From 4ee052aa1141f38884f3b7a2d550a0969c742e39 Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:37:42 +0200 Subject: [PATCH 1/6] Add reference to IAM user create profile attack technique --- .../aws/persistence/iam-create-user-login-profile/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go index 5b03f9d9..e2fe9a93 100644 --- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go +++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go @@ -32,6 +32,7 @@ Detonation: References: - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ +- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/ `, From 90b406d5429d80a722a13ff16be62d2d396f908a Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:38:36 +0200 Subject: [PATCH 2/6] Add Permiso reference to create IAM user technique --- .../aws/persistence/iam-create-admin-user/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go index 4476a3a9..49606c97 100644 --- a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go +++ b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go 
@@ -31,6 +31,7 @@ Detonation: References: - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ +- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/ `, From e50f7c1c9e0a394e1fe363c24ed1af24dca81f83 Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:42:52 +0200 Subject: [PATCH 3/6] Fix line feed --- .../aws/persistence/iam-create-user-login-profile/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go index e2fe9a93..aa3e2713 100644 --- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go +++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go @@ -31,6 +31,7 @@ Detonation: - Create an IAM Login Profile on the user References: + - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ From ed1eddbea6d15190ae0219cce7dac9b964c26ebc Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:43:48 +0200 Subject: [PATCH 4/6] Fix line feed --- .../attacktechniques/aws/persistence/iam-backdoor-user/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go index ee78912d..d3ab0016 100644 --- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go +++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go 
@@ -28,6 +28,7 @@ Detonation: - Create an IAM access key on the user. References: + - https://sysdig.com/blog/scarleteel-2-0/ `, Detection: ` From c71cdca7bbb09d3617145f0e72c807fa0f663f17 Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:44:17 +0200 Subject: [PATCH 5/6] Fix line feed --- .../gcp/persistence/create-admin-service-account/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go index 106adfc8..8cb975fe 100644 --- a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go +++ b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go @@ -33,6 +33,7 @@ Detonation: - Update the current GCP project's IAM policy to bind the service account to the owner role' References: + - https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ `, Detection: ` From c89a85a60789b034177bec597da2f046a00d3dbb Mon Sep 17 00:00:00 2001 From: Christophe Tafani-Dereeper Date: Thu, 14 Sep 2023 21:44:40 +0200 Subject: [PATCH 6/6] Update main.go --- .../aws/persistence/lambda-overwrite-code/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go index 104948a0..7e7067c0 100644 --- a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go +++ b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go @@ -34,6 +34,7 @@ Detonation: - Update the Lambda function code. References: + - https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/ - Expel's AWS security mindmap `,
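Review bot: in patch 1/6 the new Permiso GuiVil reference is inserted into a list that sits directly under `References:` with no blank line between heading and first bullet, and patch 3/6 then adds exactly that blank line to the same file under the subject "Fix line feed"; squash 3/6 into 1/6 so the series never lands a commit whose reference list renders as a run-on paragraph, and the intermediate "Fix line feed" commit disappears.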
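Review bot: patch 2/6 puts the same reference into iam-create-admin-user/main.go, where `References:` is likewise followed immediately by the list, but unlike the other files touched by this series no later patch adds the separating blank line here; add it in this hunk (`References:` / empty line / `- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/`) so the rendering fix is applied consistently across all five technique descriptions.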
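Review bot: the subject "Fix line feed" on patch 4/6 (and on 3/6 and 5/6) does not say what is fixed; the hunk inserts the blank line Markdown needs between `References:` and `- https://sysdig.com/blog/scarleteel-2-0/` for the bullet to render as a list, so a subject such as "Add missing blank line before references list" records the intent, or fold these whitespace-only commits into the commits that introduced the lists.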
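Review bot: the context line in patch 5/6, `- Update the current GCP project's IAM policy to bind the service account to the owner role'`, carries a stray trailing apostrophe after `role`; since this hunk already edits the surrounding documentation block in create-admin-service-account/main.go, drop the extra `'` here rather than leaving the typo in the rendered Detonation steps.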
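Review bot: "Update main.go" on patch 6/6 says nothing about the change; the hunk adds the blank line before the reference list and the Splunk detection link `https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/`, so name that in the subject. The adjacent entry `- Expel's AWS security mindmap` is the only reference in the series given without a URL; add the link so readers can reach it like the other references.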