DescribeInstanceAttribute $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeCarrierGateways $userIdentity.arn $network.client.ip $account"
  }
  }
  ],
@@ -14630,10 +14630,10 @@
 }
 },
 {
- "id": 2506242920,
+ "id": 3698243907,
 "definition": {
 "type": "note",
- "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [GetFlowLogsIntegrationTemplate](https://traildiscover.cloud/#EC2-GetFlowLogsIntegrationTemplate)\n\n**Description:** Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs with Amazon Athena.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14649,9 +14649,9 @@
 }
 },
 {
- "id": 3696494326,
+ "id": 3394411069,
 "definition": {
- "title": "DescribeDhcpOptions",
+ "title": "GetFlowLogsIntegrationTemplate",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14669,7 +14669,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeDhcpOptions $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetFlowLogsIntegrationTemplate $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14691,10 +14691,10 @@
 }
 },
 {
- "id": 1485174672,
+ "id": 1784636456,
 "definition": {
 "type": "note",
- "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeTransitGatewayMulticastDomains](https://traildiscover.cloud/#EC2-DescribeTransitGatewayMulticastDomains)\n\n**Description:** Describes one or more transit gateway multicast domains.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14710,9 +14710,9 @@
 }
 },
 {
- "id": 428603543,
+ "id": 1580142505,
 "definition": {
- "title": "DescribeVpcEndpointConnectionNotifications",
+ "title": "DescribeTransitGatewayMulticastDomains",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14730,7 +14730,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeVpcEndpointConnectionNotifications $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeTransitGatewayMulticastDomains $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14752,10 +14752,10 @@
 }
 },
 {
- "id": 3161294668,
+ "id": 3794697885,
 "definition": {
 "type": "note",
- "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeInstanceAttribute](https://traildiscover.cloud/#EC2-DescribeInstanceAttribute)\n\n**Description:** Describes the specified attribute of the specified instance. You can specify only one attribute at a time.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14771,9 +14771,9 @@
 }
 },
 {
- "id": 4252207187,
+ "id": 3590203934,
 "definition": {
- "title": "DescribeFlowLogs",
+ "title": "DescribeInstanceAttribute",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14791,7 +14791,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeFlowLogs $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeInstanceAttribute $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14813,10 +14813,10 @@
 }
 },
 {
- "id": 277842694,
+ "id": 1358307688,
 "definition": {
 "type": "note",
- "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeDhcpOptions](https://traildiscover.cloud/#EC2-DescribeDhcpOptions)\n\n**Description:** Describes one or more of your DHCP options sets.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14832,9 +14832,9 @@
 }
 },
 {
- "id": 1468094100,
+ "id": 1153813737,
 "definition": {
- "title": "DescribeSnapshotAttribute",
+ "title": "DescribeDhcpOptions",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14852,7 +14852,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeSnapshotAttribute $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeDhcpOptions $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14874,10 +14874,10 @@
 }
 },
 {
- "id": 913730034,
+ "id": 3659032230,
 "definition": {
 "type": "note",
- "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeVpcEndpointConnectionNotifications](https://traildiscover.cloud/#EC2-DescribeVpcEndpointConnectionNotifications)\n\n**Description:** Describes the connection notifications for VPC endpoints and VPC endpoint services.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14893,9 +14893,9 @@
 }
 },
 {
- "id": 4152126201,
+ "id": 3454538279,
 "definition": {
- "title": "DescribeVolumesModifications",
+ "title": "DescribeVpcEndpointConnectionNotifications",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14913,7 +14913,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeVolumesModifications $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeVpcEndpointConnectionNotifications $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14935,10 +14935,10 @@
 }
 },
 {
- "id": 2756064019,
+ "id": 3056022568,
 "definition": {
 "type": "note",
- "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [DescribeFlowLogs](https://traildiscover.cloud/#EC2-DescribeFlowLogs)\n\n**Description:** Describes one or more flow logs.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -14954,9 +14954,9 @@
 }
 },
 {
- "id": 1699492890,
+ "id": 2752189730,
 "definition": {
- "title": "DescribeRegions",
+ "title": "DescribeFlowLogs",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -14974,7 +14974,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeRegions $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeFlowLogs $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -14996,10 +14996,10 @@
 }
 },
 {
- "id": 3851306923,
+ "id": 762784123,
 "definition": {
 "type": "note",
- "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n",
+ "content": "### [DescribeSnapshotAttribute](https://traildiscover.cloud/#EC2-DescribeSnapshotAttribute)\n\n**Description:** Describes the specified attribute of the specified snapshot.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15015,9 +15015,9 @@
 }
 },
 {
- "id": 647252146,
+ "id": 2705773820,
 "definition": {
- "title": "DescribeSecurityGroups",
+ "title": "DescribeSnapshotAttribute",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15035,7 +15035,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeSecurityGroups $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeSnapshotAttribute $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15057,10 +15057,10 @@
 }
 },
 {
- "id": 2021309169,
+ "id": 2133223958,
 "definition": {
 "type": "note",
- "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [DescribeVolumesModifications](https://traildiscover.cloud/#EC2-DescribeVolumesModifications)\n\n**Description:** Describes the most recent volume modification request for the specified EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15076,9 +15076,9 @@
 }
 },
 {
- "id": 1064076927,
+ "id": 1928730007,
 "definition": {
- "title": "DescribeVpcs",
+ "title": "DescribeVolumesModifications",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15096,7 +15096,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeVpcs $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeVolumesModifications $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15118,10 +15118,10 @@
 }
 },
 {
- "id": 1715914924,
+ "id": 2777862627,
 "definition": {
 "type": "note",
- "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeRegions](https://traildiscover.cloud/#EC2-DescribeRegions)\n\n**Description:** Describes the Regions that are enabled for your account, or all Regions.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15137,9 +15137,9 @@
 }
 },
 {
- "id": 758682682,
+ "id": 2573368676,
 "definition": {
- "title": "DescribeBundleTasks",
+ "title": "DescribeRegions",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15157,7 +15157,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeBundleTasks $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeRegions $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15179,10 +15179,10 @@
 }
 },
 {
- "id": 3529665621,
+ "id": 2719183212,
 "definition": {
 "type": "note",
- "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeSecurityGroups](https://traildiscover.cloud/#EC2-DescribeSecurityGroups)\n\n**Description:** Describes the specified security groups or all of your security groups.\n\n**Related Incidents:**\n- [Case Study: Responding to an Attack in AWS](https://www.cadosecurity.com/case-study-responding-to-an-attack-in-aws/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15198,9 +15198,9 @@
 }
 },
 {
- "id": 424949731,
+ "id": 2514689261,
 "definition": {
- "title": "DescribeAccountAttributes",
+ "title": "DescribeSecurityGroups",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15218,7 +15218,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeAccountAttributes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeSecurityGroups $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15240,10 +15240,10 @@
 }
 },
 {
- "id": 3465718414,
+ "id": 1427351012,
 "definition": {
 "type": "note",
- "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeVpcs](https://traildiscover.cloud/#EC2-DescribeVpcs)\n\n**Description:** Describes one or more of your VPCs.\n\n**Related Incidents:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15259,9 +15259,9 @@
 }
 },
 {
- "id": 2508486172,
+ "id": 3271001822,
 "definition": {
- "title": "DescribeVolumes",
+ "title": "DescribeVpcs",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15279,7 +15279,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeVolumes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeVpcs $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15301,10 +15301,10 @@
 }
 },
 {
- "id": 817068572,
+ "id": 3050975685,
 "definition": {
 "type": "note",
- "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeBundleTasks](https://traildiscover.cloud/#EC2-DescribeBundleTasks)\n\n**Description:** Describes the specified bundle tasks or all of your bundle tasks.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15320,9 +15320,9 @@
 }
 },
 {
- "id": 4055464739,
+ "id": 698998086,
 "definition": {
- "title": "DescribeInstanceTypes",
+ "title": "DescribeBundleTasks",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15340,7 +15340,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeInstanceTypes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeBundleTasks $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15362,10 +15362,10 @@
 }
 },
 {
- "id": 604288766,
+ "id": 2640521118,
 "definition": {
 "type": "note",
- "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeAccountAttributes](https://traildiscover.cloud/#EC2-DescribeAccountAttributes)\n\n**Description:** Describes attributes of your AWS account.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15381,9 +15381,9 @@
 }
 },
 {
- "id": 3942023820,
+ "id": 288543519,
 "definition": {
- "title": "DescribeClientVpnRoutes",
+ "title": "DescribeAccountAttributes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15401,7 +15401,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeClientVpnRoutes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeAccountAttributes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15423,10 +15423,10 @@
 }
 },
 {
- "id": 1965443205,
+ "id": 4062422191,
 "definition": {
 "type": "note",
- "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
+ "content": "### [DescribeVolumes](https://traildiscover.cloud/#EC2-DescribeVolumes)\n\n**Description:** Describes the specified EBS volumes or all of your EBS volumes.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15442,9 +15442,9 @@
 }
 },
 {
- "id": 908872076,
+ "id": 1710444592,
 "definition": {
- "title": "GetLaunchTemplateData",
+ "title": "DescribeVolumes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15462,7 +15462,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeVolumes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15484,10 +15484,10 @@
 }
 },
 {
- "id": 1679196143,
+ "id": 3519263783,
 "definition": {
 "type": "note",
- "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
+ "content": "### [DescribeInstanceTypes](https://traildiscover.cloud/#EC2-DescribeInstanceTypes)\n\n**Description:** Describes the details of the instance types that are offered in a location.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15503,9 +15503,9 @@
 }
 },
 {
- "id": 2770108662,
+ "id": 3314769832,
 "definition": {
- "title": "GetParameters",
+ "title": "DescribeInstanceTypes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15523,7 +15523,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetParameters $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeInstanceTypes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15545,10 +15545,10 @@
 }
 },
 {
- "id": 3743632670,
+ "id": 506182844,
 "definition": {
 "type": "note",
- "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
+ "content": "### [DescribeClientVpnRoutes](https://traildiscover.cloud/#EC2-DescribeClientVpnRoutes)\n\n**Description:** Describes the routes for the specified Client VPN endpoint.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15564,9 +15564,9 @@
 }
 },
 {
- "id": 539577893,
+ "id": 301688893,
 "definition": {
- "title": "DescribeInstanceInformation",
+ "title": "DescribeClientVpnRoutes",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15584,7 +15584,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:DescribeInstanceInformation $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeClientVpnRoutes $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15606,10 +15606,10 @@
 }
 },
 {
- "id": 2216775640,
+ "id": 827618741,
 "definition": {
 "type": "note",
- "content": "### [ListEmailIdentities](https://traildiscover.cloud/#SES-ListEmailIdentities)\n\n**Description:** Returns a list of all of the email identities that are associated with your AWS account.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n",
+ "content": "### [GetLaunchTemplateData](https://traildiscover.cloud/#EC2-GetLaunchTemplateData)\n\n**Description:** Retrieves the configuration data of the specified instance. You can use this data to create a launch template.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15625,9 +15625,9 @@
 }
 },
 {
- "id": 3407027046,
+ "id": 2671269551,
 "definition": {
- "title": "ListEmailIdentities",
+ "title": "GetLaunchTemplateData",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15645,7 +15645,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListEmailIdentities $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetLaunchTemplateData $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15667,10 +15667,10 @@
 }
 },
 {
- "id": 2725443871,
+ "id": 1196864185,
 "definition": {
 "type": "note",
- "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
+ "content": "### [GetParameters](https://traildiscover.cloud/#SSM-GetParameters)\n\n**Description:** Get information about one or more parameters by specifying multiple parameter names.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15686,9 +15686,9 @@
 }
 },
 {
- "id": 1768211629,
+ "id": 992370234,
 "definition": {
- "title": "GetIdentityVerificationAttributes",
+ "title": "GetParameters",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15706,7 +15706,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetIdentityVerificationAttributes $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:GetParameters $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15728,10 +15728,10 @@
 }
 },
 {
- "id": 3340623476,
+ "id": 2475135762,
 "definition": {
 "type": "note",
- "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
+ "content": "### [DescribeInstanceInformation](https://traildiscover.cloud/#SSM-DescribeInstanceInformation)\n\n**Description:** Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15747,9 +15747,9 @@
 }
 },
 {
- "id": 2284052347,
+ "id": 23819276,
 "definition": {
- "title": "GetAccountSendingEnabled",
+ "title": "DescribeInstanceInformation",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15767,7 +15767,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:GetAccountSendingEnabled $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:DescribeInstanceInformation $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15789,10 +15789,10 @@
 }
 },
 {
- "id": 401549901,
+ "id": 2431713409,
 "definition": {
 "type": "note",
- "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [ListEmailIdentities](https://traildiscover.cloud/#SES-ListEmailIdentities)\n\n**Description:** Returns a list of all of the email identities that are associated with your AWS account.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15808,9 +15808,9 @@
 }
 },
 {
- "id": 1492462420,
+ "id": 79735810,
 "definition": {
- "title": "ListIdentities",
+ "title": "ListEmailIdentities",
 "title_size": "16",
 "title_align": "left",
 "type": "query_value",
@@ -15828,7 +15828,7 @@
 "aggregation": "count"
 },
 "search": {
- "query": "source:cloudtrail @evt.name:ListIdentities $userIdentity.arn $network.client.ip $account"
+ "query": "source:cloudtrail @evt.name:ListEmailIdentities $userIdentity.arn $network.client.ip $account"
 }
 }
 ],
@@ -15850,10 +15850,10 @@
 }
 },
 {
- "id": 2198437529,
+ "id": 1745509223,
 "definition": {
 "type": "note",
- "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n",
+ "content": "### [GetIdentityVerificationAttributes](https://traildiscover.cloud/#SES-GetIdentityVerificationAttributes)\n\n**Description:** Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity.\n\n**Related Incidents:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n",
 "background_color": "white",
 "font_size": "14",
 "text_align": "left",
@@ -15869,9 +15869,9 @@ } }, { - "id": 1141866400, + "id": 1541015272, "definition": { - "title": "GetSendQuota", + "title": "GetIdentityVerificationAttributes", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15889,7 +15889,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetSendQuota $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetIdentityVerificationAttributes $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15911,10 +15911,10 @@ } }, { - "id": 153299173, + "id": 1294836584, "definition": { "type": "note", - "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [GetAccountSendingEnabled](https://traildiscover.cloud/#SES-GetAccountSendingEnabled)\n\n**Description:** Returns the email sending status of the Amazon SES account for the current Region.\n\n**Related Incidents:**\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
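Review bot: The new GetAccountSendingEnabled note places the SES-PIONAGE write-up under `**Related Research:**`, while the other SES notes in this file (GetIdentityVerificationAttributes, ListIdentities, GetSendQuota, GetAccount, and ListServiceQuotas) list the same link under `**Related Incidents:**`. One of the two classifications is wrong, and a reader comparing SES events will draw different conclusions about whether this call has been observed in a real incident. The note should list the link under `**Related Incidents:**` alongside the Leaked Environment Variables entry and drop the now-empty research section; if the note text is generated from docs/events.json, the fix belongs in that entry rather than in the dashboard file.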
@@ -15930,9 +15930,9 @@ } }, { - "id": 1244211692, + "id": 1090342633, "definition": { - "title": "GetAccount", + "title": "GetAccountSendingEnabled", "title_size": "16", "title_align": "left", "type": "query_value", @@ -15950,7 +15950,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetAccount $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccountSendingEnabled $userIdentity.arn $network.client.ip $account" } } ], 
@@ -15972,10 +15972,10 @@ } }, { - "id": 3430367812, + "id": 718679077, "definition": { "type": "note", - "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [ListIdentities](https://traildiscover.cloud/#SES-ListIdentities)\n\n**Description:** Returns a list containing all of the identities (email addresses and domains) for your AWS account in the current AWS Region, regardless of verification status.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -15991,9 +15991,9 @@ } }, { - "id": 2473135570, + "id": 514185126, "definition": { - "title": "GetFindings", + "title": "ListIdentities", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16011,7 +16011,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetFindings $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListIdentities $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16033,10 +16033,10 @@ } }, { - "id": 55664792, + "id": 3913152278, "definition": { "type": "note", - "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [GetSendQuota](https://traildiscover.cloud/#SES-GetSendQuota)\n\n**Description:** Provides the sending limits for the Amazon SES account.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16052,9 +16052,9 @@ } }, { - "id": 1245916198, + "id": 3708658327, "definition": { - "title": "ListFindings", + "title": "GetSendQuota", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16072,7 +16072,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListFindings $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetSendQuota $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16094,10 +16094,10 @@ } }, { - "id": 3504680610, + "id": 2224411156, "definition": { "type": "note", - "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [GetAccount](https://traildiscover.cloud/#SES-GetAccount)\n\n**Description:** Obtain information about the email-sending status and capabilities of your Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16113,9 +16113,9 @@ } }, { - "id": 300625833, + "id": 4068061966, "definition": { - "title": "ListDetectors", + "title": "GetAccount", "title_size": "16", "title_align": "left", "type": "query_value", 
@@ -16133,7 +16133,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListDetectors $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetAccount $userIdentity.arn $network.client.ip $account" } } ], @@ -16155,10 +16155,10 @@ } }, { - "id": 3115857373, + "id": 590316864, "definition": { "type": "note", - "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "content": "### [GetFindings](https://traildiscover.cloud/#GuardDuty-GetFindings)\n\n**Description:** Returns a list of findings that match the specified criteria.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16174,9 +16174,9 @@ } }, { - "id": 2158625131, + "id": 385822913, "definition": { - "title": "GetDetector", + "title": "GetFindings", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16194,7 +16194,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:GetDetector $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:GetFindings $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16216,10 +16216,10 @@ } }, { - "id": 3808341340, + "id": 1326546449, "definition": { "type": "note", - "content": "### [ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "content": "### [ListFindings](https://traildiscover.cloud/#GuardDuty-ListFindings)\n\n**Description:** Lists GuardDuty findings for the specified detector ID.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -16235,9 +16235,9 @@ } }, { - "id": 2751770211, + "id": 3269536146, "definition": { - "title": "ListIPSets", + "title": "ListFindings", "title_size": "16", "title_align": "left", "type": "query_value", @@ -16255,7 +16255,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ListIPSets $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ListFindings $userIdentity.arn $network.client.ip $account" } } ], 
@@ -16277,10 +16277,10 @@ } }, { - "id": 851239548, + "id": 3282629334, "definition": { "type": "note", - "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "content": "### [ListDetectors](https://traildiscover.cloud/#GuardDuty-ListDetectors)\n\n**Description:** Lists detectorIds of all the existing Amazon GuardDuty detector resources.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -16296,7 +16296,190 @@ } }, { - "id": 4188974602, + "id": 2978796496, + "definition": { + "title": "ListDetectors", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:ListDetectors $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 76, + "width": 2, + "height": 2 + } + }, + { + "id": 2431752119, + "definition": { + "type": "note", + "content": "### [GetDetector](https://traildiscover.cloud/#GuardDuty-GetDetector)\n\n**Description:** Retrieves an Amazon GuardDuty detector specified by the detectorId.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 76, + "width": 2, + "height": 2 + } + }, + { + "id": 79774520, + "definition": { + "title": "GetDetector", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:GetDetector $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 76, + "width": 2, + "height": 2 + } + }, + { + "id": 319118692, + "definition": { + "type": "note", + "content": "### 
[ListIPSets](https://traildiscover.cloud/#GuardDuty-ListIPSets)\n\n**Description:** Lists the IPSets of the GuardDuty service specified by the detector ID.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 8, + "y": 76, + "width": 2, + "height": 2 + } + }, + { + "id": 114624741, + "definition": { + "title": "ListIPSets", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:ListIPSets $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 10, + "y": 76, + "width": 2, + "height": 2 + } + }, + { + "id": 3166173951, + "definition": { + "type": "note", + "content": "### [ListServiceQuotas](https://traildiscover.cloud/#ServiceQuotas-ListServiceQuotas)\n\n**Description:** Lists the applied quota values for the specified AWS service.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 0, + "y": 78, + 
"width": 2, + "height": 2 + } + }, + { + "id": 714857465, "definition": { "title": "ListServiceQuotas", "title_size": "16", @@ -16332,7 +16515,7 @@ }, "layout": { "x": 2, - "y": 76, + "y": 78, "width": 2, "height": 2 } @@ -16343,11 +16526,11 @@ "x": 0, "y": 117, "width": 12, - "height": 80 + "height": 82 } }, { - "id": 1672172502, + "id": 285222422, "definition": { "type": "group", "layout_type": "ordered", @@ -16356,7 +16539,7 @@ "show_title": true, "widgets": [ { - "id": 669027267, + "id": 2890638461, "definition": { "type": "note", "content": "### [AssumeRoleWithWebIdentity](https://traildiscover.cloud/#STS-AssumeRoleWithWebIdentity)\n\n**Description:** Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.\n\n**Related Research:**\n- [From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk](https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/)\n", @@ -16375,7 +16558,7 @@ } }, { - "id": 4006762321, + "id": 439321975, "definition": { "title": "AssumeRoleWithWebIdentity", "title_size": "16", @@ -16417,7 +16600,7 @@ } }, { - "id": 2815396234, + "id": 1034974854, "definition": { "type": "note", "content": "### [SwitchRole](https://traildiscover.cloud/#SignIn-SwitchRole)\n\n**Description:** This event is recorded when a user manually switches to a different IAM role within the AWS Management Console.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Unwanted visitor](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/)\n**Related Research:**\n- [AWS CloudTrail cheat sheet](https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet)\n", @@ -16436,7 +16619,7 @@ } }, { - "id": 1858163992, + "id": 2878625664, "definition": { "title": "SwitchRole", "title_size": "16", 
@@ -16478,7 +16661,7 @@ } }, { - "id": 3379902946, + "id": 1085452903, "definition": { "type": "note", "content": "### [EnableSerialConsoleAccess](https://traildiscover.cloud/#EC2-EnableSerialConsoleAccess)\n\n**Description:** Enables access to the EC2 serial console of all instances for your account.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n**Related Research:**\n- [How to detect EC2 Serial Console enabled](https://sysdig.com/blog/ec2-serial-console-enabled/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16497,7 +16680,7 @@ } }, { - "id": 2422670704, + "id": 2929103713, "definition": { "title": "EnableSerialConsoleAccess", "title_size": "16", @@ -16539,7 +16722,7 @@ } }, { - "id": 1895413281, + "id": 1173998223, "definition": { "type": "note", "content": "### [CreateVolume](https://traildiscover.cloud/#EC2-CreateVolume)\n\n**Description:** Creates an EBS volume that can be attached to an instance in the same Availability Zone.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16558,7 +16741,7 @@ } }, { - "id": 838842152, + "id": 870165385, "definition": { "title": "CreateVolume", "title_size": "16", 
@@ -16600,7 +16783,7 @@ } }, { - "id": 1778090229, + "id": 1936704596, "definition": { "type": "note", "content": "### [CreateSecurityGroup](https://traildiscover.cloud/#EC2-CreateSecurityGroup)\n\n**Description:** Creates a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild](https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16619,7 +16802,7 @@ } }, { - "id": 820857987, + "id": 3780355406, "definition": { "title": "CreateSecurityGroup", "title_size": "16", 
@@ -16661,7 +16844,7 @@ } }, { - "id": 1393451209, + "id": 184703066, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupIngress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupIngress)\n\n**Description:** Adds the specified inbound (ingress) rules to a security group.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Finding evil in AWS](https://expel.com/blog/finding-evil-in-aws/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Opening a security group to the 
Internet](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/opening-security-group-port/)\n", @@ -16680,7 +16863,7 @@ } }, { - "id": 336880080, + "id": 4275176411, "definition": { "title": "AuthorizeSecurityGroupIngress", "title_size": "16", @@ -16722,7 +16905,7 @@ } }, { - "id": 1671570472, + "id": 1853883181, "definition": { "type": "note", "content": "### [SendSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance for use by the specified user.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16741,7 +16924,7 @@ } }, { - "id": 2861821878, + "id": 3796872878, "definition": { "title": "SendSSHPublicKey", "title_size": "16", 
@@ -16783,7 +16966,7 @@ } }, { - "id": 3350691267, + "id": 2790551181, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -16802,7 +16985,7 @@ } }, { - "id": 146636490, + "id": 438573582, "definition": { "title": "CreateSnapshot", "title_size": "16", 
@@ -16844,7 +17027,7 @@ } }, { - "id": 1859718486, + "id": 159776352, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the Cloud: Exploring Lateral Movement 
Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -16863,7 +17046,7 @@ } }, { - "id": 902486244, + "id": 4250249697, "definition": { "title": "RunInstances", "title_size": "16", @@ -16905,7 +17088,7 @@ } }, { - "id": 2115034736, + "id": 111539854, "definition": { "type": "note", "content": "### [AttachVolume](https://traildiscover.cloud/#EC2-AttachVolume)\n\n**Description:** Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n", @@ -16924,7 +17107,7 @@ } }, { - "id": 1157802494, + "id": 4102674312, "definition": { "title": "AttachVolume", "title_size": "16", 
@@ -16966,7 +17149,7 @@ } }, { - "id": 832292680, + "id": 3409423333, "definition": { "type": "note", "content": "### [SendSerialConsoleSSHPublicKey](https://traildiscover.cloud/#EC2InstanceConnect-SendSerialConsoleSSHPublicKey)\n\n**Description:** Pushes an SSH public key to the specified EC2 instance.\n\n**Related Incidents:**\n- [LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD](https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -16985,7 +17168,7 @@ } }, { - "id": 4170027734, + "id": 1057445734, "definition": { "title": "SendSerialConsoleSSHPublicKey", "title_size": "16", 
@@ -17027,7 +17210,7 @@ } }, { - "id": 2951396956, + "id": 2408086705, "definition": { "type": "note", "content": "### [SendCommand](https://traildiscover.cloud/#SSM-SendCommand)\n\n**Description:** Runs commands on one or more managed nodes.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)](https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -17046,7 +17229,7 @@ } }, { - "id": 4042309475, + "id": 2104253867, "definition": { "title": "SendCommand", "title_size": "16", 
@@ -17088,7 +17271,7 @@ } }, { - "id": 1772841732, + "id": 1923008631, "definition": { "type": "note", "content": "### [StartSession](https://traildiscover.cloud/#SSM-StartSession)\n\n**Description:** Initiates a connection to a target (for example, a managed node) for a Session Manager session.\n\n**Related Incidents:**\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [Run Shell Commands on EC2 with Send Command or Session Manager](https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -17107,7 +17290,7 @@ } }, { - "id": 815609490, + "id": 3865998328, "definition": { "title": "StartSession", "title_size": "16", @@ -17149,7 +17332,7 @@ } }, { - "id": 810068708, + "id": 2874476202, "definition": { "type": "note", "content": "### [ResumeSession](https://traildiscover.cloud/#SSM-ResumeSession)\n\n**Description:** Reconnects a session to a managed node after it has been disconnected.\n\n**Related Research:**\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -17168,7 +17351,7 @@ } }, { - "id": 4048464875, + "id": 423159716, "definition": { "title": "ResumeSession", "title_size": "16", @@ -17213,13 +17396,13 @@ }, "layout": { "x": 0, - "y": 197, + "y": 199, "width": 12, "height": 12 } }, { - "id": 1319331900, + "id": 317668087, "definition": { "type": "group", "layout_type": "ordered", 
@@ -17228,7 +17411,7 @@ "show_title": true, "widgets": [ { - "id": 3707128600, + "id": 3593415956, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -17247,7 +17430,7 @@ } }, { - "id": 503073823, + "id": 3388922005, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", @@ -17289,7 +17472,7 @@ } }, { - "id": 4078717034, + "id": 1544335433, "definition": { "type": "note", "content": "### [UpdateDistribution](https://traildiscover.cloud/#CloudFront-UpdateDistribution)\n\n**Description:** Updates the configuration for a CloudFront distribution.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -17308,7 +17491,7 @@ } }, { - "id": 3022145905, + "id": 1339841482, "definition": { "title": "UpdateDistribution", "title_size": "16", 
@@ -17350,7 +17533,7 @@ } }, { - "id": 1701424891, + "id": 3239487386, "definition": { "type": "note", "content": "### [PublishFunction](https://traildiscover.cloud/#CloudFront-PublishFunction)\n\n**Description:** Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -17369,7 +17552,7 @@ } }, { - "id": 744192649, + "id": 3034993435, "definition": { "title": "PublishFunction", "title_size": "16", @@ -17411,7 +17594,7 @@ } }, { - "id": 541085213, + "id": 1240245912, "definition": { "type": "note", "content": "### [CreateFunction](https://traildiscover.cloud/#CloudFront-CreateFunction)\n\n**Description:** Creates a CloudFront function.\n\n**Related Research:**\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -17430,7 +17613,7 @@ } }, { - "id": 1631997732, + "id": 1035751961, "definition": { "title": "CreateFunction", "title_size": "16", @@ -17472,7 +17655,7 @@ } }, { - "id": 358800410, + "id": 109383549, "definition": { "type": "note", "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", @@ -17491,7 +17674,7 @@ } }, { - "id": 1549051816, + "id": 4100518007, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", 
@@ -17533,7 +17716,7 @@ } }, { - "id": 1316605569, + "id": 640218367, "definition": { "type": "note", "content": "### [CreateTrafficMirrorTarget](https://traildiscover.cloud/#EC2-CreateTrafficMirrorTarget)\n\n**Description:** Creates a target for your Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17552,7 +17735,7 @@ } }, { - "id": 2407518088, + "id": 435724416, "definition": { "title": "CreateTrafficMirrorTarget", "title_size": "16", @@ -17594,7 +17777,7 @@ } }, { - "id": 272138067, + "id": 3989388103, "definition": { "type": "note", "content": "### [CreateTrafficMirrorSession](https://traildiscover.cloud/#EC2-CreateTrafficMirrorSession)\n\n**Description:** Creates a Traffic Mirror session.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17613,7 +17796,7 @@ } }, { - "id": 3510534234, + "id": 3784894152, "definition": { "title": "CreateTrafficMirrorSession", "title_size": "16", @@ -17655,7 +17838,7 @@ } }, { - "id": 1418721380, + "id": 1344651122, "definition": { "type": "note", "content": "### [CreateRoute](https://traildiscover.cloud/#EC2-CreateRoute)\n\n**Description:** Creates a route in a route table within a VPC.\n\n**Related Research:**\n- [Ensure CloudWatch has an Alarm for Route Table Changes](https://www.intelligentdiscovery.io/controls/cloudwatch/cloudwatch-alarm-route-table-change)\n- [AWS Incident Response](https://easttimor.github.io/aws-incident-response/)\n", @@ -17674,7 +17857,7 @@ } }, { - "id": 461489138, + "id": 1040818284, "definition": { "title": "CreateRoute", "title_size": "16", 
@@ -17716,7 +17899,7 @@ } }, { - "id": 116025671, + "id": 4233973702, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilter](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilter)\n\n**Description:** Creates a Traffic Mirror filter.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17735,7 +17918,7 @@ } }, { - "id": 1206938190, + "id": 4029479751, "definition": { "title": "CreateTrafficMirrorFilter", "title_size": "16", @@ -17777,7 +17960,7 @@ } }, { - "id": 363455248, + "id": 4014941761, "definition": { "type": "note", "content": "### [CreateTrafficMirrorFilterRule](https://traildiscover.cloud/#EC2-CreateTrafficMirrorFilterRule)\n\n**Description:** Creates a Traffic Mirror filter rule.\n\n**Related Research:**\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -17796,7 +17979,7 @@ } }, { - "id": 3601851415, + "id": 1563625275, "definition": { "title": "CreateTrafficMirrorFilterRule", "title_size": "16", @@ -17841,13 +18024,13 @@ }, "layout": { "x": 0, - "y": 209, + "y": 211, "width": 12, "height": 10 } }, { - "id": 944522163, + "id": 1174040331, "definition": { "type": "group", "layout_type": "ordered", @@ -17856,7 +18039,7 @@ "show_title": true, "widgets": [ { - "id": 94448197, + "id": 122250724, "definition": { "type": "note", "content": "### [CreateUser](https://traildiscover.cloud/#TransferFamily-CreateUser)\n\n**Description:** Creates a user and associates them with an existing file transfer protocol-enabled server.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -17875,7 +18058,7 @@ } }, { - "id": 3432183251, + "id": 4212724069, "definition": { "title": "CreateUser", "title_size": "16", 
@@ -17917,7 +18100,7 @@ } }, { - "id": 1200333787, + "id": 1446216826, "definition": { "type": "note", "content": "### [CreateServer](https://traildiscover.cloud/#TransferFamily-CreateServer)\n\n**Description:** Instantiates an auto-scaling virtual server based on the selected file transfer protocol in AWS.\n\n**Related Incidents:**\n- [Muddled Libra\u2019s Evolution to the Cloud](https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/)\n", @@ -17936,7 +18119,7 @@ } }, { - "id": 143762658, + "id": 1241722875, "definition": { "title": "CreateServer", "title_size": "16", @@ -17978,7 +18161,7 @@ } }, { - "id": 3398390663, + "id": 1604933058, "definition": { "type": "note", "content": "### [PutBucketPolicy](https://traildiscover.cloud/#S3-PutBucketPolicy)\n\n**Description:** Applies an Amazon S3 bucket policy to an Amazon S3 bucket.\n\n**Related Research:**\n- [Detecting and removing risky actions out of your IAM security policies](https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/)\n", @@ -17997,7 +18180,7 @@ } }, { - "id": 2341819534, + "id": 1400439107, "definition": { "title": "PutBucketPolicy", "title_size": "16", @@ -18039,7 +18222,7 @@ } }, { - "id": 491363762, + "id": 714143955, "definition": { "type": "note", "content": "### [PutBucketAcl](https://traildiscover.cloud/#S3-PutBucketAcl)\n\n**Description:** Sets the permissions on an existing bucket using access control lists (ACL).\n\n**Related Research:**\n- [AWS S3 Bucket ACL made public](https://docs.datadoghq.com/security/default_rules/aws-bucket-acl-made-public/)\n", @@ -18058,7 +18241,7 @@ } }, { - "id": 1681615168, + "id": 509650004, "definition": { "title": "PutBucketAcl", "title_size": "16", 
@@ -18100,7 +18283,7 @@ } }, { - "id": 1729649822, + "id": 1295818687, "definition": { "type": "note", "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -18119,7 +18302,7 @@ } }, { - "id": 2919901228, + "id": 3238808384, "definition": { "title": "PutBucketVersioning", "title_size": "16", @@ -18161,7 +18344,7 @@ } }, { - "id": 3420310642, + "id": 1503929630, "definition": { "type": "note", "content": "### [PutBucketReplication](https://traildiscover.cloud/#S3-PutBucketReplication)\n\n**Description:** Creates a replication configuration or replaces an existing one.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -18180,7 +18363,7 @@ } }, { - "id": 216255865, + "id": 1299435679, "definition": { "title": "PutBucketReplication", "title_size": "16", 
@@ -18222,10 +18405,10 @@ } }, { - "id": 147687221, + "id": 988935562, "definition": { "type": "note", - "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Data Exfiltration 
through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n", + "content": "### [GetObject](https://traildiscover.cloud/#S3-GetObject)\n\n**Description:** Retrieves an object from Amazon S3.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Incident 2 - Additional details of the attack](https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incident-2-details.html&_LANG=enus)\n- [Aruba Central Security Incident](https://www.arubanetworks.com/support-services/security-bulletins/central-incident-faq/)\n- [Sendtech Pte. Ltd](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en)\n- [GotRoot! 
AWS root Account Takeover](https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1)\n- [A Technical Analysis of the Capital One Cloud Misconfiguration Breach](https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach)\n- [Chegg, Inc](https://www.ftc.gov/system/files/ftc_gov/pdf/2023151-Chegg-Complaint.pdf)\n- [Scattered Spider Attack Analysis](https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/)\n- [Enumerate AWS Account ID from a Public S3 Bucket](https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Data Exfiltration through S3 Server Access Logs](https://hackingthe.cloud/aws/exploitation/s3_server_access_logs/)\n- [S3 Streaming Copy](https://hackingthe.cloud/aws/exploitation/s3_streaming_copy/)\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -18241,7 +18424,7 @@ } }, { - "id": 1238599740, + "id": 784441611, "definition": { "title": "GetObject", "title_size": "16", 
@@ -18283,7 +18466,7 @@ } }, { - "id": 2573990492, + "id": 457121977, "definition": { "type": "note", "content": "### [JobCreated](https://traildiscover.cloud/#S3-JobCreated)\n\n**Description:** When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.\n\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -18302,7 +18485,7 @@ } }, { - "id": 1517419363, + "id": 2400111674, "definition": { "title": "JobCreated", "title_size": "16", @@ -18344,7 +18527,7 @@ } }, { - "id": 1429885312, + "id": 2462162356, "definition": { "type": "note", "content": "### [CreateInstanceExportTask](https://traildiscover.cloud/#EC2-CreateInstanceExportTask)\n\n**Description:** Exports a running or stopped instance to an Amazon S3 bucket.\n\n**Related Research:**\n- [AWS EC2 VM Export Failure](https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html)\n", @@ -18363,7 +18546,7 @@ } }, { - "id": 472653070, + "id": 110184757, "definition": { "title": "CreateInstanceExportTask", "title_size": "16", @@ -18405,7 +18588,7 @@ } }, { - "id": 3454356583, + "id": 3622416415, "definition": { "type": "note", "content": "### [ModifySnapshotAttribute](https://traildiscover.cloud/#EC2-ModifySnapshotAttribute)\n\n**Description:** Adds or removes permission settings for the specified snapshot.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n", @@ -18424,7 +18607,7 @@ } }, { - "id": 250301806, + "id": 3318583577, "definition": { "title": "ModifySnapshotAttribute", "title_size": "16", 
@@ -18466,7 +18649,7 @@ } }, { - "id": 337798740, + "id": 746488934, "definition": { "type": "note", "content": "### [SharedSnapshotCopyInitiated](https://traildiscover.cloud/#EC2-SharedSnapshotCopyInitiated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -18485,7 +18668,7 @@ } }, { - "id": 1428711259, + "id": 2689478631, "definition": { "title": "SharedSnapshotCopyInitiated", "title_size": "16", @@ -18527,7 +18710,7 @@ } }, { - "id": 1288863462, + "id": 41598652, "definition": { "type": "note", "content": "### [SharedSnapshotVolumeCreated](https://traildiscover.cloud/#EC2-SharedSnapshotVolumeCreated)\n\n**Description:** Modifies the specified attribute of the specified instance.\n\n**Related Incidents:**\n- [M-Trends Report - 2020](https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf)\n- [Democratic National Committee hack](https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000)\n**Related Research:**\n- [Detecting exfiltration of EBS snapshots in AWS](https://twitter.com/christophetd/status/1574681313218506753)\n", @@ -18546,7 +18729,7 @@ } }, { - "id": 232292333, + "id": 4032733110, "definition": { "title": "SharedSnapshotVolumeCreated", "title_size": "16", 
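Review bot: The `content` for SharedSnapshotCopyInitiated (hunk at -18466) and SharedSnapshotVolumeCreated (hunk at -18527) both carry the description `Modifies the specified attribute of the specified instance.`, which reads like the ModifyInstanceAttribute description and does not describe either event; these are the CloudTrail events AWS records when a snapshot shared with the account is copied, or when a volume is created from a shared snapshot, which is the exfiltration signal the linked "Detecting exfiltration of EBS snapshots" research is about. Since the same text appears in both notes and this file appears to be generated, the fix likely belongs in the source event definitions rather than in this export; suggested descriptions are `Logged when a snapshot that was shared with this account is copied.` and `Logged when a volume is created from a snapshot that was shared with this account.`. As written, an analyst triaging EBS-snapshot exfiltration from this dashboard is pointed at instance attribute changes instead.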
@@ -18588,7 +18771,7 @@ } }, { - "id": 3916382145, + "id": 1794160949, "definition": { "type": "note", "content": "### [CreateSnapshot](https://traildiscover.cloud/#EC2-CreateSnapshot)\n\n**Description:** Creates a snapshot of an EBS volume and stores it in Amazon S3.\n\n**Related Incidents:**\n- [CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)\n- [Navigating the Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n**Related Research:**\n- [Stealing an EBS snapshot by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-ebs-snapshot/)\n- [Exfiltrate EBS Snapshot by Sharing It](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/)\n", @@ -18607,7 +18790,7 @@ } }, { - "id": 2959149903, + "id": 3737150646, "definition": { "title": "CreateSnapshot", "title_size": "16", @@ -18649,7 +18832,7 @@ } }, { - "id": 2116292689, + "id": 3070985993, "definition": { "type": "note", "content": "### [CreateImage](https://traildiscover.cloud/#EC2-CreateImage)\n\n**Description:** Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n", @@ -18668,7 +18851,7 @@ } }, { - "id": 1059721560, + "id": 2866492042, "definition": { "title": "CreateImage", "title_size": "16", 
@@ -18710,7 +18893,7 @@ } }, { - "id": 228405295, + "id": 3049991017, "definition": { "type": "note", "content": "### [AuthorizeSecurityGroupEgress](https://traildiscover.cloud/#EC2-AuthorizeSecurityGroupEgress)\n\n**Description:** Adds the specified outbound (egress) rules to a security group.\n\n**Related Incidents:**\n- [Trouble in Paradise](https://blog.darklab.hk/2021/07/06/trouble-in-paradise/)\n", @@ -18729,7 +18912,7 @@ } }, { - "id": 3466801462, + "id": 2746158179, "definition": { "title": "AuthorizeSecurityGroupEgress", "title_size": "16", @@ -18771,7 +18954,7 @@ } }, { - "id": 559741012, + "id": 4019700236, "definition": { "type": "note", "content": "### [ModifyImageAttribute](https://traildiscover.cloud/#EC2-ModifyImageAttribute)\n\n**Description:** Modifies the specified attribute of the specified AMI.\n\n**Related Research:**\n- [AWS AMI Atttribute Modification for Exfiltration](https://research.splunk.com/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/)\n", @@ -18790,7 +18973,7 @@ } }, { - "id": 1749992418, + "id": 1568383750, "definition": { "title": "ModifyImageAttribute", "title_size": "16", 
@@ -18832,7 +19015,7 @@ } }, { - "id": 2095872761, + "id": 1733500573, "definition": { "type": "note", "content": "### [ModifyDBSnapshotAttribute](https://traildiscover.cloud/#RDS-ModifyDBSnapshotAttribute)\n\n**Description:** Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.\n\n**Related Incidents:**\n- [Imperva Security Update](https://www.imperva.com/blog/ceoblog/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -18851,7 +19034,7 @@ } }, { - "id": 1039301632, + "id": 1529006622, "definition": { "title": "ModifyDBSnapshotAttribute", "title_size": "16", @@ -18893,7 +19076,7 @@ } }, { - "id": 2027587161, + "id": 714427113, "definition": { "type": "note", "content": "### [StartExportTask](https://traildiscover.cloud/#RDS-StartExportTask)\n\n**Description:** Starts an export of DB snapshot or DB cluster data to Amazon S3.\n\n**Related Research:**\n- [AWS - RDS Post Exploitation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation)\n", @@ -18912,7 +19095,7 @@ } }, { - "id": 1070354919, + "id": 2657416810, "definition": { "title": "StartExportTask", "title_size": "16", 
@@ -18954,7 +19137,7 @@ } }, { - "id": 4091730418, + "id": 810257223, "definition": { "type": "note", "content": "### [CreateDBSecurityGroup](https://traildiscover.cloud/#RDS-CreateDBSecurityGroup)\n\n**Description:** Creates a new DB security group. DB security groups control access to a DB instance.\n\n**Related Research:**\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n", @@ -18973,7 +19156,7 @@ } }, { - "id": 987014528, + "id": 605763272, "definition": { "title": "CreateDBSecurityGroup", "title_size": "16", @@ -19015,7 +19198,7 @@ } }, { - "id": 4126823345, + "id": 3318532310, "definition": { "type": "note", "content": "### [CreateDBSnapshot](https://traildiscover.cloud/#RDS-CreateDBSnapshot)\n\n**Description:** Creates a snapshot of a DB instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Stealing an RDS database by creating a snapshot and sharing it](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/sharing-rds-snapshot/)\n", @@ -19034,7 +19217,7 @@ } }, { - "id": 3169591103, + "id": 966554711, "definition": { "title": "CreateDBSnapshot", "title_size": "16", @@ -19079,13 +19262,13 @@ }, "layout": { "x": 0, - "y": 219, + "y": 221, "width": 12, "height": 16 } }, { - "id": 2989913633, + "id": 2552247058, "definition": { "type": "group", "layout_type": "ordered", 
@@ -19094,7 +19277,7 @@ "show_title": true, "widgets": [ { - "id": 1624151106, + "id": 1059027990, "definition": { "type": "note", "content": "### [ChangeResourceRecordSets](https://traildiscover.cloud/#Route53-ChangeResourceRecordSets)\n\n**Description:** Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -19113,7 +19296,7 @@ } }, { - "id": 567579977, + "id": 854534039, "definition": { "title": "ChangeResourceRecordSets", "title_size": "16", @@ -19155,7 +19338,7 @@ } }, { - "id": 1516722453, + "id": 1162352065, "definition": { "type": "note", "content": "### [RegisterDomain](https://traildiscover.cloud/#route53domains-RegisterDomain)\n\n**Description:** This operation registers a domain. For some top-level domains (TLDs), this operation requires extra parameters.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -19174,7 +19357,7 @@ } }, { - "id": 460151324, + "id": 957858114, "definition": { "title": "RegisterDomain", "title_size": "16", 
@@ -19216,7 +19399,7 @@ } }, { - "id": 844393550, + "id": 515854709, "definition": { "type": "note", "content": "### [CreateHostedZone](https://traildiscover.cloud/#Route53-CreateHostedZone)\n\n**Description:** Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n**Related Research:**\n- [AWS API Call Hijacking via ACM-PCA](https://hackingthe.cloud/aws/exploitation/route53_modification_privilege_escalation/)\n", @@ -19235,7 +19418,7 @@ } }, { - "id": 1935306069, + "id": 212021871, "definition": { "title": "CreateHostedZone", "title_size": "16", @@ -19277,7 +19460,7 @@ } }, { - "id": 3703708522, + "id": 1930186149, "definition": { "type": "note", "content": "### [CreateStack](https://traildiscover.cloud/#CloudFormation-CreateStack)\n\n**Description:** Creates a stack as specified in the template.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -19296,7 +19479,7 @@ } }, { - "id": 598992632, + "id": 1626353311, "definition": { "title": "CreateStack", "title_size": "16", 
@@ -19338,7 +19521,7 @@ } }, { - "id": 600431283, + "id": 41249875, "definition": { "type": "note", "content": "### [Publish](https://traildiscover.cloud/#SNS-Publish)\n\n**Description:** Sends a message to an Amazon SNS topic, a text message (SMS message) directly to a phone number, or a message to a mobile platform endpoint (when you specify the TargetArn).\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -19357,7 +19540,7 @@ } }, { - "id": 3838827450, + "id": 4032384333, "definition": { "title": "Publish", "title_size": "16", @@ -19399,7 +19582,7 @@ } }, { - "id": 2179943015, + "id": 3098822266, "definition": { "type": "note", "content": "### [CreateFunction20150331](https://traildiscover.cloud/#Lambda-CreateFunction20150331)\n\n**Description:** Creates a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", 
@@ -19418,7 +19601,7 @@ } }, { - "id": 1222710773, + "id": 2894328315, "definition": { "title": "CreateFunction20150331", "title_size": "16", @@ -19460,7 +19643,7 @@ } }, { - "id": 643805442, + "id": 2790939420, "definition": { "type": "note", "content": "### [UpdateFunctionCode20150331v2](https://traildiscover.cloud/#Lambda-UpdateFunctionCode20150331v2)\n\n**Description:** Updates a Lambda function's code. If code signing is enabled for the function, the code package must be signed by a trusted publisher.\n\n**Related Research:**\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Enhancing Your Security Visibility and DetectionResponse Operations in AWS](https://pages.awscloud.com/rs/112-TZM-766/images/Visibility_detect_respond_AWS_SANS_whitepaper.pdf)\n- [How Attackers Can Misuse AWS CloudFront Access to Make It \u2018Rain\u2019 Cookies](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c)\n", @@ -19479,7 +19662,7 @@ } }, { - "id": 1834056848, + "id": 339622934, "definition": { "title": "UpdateFunctionCode20150331v2", "title_size": "16", 
@@ -19521,7 +19704,7 @@ } }, { - "id": 2950420138, + "id": 693063297, "definition": { "type": "note", "content": "### [Invoke](https://traildiscover.cloud/#Lambda-Invoke)\n\n**Description:** Invokes a Lambda function.\n\n**Related Incidents:**\n- [Mining Crypto](https://twitter.com/jonnyplatt/status/1471453527390277638)\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n", @@ -19540,7 +19723,7 @@ } }, { - "id": 4041332657, + "id": 2536714107, "definition": { "title": "Invoke", "title_size": "16", @@ -19582,7 +19765,7 @@ } }, { - "id": 3886538117, + "id": 3947408268, "definition": { "type": "note", "content": "### [DeleteFileSystem](https://traildiscover.cloud/#elasticfilesystem-DeleteFileSystem)\n\n**Description:** Deletes a file system, permanently severing access to its contents.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -19601,7 +19784,7 @@ } }, { - "id": 2929305875, + "id": 1496091782, "definition": { "title": "DeleteFileSystem", "title_size": "16", @@ -19643,7 +19826,7 @@ } }, { - "id": 3886495392, + "id": 3861994590, "definition": { "type": "note", "content": "### [DeleteMountTarget](https://traildiscover.cloud/#elasticfilesystem-DeleteMountTarget)\n\n**Description:** Deletes the specified mount target.\n\n**Related Research:**\n- [AWS EFS File System or Mount Deleted](https://www.elastic.co/guide/en/security/7.17/aws-efs-file-system-or-mount-deleted.html)\n", @@ -19662,7 +19845,7 @@ } }, { - "id": 2929263150, + "id": 1410678104, "definition": { "title": "DeleteMountTarget", "title_size": "16", 
@@ -19704,7 +19887,7 @@ } }, { - "id": 2460275265, + "id": 985940686, "definition": { "type": "note", "content": "### [DeleteRule](https://traildiscover.cloud/#events-DeleteRule)\n\n**Description:** Deletes the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -19723,7 +19906,7 @@ } }, { - "id": 3551187784, + "id": 682107848, "definition": { "title": "DeleteRule", "title_size": "16", @@ -19765,7 +19948,7 @@ } }, { - "id": 1718983697, + "id": 3586892452, "definition": { "type": "note", "content": "### [RemoveTargets](https://traildiscover.cloud/#events-RemoveTargets)\n\n**Description:** Removes the specified targets from the specified rule.\n\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -19784,7 +19967,7 @@ } }, { - "id": 2809896216, + "id": 3283059614, "definition": { "title": "RemoveTargets", "title_size": "16", @@ -19826,7 +20009,7 @@ } }, { - "id": 1627031521, + "id": 228177079, "definition": { "type": "note", "content": "### [DisableRule](https://traildiscover.cloud/#events-DisableRule)\n\n**Description:** Disables the specified rule.\n\n**Related Research:**\n- [AWS EventBridge Rule Disabled or Deleted](https://www.elastic.co/guide/en/security/7.17/rules-api-delete.html)\n- [AWS EventBridge rule disabled or deleted](https://docs.datadoghq.com/security/default_rules/aws-eventbridge-rule-disabled-or-deleted/)\n", @@ -19845,7 +20028,7 @@ } }, { - "id": 2717944040, + "id": 23683128, "definition": { "title": "DisableRule", "title_size": "16", 
@@ -19887,7 +20070,7 @@ } }, { - "id": 1545268228, + "id": 3747869408, "definition": { "type": "note", "content": "### [PutRule](https://traildiscover.cloud/#events-PutRule)\n\n**Description:** Creates or updates the specified rule.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Modify GuardDuty Configuration](https://hackingthe.cloud/aws/avoiding-detection/modify-guardduty-config/)\n", @@ -19906,7 +20089,7 @@ } }, { - "id": 488697099, + "id": 1296552922, "definition": { "title": "PutRule", "title_size": "16", @@ -19948,7 +20131,7 @@ } }, { - "id": 60194484, + "id": 3770435620, "definition": { "type": "note", "content": "### [CreateInstances](https://traildiscover.cloud/#Lightsail-CreateInstances)\n\n**Description:** Creates one or more Amazon Lightsail instances.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -19967,7 +20150,7 @@ } }, { - "id": 3298590651, + "id": 1418458021, "definition": { "title": "CreateInstances", "title_size": "16", @@ -20009,7 +20192,7 @@ } }, { - "id": 3638392050, + "id": 4144051793, "definition": { "type": "note", "content": "### [GenerateDataKeyWithoutPlaintext](https://traildiscover.cloud/#KMS-GenerateDataKeyWithoutPlaintext)\n\n**Description:** Returns a unique symmetric data key for use outside of AWS KMS.\n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", @@ -20028,7 +20211,7 @@ } }, { - "id": 2681159808, + "id": 3840218955, "definition": { "title": "GenerateDataKeyWithoutPlaintext", "title_size": "16", 
@@ -20070,10 +20253,10 @@ } }, { - "id": 473497719, + "id": 1061380679, "definition": { "type": "note", - "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", + "content": "### [PutKeyPolicy](https://traildiscover.cloud/#KMS-PutKeyPolicy)\n\n**Description:** Attaches a key policy to the specified KMS key.\n\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20089,9 +20272,9 @@ } }, { - "id": 3811232773, + "id": 2905031489, "definition": { - "title": "ScheduleKeyDeletion", + "title": "PutKeyPolicy", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20109,7 +20292,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutKeyPolicy $userIdentity.arn $network.client.ip $account" } } ], 
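Review bot: The new `PutKeyPolicy` note widget links the KMS-ransomware write-up but says nothing about what separates that abuse from routine key administration, and the `query_value` widget in the same hunk group only counts `@evt.name:PutKeyPolicy`, so the tile will be dominated by normal activity. The `content` string could carry one extra line such as `Look for policies that grant key usage to principals outside the account; the policy document is logged in requestParameters.policy.` Whether a Datadog facet exists on that nested attribute is not visible here; if it does, a second query scoped to it would be a far better signal than the raw count.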
@@ -20131,10 +20314,10 @@ } }, { - "id": 2000087617, + "id": 2611959616, "definition": { "type": "note", - "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n", + "content": "### [ScheduleKeyDeletion](https://traildiscover.cloud/#KMS-ScheduleKeyDeletion)\n\n**Description:** Schedules the deletion of a KMS key.\n\n**Related Research:**\n- [ Threat Hunting with CloudTrail and GuardDuty in Splunk](https://www.chrisfarris.com/post/reinforce-threat-hunting/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20150,9 +20333,9 @@ } }, { - "id": 1042855375, + "id": 259982017, "definition": { - "title": "Encrypt", + "title": "ScheduleKeyDeletion", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20170,7 +20353,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:ScheduleKeyDeletion $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20192,10 +20375,10 @@ } }, { - "id": 2845019087, + "id": 3055559038, "definition": { "type": "note", - "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n", + "content": "### [Encrypt](https://traildiscover.cloud/#KMS-Encrypt)\n\n**Description:** Encrypts plaintext of up to 4,096 bytes using a KMS key. \n\n**Related Incidents:**\n- [Cloud Security Stories: From Risky Permissions to Ransomware Execution](https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/)\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20211,9 +20394,9 @@ } }, { - "id": 4035270493, + "id": 2851065087, "definition": { - "title": "PutObject", + "title": "Encrypt", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20231,7 +20414,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:Encrypt $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20253,10 +20436,10 @@ } }, { - "id": 3232371856, + "id": 461916175, "definition": { "type": "note", - "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", + "content": "### [CreateKey](https://traildiscover.cloud/#KMS-CreateKey)\n\n**Description:** Creates a unique customer managed KMS key in your AWS account and Region.\n\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20272,9 +20455,9 @@ } }, { - "id": 28317079, + "id": 2404905872, "definition": { - "title": "PutBucketVersioning", + "title": "CreateKey", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20292,7 +20475,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:CreateKey $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20314,10 +20497,10 @@ } }, { - "id": 1539225098, + "id": 1437359938, "definition": { "type": "note", - "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [PutObject](https://traildiscover.cloud/#S3-PutObject)\n\n**Description:** Adds an object to a bucket.\n\n**Related Incidents:**\n- [Incident Report: TaskRouter JS SDK Security Incident - July 19, 2020](https://www.twilio.com/en-us/blog/incident-report-taskrouter-js-sdk-july-2020)\n- [LA Times homicide website throttles cryptojacking attack](https://www.tripwire.com/state-of-security/la-times-website-cryptojacking-attack)\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20333,9 +20516,9 @@ } }, { - "id": 2729476504, + "id": 3281010748, "definition": { - "title": "PutBucketLifecycle", + "title": "PutObject", "title_size": "16", "title_align": "left", "type": "query_value", @@ -20353,7 +20536,7 @@ "aggregation": "count" }, "search": { - "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" + "query": "source:cloudtrail @evt.name:PutObject $userIdentity.arn $network.client.ip $account" } } ], 
@@ -20375,10 +20558,10 @@ } }, { - "id": 1339693669, + "id": 2726076801, "definition": { "type": "note", - "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "content": "### [PutBucketVersioning](https://traildiscover.cloud/#S3-PutBucketVersioning)\n\n**Description:** Sets the versioning state of an existing bucket.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n**Related Research:**\n- [Exfiltrating S3 Data with Bucket Replication Policies](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", "background_color": "white", "font_size": "14", "text_align": "left", 
@@ -20394,7 +20577,129 @@ } }, { - "id": 283122540, + "id": 2521582850, + "definition": { + "title": "PutBucketVersioning", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:PutBucketVersioning $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 14, + "width": 2, + "height": 2 + } + }, + { + "id": 3897043442, + "definition": { + "type": "note", + "content": "### [PutBucketLifecycle](https://traildiscover.cloud/#S3-PutBucketLifecycle)\n\n**Description:** Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration.\n\n**Related Incidents:**\n- [USA VS Nickolas Sharp](https://www.justice.gov/usao-sdny/press-release/file/1452706/dl)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 4, + "y": 14, + "width": 2, + "height": 2 + } + }, + { + "id": 1545065843, + "definition": { + "title": "PutBucketLifecycle", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:PutBucketLifecycle $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + 
"formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 14, + "width": 2, + "height": 2 + } + }, + { + "id": 446471734, + "definition": { + "type": "note", + "content": "### [DeleteBucket](https://traildiscover.cloud/#S3-DeleteBucket)\n\n**Description:** Deletes the S3 bucket.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 8, + "y": 14, + "width": 2, + "height": 2 + } + }, + { + "id": 241977783, "definition": { "title": "DeleteBucket", "title_size": "16", 
@@ -20429,14 +20734,75 @@ "precision": 2 }, "layout": { - "x": 2, + "x": 10, "y": 14, "width": 2, "height": 2 } }, { - "id": 1471879893, + "id": 4183624403, + "definition": { + "type": "note", + "content": "### [PutBucketEncryption](https://traildiscover.cloud/#S3-PutBucketEncryption)\n\n**Description:** This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket.\n\n**Related Research:**\n- [Encrypting buckets for compliance and ransom - How Attackers Can Use KMS to Ransomware S3 Buckets](https://blog.pepperclipp.com/pepperclipp-public/encrypting-buckets-for-compliance-and-ransom-how-attackers-can-use-kms-to-ransomware-s3-buckets)\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "has_padding": true + }, + "layout": { + "x": 0, + "y": 16, + "width": 2, + "height": 2 + } + }, + { + "id": 3979130452, + "definition": { + "title": "PutBucketEncryption", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "search": { + "query": "source:cloudtrail @evt.name:PutBucketEncryption $userIdentity.arn $network.client.ip $account" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 16, + "width": 2, + "height": 2 + } + }, + { + "id": 1337993294, "definition": { "type": "note", "content": "### [DeleteObject](https://traildiscover.cloud/#S3-DeleteObject)\n\n**Description:** Removes an object from a bucket. 
The behavior depends on the bucket's versioning state.\n\n**Related Incidents:**\n- [Ransomware in the cloud](https://www.invictus-ir.com/news/ransomware-in-the-cloud)\n- [The attack on ONUS \u2013 A real-life case of the Log4Shell vulnerability](https://cystack.net/research/the-attack-on-onus-a-real-life-case-of-the-log4shell-vulnerability)\n- [20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets](https://www.databreaches.net/20-20-eye-care-network-and-hearing-care-network-notify-3253822-health-plan-members-of-breach-that-deleted-contents-of-aws-buckets/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n", @@ -20449,13 +20815,13 @@ }, "layout": { "x": 4, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 2562792412, + "id": 3181644104, "definition": { "title": "DeleteObject", "title_size": "16", 
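Review bot: The `PutBucketEncryption` tile added in hunk `@@ -20429,14 +20734,75 @@` counts every default-encryption change, but the linked research is about SSE-KMS being pointed at a key the bucket owner does not control, and a plain count does not distinguish that from the common compliance task of enabling SSE-S3. The note text should state what to look for, e.g. `Review requestParameters.ServerSideEncryptionConfiguration: an SSEAlgorithm of aws:kms with a KMSMasterKeyID in another account, or a key created moments earlier by the same principal, is the pattern described in the research.` The `"y": 16` changes in the surrounding hunks are only re-layout and need no action.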
@@ -20491,16 +20857,16 @@ }, "layout": { "x": 6, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 1340330003, + "id": 2892784367, "definition": { "type": "note", - "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", + "content": "### [InvokeModel](https://traildiscover.cloud/#Bedrock-InvokeModel)\n\n**Description:** Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.\n\n**Related Incidents:**\n- [LLMjacking: Stolen Cloud Credentials Used in New AI Attack](https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/)\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark 
Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20510,13 +20876,13 @@ }, "layout": { "x": 8, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 383097761, + "id": 540806768, "definition": { "title": "InvokeModel", "title_size": "16", @@ -20552,13 +20918,13 @@ }, "layout": { "x": 10, - "y": 14, + "y": 16, "width": 2, "height": 2 } }, { - "id": 3916995784, + "id": 1544987205, "definition": { "type": "note", "content": "### [PutFoundationModelEntitlement](https://traildiscover.cloud/#Bedrock-PutFoundationModelEntitlement)\n\n**Description:** Grants permission to put entitlement to access a foundation model.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n", @@ -20571,13 +20937,13 @@ }, "layout": { "x": 0, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 712941007, + "id": 1340493254, "definition": { "title": "PutFoundationModelEntitlement", "title_size": "16", 
@@ -20613,13 +20979,13 @@ }, "layout": { "x": 2, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 1333747597, + "id": 315971101, "definition": { "type": "note", "content": "### [InvokeModelWithResponseStream](https://traildiscover.cloud/#Bedrock-InvokeModelWithResponseStream)\n\n**Description:** Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", @@ -20632,13 +20998,13 @@ }, "layout": { "x": 4, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 2424660116, + "id": 2258960798, "definition": { "title": "InvokeModelWithResponseStream", "title_size": "16", 
@@ -20674,16 +21040,16 @@ }, "layout": { "x": 6, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 3765344185, + "id": 687447857, "definition": { "type": "note", - "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", + "content": "### [PutUseCaseForModelAccess](https://traildiscover.cloud/#Bedrock-PutUseCaseForModelAccess)\n\n**Description:** Grants permission to put a use case for model access.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n- [Datadog threat roundup: top insights for Q4 2024](https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/)\n", "background_color": "white", "font_size": "14", "text_align": "left", @@ -20693,13 +21059,13 @@ }, "layout": { "x": 8, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 660628295, + "id": 482953906, "definition": { "title": "PutUseCaseForModelAccess", "title_size": "16", 
@@ -20735,13 +21101,13 @@ }, "layout": { "x": 10, - "y": 16, + "y": 18, "width": 2, "height": 2 } }, { - "id": 3997465091, + "id": 797262961, "definition": { "type": "note", "content": "### [CreateFoundationModelAgreement](https://traildiscover.cloud/#Bedrock-CreateFoundationModelAgreement)\n\n**Description:** Grants permission to create a new foundation model agreement.\n\n**Related Incidents:**\n- [Detecting AI resource-hijacking with Composite Alerts](https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts)\n- [When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying](https://permiso.io/blog/exploiting-hosted-models)\n- [New Developments in LLM Hijacking Activity](https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws)\n", @@ -20754,13 +21120,13 @@ }, "layout": { "x": 0, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 793410314, + "id": 592769010, "definition": { "title": "CreateFoundationModelAgreement", "title_size": "16", @@ -20796,13 +21162,13 @@ }, "layout": { "x": 2, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 964139264, + "id": 663708682, "definition": { "type": "note", "content": "### [DeleteVolume](https://traildiscover.cloud/#EC2-DeleteVolume)\n\n**Description:** Deletes the specified EBS volume. The volume must be in the available state (not attached to an instance).\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -20815,13 +21181,13 @@ }, "layout": { "x": 4, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 2055051783, + "id": 359875844, "definition": { "title": "DeleteVolume", "title_size": "16", 
@@ -20857,13 +21223,13 @@ }, "layout": { "x": 6, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 1107119633, + "id": 3214901639, "definition": { "type": "note", "content": "### [StartInstances](https://traildiscover.cloud/#EC2-StartInstances)\n\n**Description:** Starts an Amazon EBS-backed instance that you've previously stopped.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -20876,13 +21242,13 @@ }, "layout": { "x": 8, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 149887391, + "id": 763585153, "definition": { "title": "StartInstances", "title_size": "16", @@ -20918,13 +21284,13 @@ }, "layout": { "x": 10, - "y": 18, + "y": 20, "width": 2, "height": 2 } }, { - "id": 4220665973, + "id": 2325890647, "definition": { "type": "note", "content": "### [CreateDefaultVpc](https://traildiscover.cloud/#EC2-CreateDefaultVpc)\n\n**Description:** Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -20937,13 +21303,13 @@ }, "layout": { "x": 0, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 1016611196, + "id": 2121396696, "definition": { "title": "CreateDefaultVpc", "title_size": "16", 
@@ -20979,13 +21345,13 @@ }, "layout": { "x": 2, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 2416430180, + "id": 1683119794, "definition": { "type": "note", "content": "### [TerminateInstances](https://traildiscover.cloud/#EC2-TerminateInstances)\n\n**Description:** Shuts down the specified instances. This operation is idempotent; if you terminate an instance more than once, each call succeeds.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Former Cisco engineer sentenced to prison for deleting 16k Webex accounts](https://www.zdnet.com/article/former-cisco-engineer-sentenced-to-prison-for-deleting-16k-webex-accounts/)\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -20998,13 +21364,13 @@ }, "layout": { "x": 4, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 3606681586, + "id": 1478625843, "definition": { "title": "TerminateInstances", "title_size": "16", 
@@ -21040,13 +21406,13 @@ }, "layout": { "x": 6, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 2885405672, + "id": 2498560809, "definition": { "type": "note", "content": "### [StopInstances](https://traildiscover.cloud/#EC2-StopInstances)\n\n**Description:** Stops an Amazon EBS-backed instance.\n\n**Related Incidents:**\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n**Related Research:**\n- [Executing commands through EC2 user data](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/executing-commands-through-user-data/)\n- [Attack Paths Into VMs in the Cloud](https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/)\n", @@ -21059,13 +21425,13 @@ }, "layout": { "x": 8, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 1928173430, + "id": 2294066858, "definition": { "title": "StopInstances", "title_size": "16", @@ -21101,13 +21467,13 @@ }, "layout": { "x": 10, - "y": 20, + "y": 22, "width": 2, "height": 2 } }, { - "id": 3879624235, + "id": 2180779923, "definition": { "type": "note", "content": "### [DeleteSnapshot](https://traildiscover.cloud/#EC2-DeleteSnapshot)\n\n**Description:** Deletes the specified snapshot.\n\n**Related Incidents:**\n- [Hacker Puts Hosting Service Code Spaces Out of Business](https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/)\n", @@ -21120,13 +21486,13 @@ }, "layout": { "x": 0, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 2922391993, + "id": 1976285972, "definition": { "title": "DeleteSnapshot", "title_size": "16", 
@@ -21162,13 +21528,13 @@ }, "layout": { "x": 2, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 3979852272, + "id": 4182629567, "definition": { "type": "note", "content": "### [RunInstances](https://traildiscover.cloud/#EC2-RunInstances)\n\n**Description:** Launches the specified number of instances using an AMI for which you have permissions.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [DXC spills AWS private keys on public GitHub](https://www.theregister.com/2017/11/14/dxc_github_aws_keys_leaked/)\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [Behind the scenes in the Expel SOC: Alert-to-fix in AWS](https://expel.com/blog/behind-the-scenes-expel-soc-alert-aws/)\n- [When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability](https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/)\n- [SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto](https://sysdig.com/blog/scarleteel-2-0/)\n- [ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING](https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/)\n- [UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR](https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/)\n- [Clear and Uncommon Story About Overcoming Issues With AWS](https://topdigital.agency/clear-and-uncommon-story-about-overcoming-issues-with-aws/)\n- [onelogin 2017 Security Incident](https://web.archive.org/web/20210620180614/https://www.onelogin.com/blog/may-31-2017-security-incident)\n- [BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability](https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/)\n- [Navigating the 
Cloud: Exploring Lateral Movement Techniques](https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n- [Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments](https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/)\n**Related Research:**\n- [Launching EC2 instances](https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/launching-ec2-instances/)\n- [Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident](https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide)\n- [AWS IAM Privilege Escalation Techniques](https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/)\n- [Abusing VPC Traffic Mirroring in AWS](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/)\n", @@ -21181,13 +21547,13 @@ }, "layout": { "x": 4, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 2923281143, + "id": 3878796729, "definition": { "title": "RunInstances", "title_size": "16", @@ -21223,13 +21589,13 @@ }, "layout": { "x": 6, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 4065113202, + "id": 2618342603, "definition": { "type": "note", "content": "### [DeleteGlobalCluster](https://traildiscover.cloud/#RDS-DeleteGlobalCluster)\n\n**Description:** Deletes a global database cluster. The primary and secondary clusters must already be detached or destroyed first.\n\n**Related Research:**\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", 
@@ -21242,13 +21608,13 @@ }, "layout": { "x": 8, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 3008542073, + "id": 2413848652, "definition": { "title": "DeleteGlobalCluster", "title_size": "16", @@ -21284,13 +21650,13 @@ }, "layout": { "x": 10, - "y": 22, + "y": 24, "width": 2, "height": 2 } }, { - "id": 2166150838, + "id": 3652564906, "definition": { "type": "note", "content": "### [DeleteDBCluster](https://traildiscover.cloud/#RDS-DeleteDBCluster)\n\n**Description:** The DeleteDBCluster action deletes a previously provisioned DB cluster.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n**Related Research:**\n- [Hunting AWS RDS security events with Sysdig](https://sysdig.com/blog/aws-rds-security-events-sysdig/)\n- [AWS Deletion of RDS Instance or Cluster](https://www.elastic.co/guide/en/security/current/aws-deletion-of-rds-instance-or-cluster.html)\n", @@ -21303,13 +21669,13 @@ }, "layout": { "x": 0, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 1208918596, + "id": 3348732068, "definition": { "title": "DeleteDBCluster", "title_size": "16", @@ -21345,13 +21711,13 @@ }, "layout": { "x": 2, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2348860085, + "id": 1369524372, "definition": { "type": "note", "content": "### [DeleteDBInstance](https://traildiscover.cloud/#RDS-DeleteDBInstance)\n\n**Description:** Deletes a previously provisioned DB instance.\n\n**Related Incidents:**\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", 
@@ -21364,13 +21730,13 @@ }, "layout": { "x": 4, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 1292288956, + "id": 1165030421, "definition": { "title": "DeleteDBInstance", "title_size": "16", @@ -21406,13 +21772,13 @@ }, "layout": { "x": 6, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2478876094, + "id": 419198030, "definition": { "type": "note", "content": "### [CreateEmailIdentity](https://traildiscover.cloud/#SES-CreateEmailIdentity)\n\n**Description:** Starts the process of verifying an email identity. An identity is an email address or domain that you use when you send email.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n", @@ -21425,13 +21791,13 @@ }, "layout": { "x": 8, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 3669127500, + "id": 2262848840, "definition": { "title": "CreateEmailIdentity", "title_size": "16", @@ -21467,13 +21833,13 @@ }, "layout": { "x": 10, - "y": 24, + "y": 26, "width": 2, "height": 2 } }, { - "id": 2852953170, + "id": 1279292368, "definition": { "type": "note", "content": "### [UpdateAccountSendingEnabled](https://traildiscover.cloud/#SES-UpdateAccountSendingEnabled)\n\n**Description:** Enables or disables email sending across your entire Amazon SES account in the current AWS Region.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n- [SES-PIONAGE](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)\n", @@ -21486,13 +21852,13 @@ }, "layout": { "x": 0, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 1895720928, + "id": 3222282065, "definition": { "title": "UpdateAccountSendingEnabled", "title_size": "16", 
@@ -21528,13 +21894,13 @@ }, "layout": { "x": 2, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 2505448745, + "id": 1819621997, "definition": { "type": "note", "content": "### [VerifyEmailIdentity](https://traildiscover.cloud/#SES-VerifyEmailIdentity)\n\n**Description:** Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it.\n\n**Related Incidents:**\n- [Compromised Cloud Compute Credentials: Case Studies From the Wild](https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab)\n", @@ -21547,13 +21913,13 @@ }, "layout": { "x": 4, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 3596361264, + "id": 1515789159, "definition": { "title": "VerifyEmailIdentity", "title_size": "16", @@ -21589,13 +21955,13 @@ }, "layout": { "x": 6, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 4123711108, + "id": 3375814332, "definition": { "type": "note", "content": "### [RegisterTaskDefinition](https://traildiscover.cloud/#ECS-RegisterTaskDefinition)\n\n**Description:** Registers a new task definition from the supplied family and containerDefinitions.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -21608,13 +21974,13 @@ }, "layout": { "x": 8, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 919656331, + "id": 1023836733, "definition": { "title": "RegisterTaskDefinition", "title_size": "16", 
@@ -21650,13 +22016,13 @@ }, "layout": { "x": 10, - "y": 26, + "y": 28, "width": 2, "height": 2 } }, { - "id": 2837011868, + "id": 1224151, "definition": { "type": "note", "content": "### [CreateService](https://traildiscover.cloud/#ECS-CreateService)\n\n**Description:** Runs and maintains your desired number of tasks from a specified task definition.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n", @@ -21669,13 +22035,13 @@ }, "layout": { "x": 0, - "y": 28, + "y": 30, "width": 2, "height": 2 } }, { - "id": 1879779626, + "id": 1944213848, "definition": { "title": "CreateService", "title_size": "16", @@ -21711,13 +22077,13 @@ }, "layout": { "x": 2, - "y": 28, + "y": 30, "width": 2, "height": 2 } }, { - "id": 3073378852, + "id": 681946865, "definition": { "type": "note", "content": "### [CreateCluster](https://traildiscover.cloud/#ECS-CreateCluster)\n\n**Description:** Creates a new Amazon ECS cluster.\n\n**Related Incidents:**\n- [Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining](https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/)\n- [New tactics and techniques for proactive threat detection](https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf)\n", @@ -21730,13 +22096,13 @@ }, "layout": { "x": 4, - "y": 28, + "y": 30, "width": 2, "height": 2 } }, { - "id": 2116146610, + "id": 2525597675, "definition": { "title": "CreateCluster", "title_size": "16", 
@@ -21772,13 +22138,13 @@ }, "layout": { "x": 6, - "y": 28, + "y": 30, "width": 2, "height": 2 } }, { - "id": 3241026039, + "id": 324586611, "definition": { "type": "note", "content": "### [RequestServiceQuotaIncrease](https://traildiscover.cloud/#ServiceQuotas-RequestServiceQuotaIncrease)\n\n**Description:** Submits a quota increase request for the specified quota at the account or resource level.\n\n**Related Incidents:**\n- [The curious case of DangerDev@protonmail.me](https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me)\n- [Incident report: From CLI to console, chasing an attacker in AWS](https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/)\n", @@ -21791,13 +22157,13 @@ }, "layout": { "x": 8, - "y": 28, + "y": 30, "width": 2, "height": 2 } }, { - "id": 36971262, + "id": 120092660, "definition": { "title": "RequestServiceQuotaIncrease", "title_size": "16", @@ -21833,7 +22199,7 @@ }, "layout": { "x": 10, - "y": 28, + "y": 30, "width": 2, "height": 2 } @@ -21842,9 +22208,9 @@ }, "layout": { "x": 0, - "y": 235, + "y": 237, "width": 12, - "height": 32 + "height": 34 } } ], diff --git a/docs/events.csv b/docs/events.csv index b8f7737..d78b810 100644 --- a/docs/events.csv +++ b/docs/events.csv 
@@ -70,6 +70,7 @@ CreateSAMLProvider,iam.amazonaws.com,IAM,Creates an IAM resource that describes ListAccessKeys,iam.amazonaws.com,IAM,Returns information about the access key IDs associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}]",[],Attackers might use ListAccessKeys to identify and exploit unused or unmonitored AWS IAM access keys.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-access-keys --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAccessKeys,"[{""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""Access key information can reveal details about the IAM user's identity, such as their role and permissions, which can be valuable for planning further attacks.""}, {""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""By listing access keys, attackers can identify existing cloud infrastructure accounts and keys, revealing how the cloud environment is structured.""}]" DeleteRolePolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DeleteRolePolicy to remove security policies, potentially escalating their privileges.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-policy --role-name TrailDiscover-Role --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePolicy,"[{""technique"": ""T1531 - 
Account Access Removal"", ""reason"": ""Deleting inline policies from IAM roles can remove critical permissions, effectively locking out legitimate users or restricting their access. This action can hinder incident response and obscure the attacker's presence in the environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By deleting IAM role policies, an attacker could impair security tools that rely on those policies for correct operation, effectively reducing the efficacy of security defenses.""}]" DetachRolePolicy,iam.amazonaws.com,IAM,Removes the specified managed policy from the specified role.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use DetachRolePolicy to remove crucial permissions from IAM roles, disrupting AWS services.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam detach-role-policy --role-name TrailDiscover --policy-arn arn:aws:iam::123456789012:policy/FederatedTesterAccessPolicy""}]",https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By detaching policies from roles, attackers can invalidate certain permissions, reducing the risk of detection while using compromised accounts.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By detaching policies, attackers can remove access permissions, disrupting legitimate user operations and evading detection.""}, {""technique"": 
""T1070 - Indicator Removal"", ""reason"": ""Removing policies can be part of a strategy to clean up indicators of malicious activity on the account, aiding in defense evasion.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Detaching policies may impair security configurations, reducing the ability of the environment to detect or prevent further malicious activities.""}]" +ListUserPolicies,iam.amazonaws.com,IAM,Lists the names of the inline policies embedded in the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use ListUserPolicies to identify permissions associated with various users in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-user-policies --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListUserPolicies,[] UpdateLoginProfile,iam.amazonaws.com,IAM,"Changes the password for the specified IAM user. 
You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user.","TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use UpdateLoginProfile to change the password of an IAM user, gaining unauthorized access to it.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_update_login_profile.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam update-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateLoginProfile,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Changing an IAM user's password allows an attacker to maintain access using a legitimate account.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Changing the password directly impacts the authentication process, potentially 
locking out legitimate users and ensuring only the attacker has access.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Changing the password of an IAM user can also serve as a means to remove legitimate account access for the rightful user, ensuring only the attacker can access the account.""}]" SimulatePrincipalPolicy,iam.amazonaws.com,IAM,Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}]",[],"Attackers might use SimulatePrincipalPolicy to understand the permissions of a principal, to later potentially exploiting any over-permissive policies. Using this technique might allow attackers to evade defenses while enumerating permissions.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/TrailDiscover --action-names codecommit:ListRepositories""}]",https://aws.permissions.cloud/iam/iam#iam-SimulatePrincipalPolicy,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": "" Using this API, attackers can determine the permissions associated with specific IAM roles or users, aiding in privilege escalation planning.""}, {""technique"": ""T1615 - Group Policy Discovery"", ""reason"": ""By simulating principal policies, attackers can identify the group policies and their impact on IAM roles and entities.""}]" CreatePolicy,iam.amazonaws.com,IAM,Creates a new managed policy for your AWS account.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,T1098.003 - Account Manipulation: Additional Cloud Roles,True,"[{""description"": ""New Developments in LLM Hijacking Activity"", ""link"": 
""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use CreatePolicy to create new IAM policies that later they can use for potentially granting themselves elevated permissions.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-policy --policy-name TrailDiscoverPolicy --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-CreatePolicy,[] 
@@ -77,11 +78,12 @@ GetAccountAuthorizationDetails,iam.amazonaws.com,IAM,"Retrieves information abou AddUserToGroup,iam.amazonaws.com,IAM,Adds the specified user to the specified group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use AddUserToGroup to add unauthorized users to privileged groups, gaining unauthorized access or escalating privileges.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam add-user-to-group --user-name TrailDiscover --group-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-AddUserToGroup,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adding a user to a group with elevated permissions can allow the user to maintain access to the AWS environment with legitimate credentials.""}]" ListGroups,iam.amazonaws.com,IAM,Lists the IAM groups that have the specified path prefix.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListGroups to identify potential targets by gathering information about IAM groups and their permissions.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-groups""}]",https://aws.permissions.cloud/iam/iam#iam-ListGroups,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Listing IAM groups helps identify the permission groups within an AWS environment, which is crucial for understanding the access levels and privileges assigned to different users.""}]" UpdateAccessKey,iam.amazonaws.com,IAM,"Changes the status of the 
specified access key from Active to Inactive, or vice versa.",TA0003 - Persistence,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS - IAM Privesc"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc""}]","Attackers might use UpdateAccessKey to modify existing IAM user access keys, potentially gaining unauthorized access to AWS services.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAccessKey,"[{""technique"": ""T1070. - Indicator Removal"", ""reason"": ""Disabling keys can be a tactic to remove indicators of compromise, because keys need to be disabled before deletion, preventing detection and forensic analysis.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Temporarily deactivating keys to remove access can help adversaries evade detection while they perform malicious activities.""}]" -ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": ""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}, {""description"": ""Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments"", ""link"": ""https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": 
""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. Knowledge of valid accounts can help in attempts to compromise or leverage these accounts.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment.""}]" +ListUsers,iam.amazonaws.com,IAM,"Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Ransomware in the cloud"", ""link"": ""https://www.invictus-ir.com/news/ransomware-in-the-cloud""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}, {""description"": ""Cloud-Conscious Tactics, Techniques,and Procedures (TTPs)"", ""link"": 
""https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf""}, {""description"": ""Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments"", ""link"": ""https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]","[{""description"": ""Following attackers\u2019 (Cloud)trail in AWS: Methodology and findings in the wild"", ""link"": ""https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/""}]","Attackers might use ListUsers to enumerate IAM users for further attacks, such as adding keys or creating a login profile for persistence.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-users""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListUsers,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Attackers may use the ListUsers API call to discover valid user accounts within an AWS environment. 
Knowledge of valid accounts can help in attempts to compromise or leverage these accounts.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Knowledge of IAM users can help an attacker identify which processes might be running under specific user accounts, assisting in further exploitation or lateral movement within the cloud environment.""}]" UpdateAssumeRolePolicy,iam.amazonaws.com,IAM,Updates the policy that grants an IAM entity permission to assume a role.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]",Attackers might use UpdateAssumeRolePolicy to modify the assume role policy allowing access from an attacker compromised account.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-assume-role-policy --role-name TrailDiscover-Role --policy-document {}""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateAssumeRolePolicy,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Updating the assume role policy can allow attackers to use valid IAM roles to maintain access.""}, {""technique"": ""T1036 - Masquerading"", ""reason"": ""Attackers can allow access from an account they control to assume a valid role that is used in the organization making the access appear legitimate""}]" CreateAccessKey,iam.amazonaws.com,IAM,Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. 
The default status for new keys is Active.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts","T1078.004 - Valid Accounts: Cloud Accounts, T1136.003 - Create Account: Cloud Account",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"", ""link"": ""https://sysdig.com/blog/scarleteel-2-0/""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""BrowserStack analysis: unpatched inactive machine compromised by shellshock vulnerability"", ""link"": ""https://www.databreaches.net/browserstack-analysis-unpatched-inactive-machine-compromised-by-shellshock-vulnerability/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM 
Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers might use CreateAccessKey to generate unauthorized access keys, enabling them to gain illicit access to AWS services and resources.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-access-key --user-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user""}]",https://aws.permissions.cloud/iam/iam#iam-CreateAccessKey,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""New keys can be used for account manipulation activities, providing additional or unauthorized access.""}]" CreatePolicyVersion,iam.amazonaws.com,IAM,Creates a new version of the specified managed policy.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,T1098.003 - Account Manipulation: Additional Cloud Roles,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use CreatePolicyVersion to modify IAM policies, potentially granting themselves elevated permissions.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TrailDiscover --policy-document 
{}""}]",https://aws.permissions.cloud/iam/iam#iam-CreatePolicyVersion,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""By altering IAM policies, attackers can remove access for legitimate users, ensuring only malicious actors maintain control.""}, {""technique"": ""T1489 - Service Stop"", ""reason"": ""By altering permissions with a new policy version, an attacker could restrict or stop critical services within an AWS environment.""}]" DeleteUserPolicy,iam.amazonaws.com,IAM,Deletes the specified inline policy that is embedded in the specified IAM user.,"TA0005 - Defense Evasion, TA0004 - Privilege Escalation","T1578 - Modify Cloud Compute Infrastructure, T1098 - Account Manipulation",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPolicy to remove security policies and gain unauthorized access to AWS resources.,"[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-policy --user-name TrailDiscover --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Removing a policy from an IAM user could be a step to disable access for an account, which aligns with tactics for impact.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Removing policies can help adversaries to evade detection and persist in the environment by 
modifying account permissions.""}]" +ListAttachedUserPolicies,iam.amazonaws.com,IAM,Lists all managed policies that are attached to the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use ListAttachedUserPolicies to identify and exploit permissions associated with various users in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-attached-user-policies --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListAttachedUserPolicies,[] ListRoles,iam.amazonaws.com,IAM,Lists the IAM roles that have the specified path prefix. ,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]","[{""description"": ""AWS - IAM Enum"", ""link"": ""https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum""}]",Attackers might use ListRoles to identify potential targets for privilege escalation attacks in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-roles""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance""}]",https://aws.permissions.cloud/iam/iam#iam-ListRoles,"[{""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Discovering IAM roles helps adversaries understand their permissions and group memberships, enabling them to identify roles with excessive privileges that can be misused for unauthorized activities.""}, {""technique"": ""T1518 - Software Discovery"", ""reason"": ""Listing IAM roles can reveal roles associated with various software applications, including security, administrative, and operational 
tools.""}]" UpdateSAMLProvider,iam.amazonaws.com,IAM,Updates the metadata document for an existing SAML provider resource object.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,,False,[],"[{""description"": ""Gaining AWS Persistence by Updating a SAML Identity Provider"", ""link"": ""https://medium.com/@adan.alvarez/gaining-aws-persistence-by-updating-a-saml-identity-provider-ef57ebdc8db5""}]",Attackers might use UpdateSAMLProvider to change the metadata document from a SAML provider for latter being able to assume the roles that trust this provider.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam update-saml-provider --saml-metadata-document file://TrailDiscoverSAMLMetaData.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/traildiscover""}]",https://aws.permissions.cloud/iam/iam#iam-UpdateSAMLProvider,"[{""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The UpdateSAMLProvider API call allows changing the SAML metadata document, directly affecting how AWS handles authentication through SAML assertions. This can enable an attacker to alter authentication mechanisms or potentially introduce unauthorized access methods.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""By changing the SAML metadata document, an attacker could gain access to valid accounts. The new or altered assertions in the SAML metadata can be used to authenticate as legitimate AWS users or roles.""}, {""technique"": ""T1550 - Use Alternate Authentication Material"", ""reason"": ""Altering the SAML metadata document provides an opportunity to use different authentication material. 
An attacker could insert alternate cryptographic keys or certificates into the SAML assertions, allowing them to authenticate to AWS resources as a trusted user or entity.""}]" PutRolePermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM role's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutRolePermissionsBoundary to modify permissions boundaries, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-role-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutRolePermissionsBoundary,"[{""technique"": ""T1212 - Exploitation for Privilege Escalation"", ""reason"": ""Modifying permissions boundaries can be used to elevate the privileges of the role, enabling actions that would otherwise be restricted.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""By altering the permissions boundary, attackers can change the authentication process for the role to grant themselves higher privileges.""}]" 
@@ -89,7 +91,7 @@ StartSSO,sso.amazonaws.com,SSO,Initialize AWS IAM Identity Center,TA0003 - Persi PutUserPermissionsBoundary,iam.amazonaws.com,IAM,Adds or updates the policy that is specified as the IAM user's permissions boundary.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutUserPermissionsBoundary to modify the permissions boundary for an IAM user, potentially escalating privileges or enabling unauthorized access.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam put-user-permissions-boundary --permissions-boundary arn:aws:iam::123456789012:policy/intern-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPermissionsBoundary,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Setting a permissions boundary might be part of a strategy to later remove access to certain resources or actions, effectively controlling or limiting account capabilities.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Attackers may modify permissions boundaries to ensure their access is maintained across cloud accounts, preventing account lockout or access removal.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Changing the permissions boundary might be used to impact security settings or access, impairing the effectiveness of security tools and preventing detection or response to malicious activity.""}]" ListSAMLProviders,iam.amazonaws.com,IAM,Lists the SAML provider resource objects defined in IAM in the account.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListSAMLProviders to discover if there are SAML 
providers configured.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-saml-providers""}]",https://aws.permissions.cloud/iam/iam#iam-ListSAMLProviders,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Listing SAML providers can help attackers map out the cloud infrastructure and understand how identity federation is being handled within the account.""}, {""technique"": ""T1592 - Gather Victim Host Information"", ""reason"": ""Identifying SAML providers can reveal details about the host environment and configurations, which may be used to further map the attack surface.""}, {""technique"": ""T1589 - Gather Victim Identity Information"", ""reason"": ""Listing SAML providers can help attackers collect information about identities and roles within the target environment, aiding in crafting more targeted attacks""}]" DeleteUserPermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM user.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteUserPermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user-permissions-boundary --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUserPermissionsBoundary,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Compromised cloud accounts can be manipulated by deleting permissions boundaries, giving adversaries increased permissions to execute further malicious activities.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Deleting the permissions boundary could be part of a broader strategy to disable or modify security tools or settings to avoid detection.""}]" -GetUser,iam.amazonaws.com,IAM,"Retrieves information about the 
specified IAM user, including the user's creation date, path, unique ID, and ARN.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""GotRoot! AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use GetUser to obtain user information.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetUser,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access.""}]" +GetUser,iam.amazonaws.com,IAM,"Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.",TA0007 - Discovery,T1087 - Account Discovery,T1087.004 - Account Discovery: Cloud Account,True,"[{""description"": ""GotRoot! 
AWS root Account Takeover"", ""link"": ""https://medium.com/@gchib/naturesbasket-aws-root-account-takeover-e4aa5c5e95e1""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use GetUser to obtain user information.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam get-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-GetUser,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Adversaries use existing cloud accounts to gain access to cloud services. The GetUser API call can reveal information useful for identifying valid accounts.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""By retrieving information about IAM users, adversaries can gather details about the system environment and user configurations.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries may enumerate existing IAM users to identify which accounts can be targeted for access removal in order to evade detection and maintain access.""}]" DeleteAccessKey,iam.amazonaws.com,IAM,Deletes the access key pair associated with the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteAccessKey to revoke legitimate user access to AWS services. 
Also, it can be used to delete previously used keys to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-access-key --access-key-id AKIDPMS9RO4H3FEXAMPLE --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteAccessKey,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting the access key pair is a direct method to remove access credentials, which aligns with the technique of account access removal.""}]" DeleteUser,iam.amazonaws.com,IAM,Deletes the specified IAM user.,TA0005 - Defense Evasion,"T1578 - Modify Cloud Compute Infrastructure, T1070 - Indicator Removal",,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Insider Threat Risks to Flat Environments"", ""link"": ""https://www.mandiant.com/sites/default/files/2021-09/rpt-mtrends-2021-3.pdf""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]",[],"Attackers might use DeleteUser to remove users and their permissions, disrupting access control in AWS. Also, it can be used to delete previously used users to avoid detection.",[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-user --user-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteUser,"[{""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Deleting a user account immediately revokes all permissions and access rights associated with that IAM user, disrupting access to critical resources. This action can prevent legitimate users from performing essential tasks, effectively halting operations and response efforts.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": "" The deletion of an IAM user can be part of a deliberate attempt to destroy data or disrupt normal operations. 
Users often have associated data, policies, and access controls that, when removed, can result in data loss or corruption. ""}]" AttachRolePolicy,iam.amazonaws.com,IAM,"Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.",TA0004 - Privilege Escalation,T1098 - Account Manipulation,,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Tales from the cloud trenches: Unwanted visitor"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/""}, {""description"": ""Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments"", ""link"": ""https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use AttachRolePolicy to grant malicious policies to IAM roles, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/TrailDiscover --role-name TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role""}]",https://aws.permissions.cloud/iam/iam#iam-AttachRolePolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Attaching policies with permissions that affect logging or monitoring tools can be used to evade detection by modifying the environment to reduce 
visibility.""}]" 
@@ -101,7 +103,7 @@ ListAttachedRolePolicies,iam.amazonaws.com,IAM,Lists all managed policies that a PutUserPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM user.,"TA0003 - Persistence, TA0004 - Privilege Escalation",T1098 - Account Manipulation,T1098.003 - Account Manipulation: Additional Cloud Roles,True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""ANATOMY OF AN ATTACK: EXPOSED KEYS TO CRYPTO MINING"", ""link"": ""https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}]","[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers use PutUserPolicy to grant an inline policy to IAM users, potentially escalating privileges or enabling unauthorized access to AWS resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}, {""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-user-policy --user-name TrailDiscover --policy-name TrailDiscover --policy-document {}""}]",https://aws.permissions.cloud/iam/iam#iam-PutUserPolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""By embedding policies that allow for disabling or bypassing security controls, adversaries can impair defense mechanisms.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""Adversaries may use PutUserPolicy to remove access 
rights for legitimate users, causing disruption.""}, {""technique"": ""T1068 - Exploitation for Privilege Escalation"", ""reason"": ""If an adversary can modify policies to grant administrative privileges, they effectively escalate their privileges.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Inline policies can be changed to weaken authentication requirements, making it easier for adversaries to access the account.""}]" ListServiceSpecificCredentials,iam.amazonaws.com,IAM,Returns information about the service-specific credentials associated with the specified IAM user.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Muddled Libra\u2019s Evolution to the Cloud"", ""link"": ""https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/""}]",[],Attackers might use ListServiceSpecificCredentials to get information about the relationship about users and services and gather CredentialIds.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-service-specific-credentials --user-name traildiscover --service-name codecommit.amazonaws.com""}]",https://aws.permissions.cloud/iam/iam#iam-ListServiceSpecificCredentials,"[{""technique"": ""T1580 - Cloud Infrastructure Discovery"", ""reason"": ""Adversaries may enumerate cloud infrastructure to understand the environment better, and listing service-specific credentials provides information about the associated IAM users""}]" DeleteRolePermissionsBoundary,iam.amazonaws.com,IAM,Deletes the permissions boundary for the specified IAM role.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]",Attackers might use DeleteRolePermissionsBoundary to remove restrictions and gain unauthorized access to AWS resources.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam delete-role-permissions-boundary 
--role-name trail-discover""}]",https://aws.permissions.cloud/iam/iam#iam-DeleteRolePermissionsBoundary,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Removing permissions boundaries can weaken the security posture by reducing the effectiveness of policies designed to limit role actions.""}, {""technique"": ""T1068 - Exploitation for Privilege Escalation"", ""reason"": ""Removing permissions boundaries may be used as part of exploiting a misconfiguration to gain elevated privileges.""}]" -ListRolePolicies,iam.amazonaws.com,IAM,Lists the names of the inline policies that are embedded in the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies,"[{""technique"": ""T1484 - Domain Policy Discovery"", ""reason"": ""Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities.""}]" +ListRolePolicies,iam.amazonaws.com,IAM,Lists the names of the inline policies that are embedded in the specified IAM role.,TA0007 - Discovery,T1087 - Account Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": 
""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use ListRolePolicies to identify permissions associated with various roles in AWS.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam list-role-policies --role-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ListRolePolicies,"[{""technique"": ""T1484 - Domain Policy Discovery"", ""reason"": ""Inline policies may reveal roles with the ability to discover or enumerate domain policies, which can be used to further understand the security posture and potential attack paths within the environment.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Inline policies may help identify roles with permissions to discover running processes, aiding in reconnaissance activities.""}]" PutGroupPolicy,iam.amazonaws.com,IAM,Adds or updates an inline policy document that is embedded in the specified IAM group.,TA0004 - Privilege Escalation,T1098 - Account Manipulation,,False,[],"[{""description"": ""AWS IAM Privilege Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}]","Attackers might use PutGroupPolicy to modify permissions of a group, potentially granting unauthorized access to sensitive resources.","[{""type"": ""cloudwatchCISControls"", ""value"": ""https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-4""}]","[{""type"": ""commandLine"", ""value"": ""aws iam put-group-policy --group-name TrailDiscover --policy-document {} --policy-name TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-PutGroupPolicy,"[{""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Inline policies can be altered to disable or impair security features such as monitoring and 
alerting.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Inline policies can be modified to change authentication processes, making it easier to bypass existing security controls.""}]" ChangePassword,iam.amazonaws.com,IAM,Changes the password of the IAM user who is calling this operation.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1136 - Create Account, T1078 - Valid Accounts",T1078.004 - Valid Accounts: Cloud Accounts,False,[],"[{""description"": ""AWS CloudTrail cheat sheet"", ""link"": ""https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet""}, {""description"": ""IAM User Changes Alarm"", ""link"": ""https://asecure.cloud/a/cwalarm_iam_user_changes/""}]",Attackers might use ChangePassword to alter user credentials.,[],"[{""type"": ""commandLine"", ""value"": ""aws iam change-password --old-password TrailDiscover --new-password TrailDiscover""}]",https://aws.permissions.cloud/iam/iam#iam-ChangePassword,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Changing the password of an IAM user can be used to maintain access to an account, thus manipulating account credentials.""}, {""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""Changing the password modifies the authentication process for the IAM user, which can be a method to evade detection.""}, {""technique"": ""T1531 - Account Access Removal"", ""reason"": ""An attacker might change a password to lock out the legitimate user, removing their access.""}]" CreateLoginProfile,iam.amazonaws.com,IAM,Creates a password for the specified IAM user. 
A password allows an IAM user to access AWS services through the AWS Management Console.,"TA0003 - Persistence, TA0004 - Privilege Escalation","T1098 - Account Manipulation, T1078 - Valid Accounts","T1078.004 - Valid Accounts: Cloud Accounts, T1078.001 - Valid Accounts: Local Accounts, T1098.001 - Account Manipulation: Additional Cloud Credentials",True,"[{""description"": ""The curious case of DangerDev@protonmail.me"", ""link"": ""https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me""}, {""description"": ""Incident report: From CLI to console, chasing an attacker in AWS"", ""link"": ""https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/""}, {""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""UNMASKING GUI-VIL: FINANCIALLY MOTIVATED CLOUD THREAT ACTOR"", ""link"": ""https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/""}, {""description"": ""LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD"", ""link"": ""https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Tales from the cloud trenches: Unwanted visitor"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]","[{""description"": ""Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident"", ""link"": ""https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide""}, {""description"": ""AWS IAM Privilege 
Escalation Techniques"", ""link"": ""https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/""}, {""description"": ""AWS IAM Persistence Methods"", ""link"": ""https://hackingthe.cloud/aws/post_exploitation/iam_persistence/""}]","Attackers use CreateLoginProfile to create login credentials for IAM users, allowing them access to the user via the AWS console.","[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws iam create-login-profile --user-name TrailDiscover --password TrailDiscover""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile""}]",https://aws.permissions.cloud/iam/iam#iam-CreateLoginProfile,"[{""technique"": ""T1556 - Modify Authentication Process"", ""reason"": ""The CreateLoginProfile API call can be used to set a new password for an existing IAM user, effectively modifying the authentication process for that user.""}]" 
@@ -177,17 +179,17 @@ DeleteObject,s3.amazonaws.com,S3,Removes an object from a bucket. The behavior d GetBucketRequestPayment,s3.amazonaws.com,S3,Returns the request payment configuration of a bucket.,TA0007 - Discovery,T1526 - Cloud Service Discovery,,True,"[{""description"": ""Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments"", ""link"": ""https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/""}]",[],Attackers might use GetBucketRequestPayment to check who pays for request and the data download.,[],"[{""type"": ""commandLine"", ""value"": ""aws s3api get-object-lock-configuration --bucket TrailDiscoverBucket""}]",https://aws.permissions.cloud/iam/s3#s3-GetBucketRequestPayment,[] JobCreated,s3.amazonaws.com,S3,"When a Batch Operations job is created, it is recorded as a JobCreated event in CloudTrail.",TA0010 - Exfiltration,T1537 - Transfer Data to Cloud Account,,False,[],"[{""description"": ""Exfiltrating S3 Data with Bucket Replication Policies"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}]",Attackers might use Batch Operations jobs to initiate unauthorized data transfer or manipulation tasks in S3.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1560 - Archive Collected Data"", ""reason"": ""An attacker could use the S3 Batch Operations to aggregate and compress large amounts of data for exfiltration, creating a job that is recorded as a JobCreated event.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""The JobCreated event indicates that data could be staged in an S3 bucket, possibly in preparation for further actions such as exfiltration.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The job creation could be part of an automated process designed to move data out of the environment, with minimal manual intervention required once set up.""}, {""technique"": ""T1105 - 
Ingress Tool Transfer"", ""reason"": ""A JobCreated event could be used to transfer tools or scripts into the environment, using S3 as a storage mechanism before execution.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The Batch Operations job may involve communication over standard protocols (like HTTPS) for command and control, making it harder to detect malicious activity.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""Attackers may manipulate or create new accounts with the necessary permissions to execute Batch Operations jobs, facilitating unauthorized data access or exfiltration.""}]" ListObjects,s3.amazonaws.com,S3,"Returns some or all (up to 1,000) of the objects in a bucket.",TA0007 - Discovery,T1619 - Cloud Storage Object Discovery,,True,"[{""description"": ""Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/""}, {""description"": ""Cloud Security Stories: From Risky Permissions to Ransomware Execution"", ""link"": ""https://sonraisecurity.com/blog/cloud-security-stories-from-risky-permissions-to-ransomware-execution/""}, {""description"": ""Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets"", ""link"": ""https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/""}]",[],Attackers might use ListObjects to identify potentially sensitive objects stored in S3 buckets.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",N/A,"[{""technique"": ""T1083 - File and Directory Discovery"", ""reason"": ""Even though directory buckets are not supported, ListObjects allows an attacker to discover the contents and structure of an S3 bucket by listing objects.""}, {""technique"": ""T1213 - Data from Information Repositories"", ""reason"": ""The ListObjects call enables the retrieval of data stored within S3 
buckets, which are often utilized as information repositories.""}]" -InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel,"[{""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. 
For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers.""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API.""}]" +InvokeModel,bedrock.amazonaws.com,Bedrock,Invokes the specified Amazon Bedrock model to run inference using the prompt and inference parameters provided in the request body.,"TA0007 - Discovery, TA0040 - Impact","T1580 - Cloud Infrastructure Discovery, T1496 - Resource Hijacking",,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": 
""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use InvokeModel to check if the credentials have access to the LLMs and they have been enabled and invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel,"[{""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""The InvokeModel API call can be scripted to run repeatedly, allowing for the continuous extraction of data. For example, an attacker could automate requests to the API, each time providing new or varied prompts that extract different pieces of sensitive information""}, {""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""An attacker who has access to AWS credentials can set up a process where InvokeModel API calls are made to generate sensitive information in small chunks. Each chunk of data, once generated, can be immediately sent to an S3 bucket or another cloud storage service controlled by the attacker. 
This method ensures that data is consistently moved out of the compromised environment without raising alarms associated with large data transfers.""}, {""technique"": ""T1203 - Exploitation for Client Execution"", ""reason"": ""Exploiting vulnerabilities in a model's interface could trigger unintended code execution through the InvokeModel API.""}]" GetUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to retrieve a use case for model access.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetUseCaseForModelAccess to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetUseCaseForModelAccess,"[{""technique"": ""T1078 - Valid Accounts: Cloud Accounts"", ""reason"": ""If an attacker obtains credentials to use the GetUseCaseForModelAccess API call, they can gather sensitive information about model access use cases, which may aid further malicious activity.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""The GetUseCaseForModelAccess API call can be used to collect details about model access, revealing important information about the environment and configurations, which is a form of system discovery.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""The API call can potentially be used to extract detailed data regarding model use cases, equivalent to gathering sensitive data from the local cloud environment.""}, {""technique"": ""T1530 - Data from Cloud Storage"", ""reason"": ""If the GetUseCaseForModelAccess API provides links or references to data 
stored in cloud storage, an attacker could use it to access and exfiltrate sensitive data.""}, {""technique"": ""T1020 - Automated Exfiltration"", ""reason"": ""An attacker could script the API call to automatically extract and exfiltrate information about model use cases over time.""}, {""technique"": ""T1074 - Data Staged"", ""reason"": ""Step-by-step explanation: The results from the GetUseCaseForModelAccess call could be staged locally in the attacker's environment for later exfiltration or use.""}]" ListProvisionedModelThroughputs,bedrock.amazonaws.com,Bedrock,Grants permission to list provisioned model throughputs that you created earlier.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListProvisionedModelThroughputs to gather information on existing inputs and outputs for models in use.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListProvisionedModelThroughputs,"[{""technique"": ""T1087.004 - Cloud Account"", ""reason"": ""The ListProvisionedModelThroughputs API call can help an attacker identify active cloud accounts and associated resources by listing the provisioned models, providing insight into the resources allocated in the cloud environment.""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""This API call can be used to gather information about the configuration and state of the provisioned model throughputs, which contributes to understanding the system's current setup and operational status.""}, {""technique"": ""T1530 - Data from Cloud Storage Object"", ""reason"": ""By listing provisioned model throughputs, an attacker can potentially identify models and associated data stored in cloud storage, enabling them to target specific data 
repositories.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Legitimate cloud accounts with access to this API call can be used to gather information on provisioned models. If an attacker gains control of such an account, they can enumerate resources to assess what data and services are available within the cloud environment.""}]" -PutFoundationModelEntitlement,bedrock.amazonaws.com,Bedrock,Grants permission to put entitlement to access a foundation model.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""By modifying account entitlements, an attacker could adjust or extend permissions, gaining higher privileges or persistence within the cloud environment.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Authorized accounts might be modified or managed to maintain persistent access to foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. Access might be granted to default accounts, which could be exploited if not properly managed. 
Local accounts could be granted access, potentially leading to unauthorized activities within the environment.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion.""}]" +PutFoundationModelEntitlement,bedrock.amazonaws.com,Bedrock,Grants permission to put entitlement to access a foundation model.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use PutFoundationModelEntitlement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""By modifying account entitlements, an attacker could adjust or extend permissions, gaining higher privileges or persistence within the cloud environment.""}, {""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Authorized accounts might be modified or managed to maintain persistent access to foundational models. Cloud accounts could be granted additional entitlements, leading to unauthorized access or privileges within the cloud environment. 
Access might be granted to default accounts, which could be exploited if not properly managed. Local accounts could be granted access, potentially leading to unauthorized activities within the environment.""}, {""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""The granted entitlements may include permissions that enable the execution of scripts or code, potentially facilitating the execution of malicious scripts under legitimate operations within a controlled environment.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Adjusting entitlements could be used to weaken security controls and mechanisms, aiding in defense evasion.""}]" InvokeModelWithResponseStream,bedrock.amazonaws.com,Bedrock,Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""New tactics and techniques for proactive threat detection"", ""link"": ""https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use InvokeModelWithResponseStream to invoke the model for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModelWithResponseStream,"[{""technique"": ""T1059 - Command and Scripting Interpreter"", ""reason"": ""Attackers could potentially exploit the model invocation process to execute arbitrary commands or scripts, depending on how the input data to the model is handled and interpreted.""}, {""technique"": ""T1020 - 
Automated Exfiltration"", ""reason"": ""The streaming response can be used to automatically exfiltrate data as it is processed by the model.""}, {""technique"": ""T1041 - Exfiltration Over C2 Channel"", ""reason"": ""The streaming response feature can be exploited to send sensitive data back to an attacker over an established C2 channel.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""If the Bedrock model has access to and processes local system data, attackers could leverage the API call to collect sensitive information. This scenario assumes that the model's processing involves data that might include confidential or proprietary information.""}, {""technique"": ""T1071.004 - Application Layer Protocol: DNS"", ""reason"": ""DNS can be used for exfiltration or command and control if the model's streaming response can be encoded into DNS queries/responses.""}]" -PutUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to put a use case for model access.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access.""}, {""technique"": ""T1098 - Account 
Manipulation"", ""reason"": ""This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or maintaining access.""}]" -GetFoundationModelAvailability,bedrock.amazonaws.com,Bedrock,Grants permission to get the availability of a foundation model.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}]",[],Attackers might use GetFoundationModelAvailability to enumerate accessible models,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information.""}]" -ListFoundationModels,bedrock.amazonaws.com,Bedrock,Grants permission to list Bedrock foundation models that you can use.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModels to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels,"[{""technique"": ""T1087 - Account 
Discovery"", ""reason"": ""Listing foundation models can help an adversary understand what cloud resources are available and their configurations""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing foundation models helps in gathering detailed system information.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""Adversaries may list foundation models to understand the trust relationships and dependencies between different cloud resources.""}]" -ListFoundationModelAgreementOffers,bedrock.amazonaws.com,Bedrock,Grants permission to get a list of foundation model agreement offers.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers,"[{""technique"": ""T1591.002 - Gather Victim Org Information: Business Relationships"", ""reason"": ""The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details.""}, {""technique"": ""T1591 - Gather Victim Org Information"", ""reason"": ""This API call might yield information about the internal structure of the organization, such as departments or teams 
involved with foundation models, contributing to a broader understanding of the target's organizational setup.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery.""}]" +PutUseCaseForModelAccess,bedrock.amazonaws.com,Bedrock,Grants permission to put a use case for model access.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use PutUseCaseForModelAccess to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess,"[{""technique"": ""T1078 - Valid Accounts"", ""reason"": ""Although not creating new users, it enables valid accounts to access models, which can be exploited for continued access.""}, {""technique"": ""T1098 - Account Manipulation"", ""reason"": ""This API call allows manipulation of permissions related to model access, which can be leveraged for privilege escalation or 
maintaining access.""}]" +GetFoundationModelAvailability,bedrock.amazonaws.com,Bedrock,Grants permission to get the availability of a foundation model.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": ""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use GetFoundationModelAvailability to enumerate accessible models,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability,"[{""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Querying the availability of foundation models is a form of system information discovery, as it provides insight into the operational aspects of the system.""}, {""technique"": ""T1590 - Gather Victim Network Information"", ""reason"": ""The GetFoundationModelAvailability call can be used to determine the state and availability of foundation models, which is valuable host information.""}]" +ListFoundationModels,bedrock.amazonaws.com,Bedrock,Grants permission to list Bedrock foundation models that you can use.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""Datadog threat roundup: top insights for Q4 2024"", ""link"": 
""https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/""}]",[],Attackers might use ListFoundationModels to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModels,"[{""technique"": ""T1087 - Account Discovery"", ""reason"": ""Listing foundation models can help an adversary understand what cloud resources are available and their configurations""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""Listing foundation models can be a step towards understanding the processes and operations running within the cloud environment.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""Identifying which models are accessible can reveal information about permission groups and roles within the cloud environment""}, {""technique"": ""T1082 - System Information Discovery"", ""reason"": ""Listing foundation models helps in gathering detailed system information.""}, {""technique"": ""T1482 - Domain Trust Discovery"", ""reason"": ""Adversaries may list foundation models to understand the trust relationships and dependencies between different cloud resources.""}]" +ListFoundationModelAgreementOffers,bedrock.amazonaws.com,Bedrock,Grants permission to get a list of foundation model agreement offers.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}]",[],Attackers might use ListFoundationModelAgreementOffers to enumerate accessible models.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers,"[{""technique"": ""T1591.002 - Gather Victim 
Org Information: Business Relationships"", ""reason"": ""The list of foundation model agreement offers can provide insights into the organization's partnerships and agreements with other entities, revealing valuable business relationship details.""}, {""technique"": ""T1591 - Gather Victim Org Information"", ""reason"": ""This API call might yield information about the internal structure of the organization, such as departments or teams involved with foundation models, contributing to a broader understanding of the target's organizational setup.""}, {""technique"": ""T1069 - Permission Groups Discovery"", ""reason"": ""The information retrieved from this API call could indicate which groups or roles within the AWS account have permissions to access these foundation models, helping to understand the permission hierarchy and potential targets for privilege escalation or further discovery.""}]" GetModelInvocationLoggingConfiguration,bedrock.amazonaws.com,Bedrock,Get the current configuration values for model invocation logging.,TA0007 - Discovery,T1580 - Cloud Infrastructure Discovery,,True,"[{""description"": ""LLMjacking: Stolen Cloud Credentials Used in New AI Attack"", ""link"": ""https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use GetModelInvocationLoggingConfiguration to check S3 and Cloudwatch logging configuration.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-GetModelInvocationLoggingConfiguration,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Knowing the logging setup allows attackers to delete or alter logs to avoid detection and cover their tracks.""}, {""technique"": ""T1027 - Obfuscated Files or Information"", ""reason"": ""Attackers may use knowledge of logging configurations to craft their 
actions in ways that avoid triggering specific logging mechanisms.""}, {""technique"": ""T1518.001 - Software Discovery"", ""reason"": ""Understanding how model invocation is logged can reveal what security software is in use.""}, {""technique"": ""T1562 - Impair Defenses"", ""reason"": ""Knowing the logging configuration can help attackers understand how to disable or evade defensive logging.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""Attackers might tailor their command and control communication methods based on the logging configurations discovered.""}, {""technique"": ""T1212 - Exploitation for Credential Access"", ""reason"": ""If the option textDataDeliveryEnabled is activated there could be credentials in it which attackers can exploit. If the option imageDataDeliveryEnabled is activated there could be sensitive information in the images which are delivered in the logs.""}]" -CreateFoundationModelAgreement,bedrock.amazonaws.com,Bedrock,Grants permission to create a new foundation model agreement.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to 
manipulate account permissions. Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges.""}]" +CreateFoundationModelAgreement,bedrock.amazonaws.com,Bedrock,Grants permission to create a new foundation model agreement.,TA0040 - Impact,T1496 - Resource Hijacking,,True,"[{""description"": ""Detecting AI resource-hijacking with Composite Alerts"", ""link"": ""https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts""}, {""description"": ""When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying"", ""link"": ""https://permiso.io/blog/exploiting-hosted-models""}, {""description"": ""New Developments in LLM Hijacking Activity"", ""link"": ""https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws""}]",[],Attackers might use CreateFoundationModelAgreement to prepare for using foundation models for resource hijacking.,[],"[{""type"": ""commandLine"", ""value"": ""N/A""}, {""type"": ""stratusRedTeam"", ""value"": ""https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model""}]",https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement,"[{""technique"": ""T1098 - Account Manipulation"", ""reason"": ""The CreateFoundationModelAgreement API call allows users to create or modify agreements, which can be used to manipulate account permissions. 
Attackers can create agreements with elevated privileges or modify existing ones to gain unauthorized access or escalate privileges.""}]" CreateInstanceExportTask,ec2.amazonaws.com,EC2,Exports a running or stopped instance to an Amazon S3 bucket.,"TA0009 - Collection, TA0010 - Exfiltration","T1005 - Data from Local System, T1537 - Transfer Data to Cloud Account",,False,[],"[{""description"": ""AWS EC2 VM Export Failure"", ""link"": ""https://www.elastic.co/guide/en/security/current/aws-ec2-vm-export-failure.html""}]",Attackers might use CreateInstanceExportTask to extract or exfiltrate information,"[{""type"": ""sigma"", ""value"": ""https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml""}]","[{""type"": ""commandLine"", ""value"": ""aws ec2 create-instance-export-task --instance-id TrailDiscoverInstanceId --target-environment TrailDiscoverTargetEnvironment --export-to-s3-task DiskImageFormat=TrailDiscoverDiskImageFormat,ContainerFormat=TrailDiscoverContainerFormat,S3Bucket=TrailDiscoverS3Bucket,S3Prefix=TrailDiscoverS3Prefix""}]",https://aws.permissions.cloud/iam/ec2#ec2-CreateInstanceExportTask,"[{""technique"": ""T1567 - Exfiltration Over Web Service"", ""reason"": ""Exporting an EC2 instance to an S3 bucket involves transferring data over a web service, which aligns with exfiltrating data through a web-based method.""}, {""technique"": ""T1071 - Application Layer Protocol"", ""reason"": ""The export task utilizes application layer protocols for communication, relevant for exfiltrating data using such protocols.""}, {""technique"": ""T1005 - Data from Local System"", ""reason"": ""The instance's data being exported can be seen as collecting data from a local system before transferring it to another location.""}]" GetConsoleScreenshot,ec2.amazonaws.com,EC2,Retrieve a JPG-format screenshot of a running instance to help with troubleshooting.,TA0007 - Discovery,T1580 - Cloud Infrastructure 
Discovery,,True,"[{""description"": ""Compromised Cloud Compute Credentials: Case Studies From the Wild"", ""link"": ""https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab""}]",[],"Attackers might use GetConsoleScreenshot to capture the current state of an EC2 instance's console, potentially revealing sensitive information displayed on the screen or identifying misconfigurations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 get-console-screenshot --instance-id TrailDiscoverInstanceId""}]",https://aws.permissions.cloud/iam/ec2#ec2-GetConsoleScreenshot,"[{""technique"": ""T1113 - Screen Capture"", ""reason"": ""The GetConsoleScreenshot API call captures a screenshot of a running EC2 instance, providing a visual snapshot of the system's state. This can reveal sensitive information displayed on the screen, such as open applications, user activities, or visible credentials.""}, {""technique"": ""T1087 - Account Discovery"", ""reason"": ""The screenshot can provide insights into user accounts and other details visible on the instance, aiding in account discovery.""}, {""technique"": ""T1057 - Process Discovery"", ""reason"": ""The screenshot might reveal running processes or applications, helping in process discovery.""}, {""technique"": ""T1016 - System Network Configuration Discovery"", ""reason"": ""Screenshots may reveal network configurations displayed on the system's desktop.""}, {""technique"": ""T1018 - Remote System Discovery"", ""reason"": ""Information visible in the screenshot might provide details about other systems or network topology.""}, {""technique"": ""T1110 - Brute Force"", ""reason"": ""If the screenshot shows login prompts or error messages related to login attempts, it can aid in brute force attempts.""}]" DeleteVolume,ec2.amazonaws.com,EC2,Deletes the specified EBS volume. 
The volume must be in the available state (not attached to an instance).,TA0040 - Impact,T1485 - Data Destruction,,True,"[{""description"": ""Hacker Puts Hosting Service Code Spaces Out of Business"", ""link"": ""https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/""}]",[],"Attackers might use DeleteVolume to remove Elastic Block Store (EBS) volumes, leading to data loss and potentially disrupting operations.",[],"[{""type"": ""commandLine"", ""value"": ""aws ec2 delete-volume --volume-id TrailDiscoverVolumeId""}]",https://aws.permissions.cloud/iam/ec2#ec2-DeleteVolume,"[{""technique"": ""T1070 - Indicator Removal"", ""reason"": ""Deleting an EBS volume can be used to remove evidence of malicious activity, such as log files or other data stored on the volume.""}, {""technique"": ""T1485 - Data Destruction"", ""reason"": ""The deletion of an EBS volume results in the permanent loss of the data it contained, which is a form of data destruction.""}, {""technique"": ""T1561 - Disk Wipe"", ""reason"": ""Deleting the volume ensures that all data on the volume is removed, which is similar to a disk wipe.""}]" diff --git a/docs/events.json b/docs/events.json index 92cf80d..39d7442 100644 --- a/docs/events.json +++ b/docs/events.json 
@@ -3706,6 +3706,37 @@ ], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DetachRolePolicy" }, + { + "eventName": "ListUserPolicies", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the names of the inline policies embedded in the specified IAM user.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [], + "usedInWild": true, + "incidents": [ + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListUserPolicies to identify permissions associated with various users in AWS.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws iam list-user-policies --user-name TrailDiscover" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUserPolicies" + }, { "eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com", @@ -4077,6 +4108,10 @@ { "description": "Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments", "link": "https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [ 
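Review bot: `mitreAttackSubTechniques` is left empty for the new ListUserPolicies entry in the `@@ -3706` hunk, while the ListAttachedUserPolicies entry added by this same commit carries `T1087.004 - Account Discovery: Cloud Account`; the two calls differ only in inline vs. managed policies, so this one should read `"mitreAttackSubTechniques": ["T1087.004 - Account Discovery: Cloud Account"]`. The `securityImplications` text says the call identifies permissions, but the `description` on the same hunk says it lists only the names of inline policies, so the policy documents still need a follow-up GetUserPolicy call — worth saying explicitly, since that two-step sequence is what a detection would key on. If docs/events.json is generated from events/IAM/*.json, the fix belongs in events/IAM/ListUserPolicies.json and should land here on regeneration rather than by hand-editing this file.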
@@ -4350,6 +4385,39 @@ ], "permissions": "https://aws.permissions.cloud/iam/iam#iam-DeleteUserPolicy" }, + { + "eventName": "ListAttachedUserPolicies", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists all managed policies that are attached to the specified IAM user.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [ + "T1087.004 - Account Discovery: Cloud Account" + ], + "unverifiedMitreAttackTechniques": [], + "usedInWild": true, + "incidents": [ + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListAttachedUserPolicies to identify and exploit permissions associated with various users in AWS.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws iam list-attached-user-policies --user-name TrailDiscover" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedUserPolicies" + }, { "eventName": "ListRoles", "eventSource": "iam.amazonaws.com", @@ -4689,6 +4757,10 @@ { "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], 
@@ -5265,6 +5337,10 @@ { "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -9248,6 +9324,10 @@ { "description": "New Developments in LLM Hijacking Activity", "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -9257,6 +9337,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel" @@ -9417,6 +9501,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement" @@ -9516,6 +9604,10 @@ { "description": "New Developments in LLM Hijacking Activity", "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -9525,6 +9617,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess" 
@@ -9560,6 +9656,10 @@ { "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", "link": "https://permiso.io/blog/exploiting-hosted-models" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -9569,6 +9669,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability" @@ -9612,6 +9716,10 @@ { "description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -9665,6 +9773,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers" @@ -9769,6 +9881,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement" diff --git a/docs/logExamples/ListAttachedUserPolicies.json.cloudtrail b/docs/logExamples/ListAttachedUserPolicies.json.cloudtrail new file mode 100644 index 0000000..9bc69d0 --- /dev/null +++ b/docs/logExamples/ListAttachedUserPolicies.json.cloudtrail 
@@ -0,0 +1,49 @@
+[
+ {
+ "awsRegion": "us-east-1",
+ "errorCode": "NoSuchEntityException",
+ "errorMessage": "The user with name TrailDiscover cannot be found.",
+ "eventCategory": "Management",
+ "eventID": "9a396e10-d67f-4f05-9f32-859ae5cade36",
+ "eventName": "ListAttachedUserPolicies",
+ "eventSource": "iam.amazonaws.com",
+ "eventTime": "2025-02-15T15:40:57Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.10",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "345594607949",
+ "requestID": "20de2ce1-33ee-4bb4-943b-2ff84ecfda78",
+ "requestParameters": {
+ "userName": "TrailDiscover"
+ },
+ "responseElements": null,
+ "sourceIPAddress": "46.6.38.8",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "iam.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_2801d487-3878-4c1f-983f-84915804c148 cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-attached-user-policies",
+ "userIdentity": {
+ "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+ "accountId": "345594607949",
+ "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2025-02-15T14:50:08Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "345594607949",
+ "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX",
+ "type": "Role",
+ "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+ }
+ },
+ "type": "AssumedRole"
+ }
+ }
+]
\ No newline at end of file
diff --git a/docs/logExamples/ListUserPolicies.json.cloudtrail b/docs/logExamples/ListUserPolicies.json.cloudtrail
new file mode 100644
index 0000000..fe57362
--- /dev/null
+++ b/docs/logExamples/ListUserPolicies.json.cloudtrail
@@ -0,0 +1,49 @@
+[
+ {
+ "awsRegion": "us-east-1",
+ "errorCode": "NoSuchEntityException",
+ "errorMessage": "The user with name TrailDiscover cannot be found.",
+ "eventCategory": "Management",
+ "eventID": "0da25550-3bef-4363-b108-ce251458810b",
+ "eventName": "ListUserPolicies",
+ "eventSource": "iam.amazonaws.com",
+ "eventTime": "2025-02-15T15:43:34Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.10",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "345594607949",
+ "requestID": "defb94d0-1b25-4aff-a0c7-4a504d404c51",
+ "requestParameters": {
+ "userName": "TrailDiscover"
+ },
+ "responseElements": null,
+ "sourceIPAddress": "46.6.38.8",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "iam.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_6d40e0be-ce78-4b14-9c52-518635abb5cb cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-user-policies",
+ "userIdentity": {
+ "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+ "accountId": "345594607949",
+ "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2025-02-15T14:50:08Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "345594607949",
+ "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX",
+ "type": "Role",
+ "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+ }
+ },
+ "type": "AssumedRole"
+ }
+ }
+]
\ No newline at end of file
diff --git a/events/Bedrock/CreateFoundationModelAgreement.json b/events/Bedrock/CreateFoundationModelAgreement.json index b7ab8a1..2943e17 100644 --- a/events/Bedrock/CreateFoundationModelAgreement.json +++ b/events/Bedrock/CreateFoundationModelAgreement.json @@ -38,6 +38,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-CreateFoundationModelAgreement" diff --git a/events/Bedrock/GetFoundationModelAvailability.json b/events/Bedrock/GetFoundationModelAvailability.json index 389f99d..fede95f 100644 --- a/events/Bedrock/GetFoundationModelAvailability.json +++ b/events/Bedrock/GetFoundationModelAvailability.json @@ -29,6 +29,10 @@ { "description": "When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying", "link": "https://permiso.io/blog/exploiting-hosted-models" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -38,6 +42,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-GetFoundationModelAvailability" diff --git a/events/Bedrock/InvokeModel.json b/events/Bedrock/InvokeModel.json index 0d9afd4..e022f2a 100644 --- a/events/Bedrock/InvokeModel.json +++ b/events/Bedrock/InvokeModel.json @@ -47,6 +47,10 @@ { "description": "New Developments in LLM Hijacking Activity", "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], 
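Review bot: The same Stratus Red Team URL (`aws.impact.bedrock-invoke-model`) is added as a `simulation` entry for CreateFoundationModelAgreement, GetFoundationModelAvailability and InvokeModel here, and for three more Bedrock events elsewhere in this commit; that is only accurate if the technique's warm-up and detonation actually issue each of those API calls, so I would confirm the emitted `eventName`s against a CloudTrail capture of one run and drop the entry from any event the technique does not produce. Enabling model access in an account is a change that plausibly outlives the detonation unless the technique reverts it, and detonating invokes a paid model, so a one-line caveat in the project's simulation documentation would help anyone using these entries to generate test telemetry. The existing `"type": "commandLine", "value": "N/A"` entries are kept alongside the new ones, which is fine as long as consumers of the `simulation` array tolerate both types.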
@@ -56,6 +60,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-InvokeModel" diff --git a/events/Bedrock/ListFoundationModelAgreementOffers.json b/events/Bedrock/ListFoundationModelAgreementOffers.json index 7584e36..6d7a1fc 100644 --- a/events/Bedrock/ListFoundationModelAgreementOffers.json +++ b/events/Bedrock/ListFoundationModelAgreementOffers.json @@ -38,6 +38,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-ListFoundationModelAgreementOffers" diff --git a/events/Bedrock/ListFoundationModels.json b/events/Bedrock/ListFoundationModels.json index 77a35b6..dfa6704 100644 --- a/events/Bedrock/ListFoundationModels.json +++ b/events/Bedrock/ListFoundationModels.json @@ -37,6 +37,10 @@ { "description": "Detecting AI resource-hijacking with Composite Alerts", "link": "https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], diff --git a/events/Bedrock/PutFoundationModelEntitlement.json b/events/Bedrock/PutFoundationModelEntitlement.json index a04e984..4b623ca 100644 --- a/events/Bedrock/PutFoundationModelEntitlement.json +++ b/events/Bedrock/PutFoundationModelEntitlement.json 
@@ -46,6 +46,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutFoundationModelEntitlement" diff --git a/events/Bedrock/PutUseCaseForModelAccess.json b/events/Bedrock/PutUseCaseForModelAccess.json index 14c3d8d..b284d88 100644 --- a/events/Bedrock/PutUseCaseForModelAccess.json +++ b/events/Bedrock/PutUseCaseForModelAccess.json @@ -33,6 +33,10 @@ { "description": "New Developments in LLM Hijacking Activity", "link": "https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], @@ -42,6 +46,10 @@ { "type": "commandLine", "value": "N/A" + }, + { + "type": "stratusRedTeam", + "value": "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model" } ], "permissions": "https://aws.permissions.cloud/iam/bedrock#bedrock-PutUseCaseForModelAccess" diff --git a/events/IAM/GetUser.json b/events/IAM/GetUser.json index 0dddcab..eef0aae 100644 --- a/events/IAM/GetUser.json +++ b/events/IAM/GetUser.json @@ -35,6 +35,10 @@ { "description": "Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets", "link": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], diff --git a/events/IAM/ListAttachedUserPolicies.json b/events/IAM/ListAttachedUserPolicies.json new file mode 100644 index 0000000..9083916 --- /dev/null +++ b/events/IAM/ListAttachedUserPolicies.json 
@@ -0,0 +1,33 @@
+{
+ "eventName": "ListAttachedUserPolicies",
+ "eventSource": "iam.amazonaws.com",
+ "awsService": "IAM",
+ "description": "Lists all managed policies that are attached to the specified IAM user.",
+ "mitreAttackTactics": [
+ "TA0007 - Discovery"
+ ],
+ "mitreAttackTechniques": [
+ "T1087 - Account Discovery"
+ ],
+ "mitreAttackSubTechniques": [
+ "T1087.004 - Account Discovery: Cloud Account"
+ ],
+ "unverifiedMitreAttackTechniques": [],
+ "usedInWild": true,
+ "incidents": [
+ {
+ "description": "Datadog threat roundup: top insights for Q4 2024",
+ "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
+ }
+ ],
+ "researchLinks": [],
+ "securityImplications": "Attackers might use ListAttachedUserPolicies to identify and exploit permissions associated with various users in AWS.",
+ "alerting": [],
+ "simulation": [
+ {
+ "type": "commandLine",
+ "value": "aws iam list-attached-user-policies --user-name TrailDiscover"
+ }
+ ],
+ "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListAttachedUserPolicies"
+}
\ No newline at end of file
diff --git a/events/IAM/ListAttachedUserPolicies.json.cloudtrail b/events/IAM/ListAttachedUserPolicies.json.cloudtrail
new file mode 100644
index 0000000..9bc69d0
--- /dev/null
+++ b/events/IAM/ListAttachedUserPolicies.json.cloudtrail
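Review bot: `securityImplications` overstates what this call yields: per the `description` on the same hunk it lists the managed policies attached to a user, i.e. policy identifiers, so the actual permission set still requires follow-up GetPolicy/GetPolicyVersion calls, and that two-step sequence is what a detection would look for. I would phrase it as `"securityImplications": "Attackers might use ListAttachedUserPolicies to enumerate which managed policies are attached to a user as a first step toward mapping its permissions (the policy documents themselves require GetPolicy/GetPolicyVersion)."`. The `alerting` array is empty; since IAM List* calls are also routine from consoles, IaC and scanners, a short note that any rule should key on the enumeration sequence or the calling identity rather than this single read-only event would spare readers a noisy detection.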
@@ -0,0 +1,49 @@
+[
+ {
+ "awsRegion": "us-east-1",
+ "errorCode": "NoSuchEntityException",
+ "errorMessage": "The user with name TrailDiscover cannot be found.",
+ "eventCategory": "Management",
+ "eventID": "9a396e10-d67f-4f05-9f32-859ae5cade36",
+ "eventName": "ListAttachedUserPolicies",
+ "eventSource": "iam.amazonaws.com",
+ "eventTime": "2025-02-15T15:40:57Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.10",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "345594607949",
+ "requestID": "20de2ce1-33ee-4bb4-943b-2ff84ecfda78",
+ "requestParameters": {
+ "userName": "TrailDiscover"
+ },
+ "responseElements": null,
+ "sourceIPAddress": "46.6.38.8",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "iam.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_2801d487-3878-4c1f-983f-84915804c148 cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-attached-user-policies",
+ "userIdentity": {
+ "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+ "accountId": "345594607949",
+ "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2025-02-15T14:50:08Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "345594607949",
+ "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX",
+ "type": "Role",
+ "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+ }
+ },
+ "type": "AssumedRole"
+ }
+ }
+]
\ No newline at end of file
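Review bot: The sample documents a failed call (`"errorCode": "NoSuchEntityException"` against the non-existent `TrailDiscover` user, `"responseElements": null`), so it does not show what a successful enumeration looks like, and a reader copying field shapes from it should be told that; capturing the simulation against an existing throwaway user would be more representative, though IAM List* calls may well still log `responseElements: null` on success, so the visible difference could be limited to the error fields — worth confirming. Two detection caveats are visible in the record and deserve a sentence in the event's documentation: `"readOnly": true` means any CloudTrail filter that only looks at write events will never see this call, and the presence of `errorCode` means pipelines that discard errored events will drop it too, even though failed lookups are exactly what enumeration of guessed user names produces. The record also embeds a real `accountId`, `sourceIPAddress` and operator name in `userIdentity.arn`; the `ASIA…` key id is a temporary session key and not a secret, but unless the project deliberately publishes samples unredacted, masking those three fields costs nothing.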
diff --git a/events/IAM/ListRolePolicies.json b/events/IAM/ListRolePolicies.json index 3466e8f..a41a99b 100644 --- a/events/IAM/ListRolePolicies.json +++ b/events/IAM/ListRolePolicies.json @@ -25,6 +25,10 @@ { "description": "Compromised Cloud Compute Credentials: Case Studies From the Wild", "link": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab" + }, + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" } ], "researchLinks": [], diff --git a/events/IAM/ListUserPolicies.json b/events/IAM/ListUserPolicies.json new file mode 100644 index 0000000..9ff76a8 --- /dev/null +++ b/events/IAM/ListUserPolicies.json @@ -0,0 +1,31 @@ +{ + "eventName": "ListUserPolicies", + "eventSource": "iam.amazonaws.com", + "awsService": "IAM", + "description": "Lists the names of the inline policies embedded in the specified IAM user.", + "mitreAttackTactics": [ + "TA0007 - Discovery" + ], + "mitreAttackTechniques": [ + "T1087 - Account Discovery" + ], + "mitreAttackSubTechniques": [], + "unverifiedMitreAttackTechniques": [], + "usedInWild": true, + "incidents": [ + { + "description": "Datadog threat roundup: top insights for Q4 2024", + "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/" + } + ], + "researchLinks": [], + "securityImplications": "Attackers might use ListUserPolicies to identify permissions associated with various users in AWS.", + "alerting": [], + "simulation": [ + { + "type": "commandLine", + "value": "aws iam list-user-policies --user-name TrailDiscover" + } + ], + "permissions": "https://aws.permissions.cloud/iam/iam#iam-ListUserPolicies" +} \ No newline at end of file diff --git a/events/IAM/ListUserPolicies.json.cloudtrail b/events/IAM/ListUserPolicies.json.cloudtrail new file mode 100644 index 0000000..fe57362 --- /dev/null +++ b/events/IAM/ListUserPolicies.json.cloudtrail 
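Review bot: `mitreAttackSubTechniques` is empty in the new events/IAM/ListUserPolicies.json while the sibling events/IAM/ListAttachedUserPolicies.json added by this commit carries `T1087.004 - Account Discovery: Cloud Account`; the two calls differ only in inline vs. managed policies, so the sub-technique should match: `"mitreAttackSubTechniques": ["T1087.004 - Account Discovery: Cloud Account"]`. `securityImplications` also says the call identifies permissions, but the `description` line says it lists only the names of inline policies — the documents need a follow-up GetUserPolicy — so I would phrase it as `"securityImplications": "Attackers might use ListUserPolicies to enumerate a user's inline policy names as a first step toward mapping its permissions (the policy documents themselves require GetUserPolicy)."`. If docs/events.json and docs/events.csv are generated from this directory, fixing it here and regenerating keeps the three copies consistent. The ListRolePolicies hunk on this line only adds an incident reference and needs nothing further.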
@@ -0,0 +1,49 @@
+[
+ {
+ "awsRegion": "us-east-1",
+ "errorCode": "NoSuchEntityException",
+ "errorMessage": "The user with name TrailDiscover cannot be found.",
+ "eventCategory": "Management",
+ "eventID": "0da25550-3bef-4363-b108-ce251458810b",
+ "eventName": "ListUserPolicies",
+ "eventSource": "iam.amazonaws.com",
+ "eventTime": "2025-02-15T15:43:34Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.10",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "345594607949",
+ "requestID": "defb94d0-1b25-4aff-a0c7-4a504d404c51",
+ "requestParameters": {
+ "userName": "TrailDiscover"
+ },
+ "responseElements": null,
+ "sourceIPAddress": "46.6.38.8",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "iam.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "aws-cli/2.17.32 md/awscrt#0.21.2 ua/2.0 os/linux#5.15.153.1-microsoft-standard-WSL2 md/arch#x86_64 lang/python#3.11.9 md/pyimpl#CPython exec-env/grimoire_6d40e0be-ce78-4b14-9c52-518635abb5cb cfg/retry-mode#standard md/installer#exe md/distrib#ubuntu.24 md/prompt#off md/command#iam.list-user-policies",
+ "userIdentity": {
+ "accessKeyId": "ASIAVA5YLHFG22UNOASA",
+ "accountId": "345594607949",
+ "arn": "arn:aws:sts::345594607949:assumed-role/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50/AdanAlvarez",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX:AdanAlvarez",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2025-02-15T14:50:08Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "345594607949",
+ "arn": "arn:aws:iam::345594607949:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50",
+ "principalId": "AROAVA5YLHFGXTTEWKGQX",
+ "type": "Role",
+ "userName": "AWSReservedSSO_ReadOnlyAccess_ff7f8c5c5851db50"
+ }
+ },
+ "type": "AssumedRole"
+ }
+ }
+]
\ No newline at end of file
diff --git a/events/IAM/ListUsers.json b/events/IAM/ListUsers.json
index 5f878b4..70f4070 100644
--- a/events/IAM/ListUsers.json
+++ b/events/IAM/ListUsers.json
@@ -51,6 +51,10 @@
 {
 "description": "Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments",
 "link": "https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/"
+ },
+ {
+ "description": "Datadog threat roundup: top insights for Q4 2024",
+ "link": "https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/"
 }
 ],
 "researchLinks": [
