From 4d9b504842acbe57a20791fc11c442fd6a64e435 Mon Sep 17 00:00:00 2001
From: Christophe Tafani-Dereeper <christophe.tafanidereeper@datadoghq.com>
Date: Thu, 14 Sep 2023 21:46:23 +0200
Subject: [PATCH] Add references to docs and fix line feeds (#409)

* Add reference to IAM user create profile attack technique

* Add Permiso reference to create IAM user technique

* Fix line feed

* Fix line feed

* Fix line feed

* Update main.go
---
 .../attacktechniques/aws/persistence/iam-backdoor-user/main.go  | 1 +
 .../aws/persistence/iam-create-admin-user/main.go               | 1 +
 .../aws/persistence/iam-create-user-login-profile/main.go       | 2 ++
 .../aws/persistence/lambda-overwrite-code/main.go               | 1 +
 .../gcp/persistence/create-admin-service-account/main.go        | 1 +
 5 files changed, 6 insertions(+)

diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
index ee78912d..d3ab0016 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -28,6 +28,7 @@ Detonation:
 - Create an IAM access key on the user.
 
 References:
+
 - https://sysdig.com/blog/scarleteel-2-0/
 `,
 		Detection: `
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
index 4476a3a9..49606c97 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
@@ -31,6 +31,7 @@ Detonation:
 References:
 
 - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
+- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
 `,
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
index 5b03f9d9..aa3e2713 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
@@ -31,7 +31,9 @@ Detonation:
 - Create an IAM Login Profile on the user
 
 References:
+
 - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
+- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
 `,
diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
index 104948a0..7e7067c0 100644
--- a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
@@ -34,6 +34,7 @@ Detonation:
 - Update the Lambda function code.
 
 References:
+
 - https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/
 - Expel's AWS security mindmap
 `,
diff --git a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
index 106adfc8..8cb975fe 100644
--- a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
+++ b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
@@ -33,6 +33,7 @@ Detonation:
 - Update the current GCP project's IAM policy to bind the service account to the <code>owner</code> role'
 
 References:
+
 - https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
 `,
 		Detection: `