Skip to content

Latest commit

 

History

History
24 lines (22 loc) · 44.8 KB

ds_amazon_aws_cloudtrail.md

File metadata and controls

24 lines (22 loc) · 44.8 KB
Raw

Vendor: Amazon

Product: AWS CloudTrail

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
496 140 136 76 76
Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access app-activity
amazon-awscloudtrail-cef-app-activity-awsapicall
amazon-awscloudtrail-cef-app-activity-assumedrole
amazon-awscloudtrail-json-app-activity-success-getrolecredentials
amazon-awscloudtrail-json-app-authentication-success-cognitoauth
amazon-awscloudtrail-json-app-authentication-success-oauth2auth
amazon-awscloudtrail-json-app-authentication-success-saml2response
amazon-awscloudtrail-json-app-authentication-success-userauth
amazon-awscloudtrail-json-app-authentication-success-newclientconn
amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail
amazon-awscloudtrail-json-app-success-activityauthentication
amazon-awscloudtrail-json-disk-create-success-snapcreated
amazon-awscloudtrail-json-secret-delete-success-secretvdelete
amazon-awscloudtrail-json-secret-delete-success-endsecretdelete
amazon-awscloudtrail-json-app-activity-fail-errorget
amazon-awscloudtrail-json-database-query-success-querydb
amazon-awscloudtrail-json-app-logout-success-logout
amazon-awscloudtrail-json-policy-apply-success-policyexecution
amazon-awscloudtrail-sk4-user-token-create-success-tokenpost

authentication-failed
amazon-awscloudtrail-json-app-success-activityauthentication
amazon-awscloudtrail-json-app-activity-success-userinfo
amazon-awscloudtrail-json-app-activity-success-cloudtraildigest
amazon-awscloudtrail-json-app-activity-success-getanalysis
amazon-awscloudtrail-sk4-app-activity-success-redshift
amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted
amazon-awscloudtrail-sk4-user-create-createmembers
 T1078 - Valid Accounts
T1133 - External Remote Services
  • 15 Rules
  • 4 Models
Account Manipulation app-activity
amazon-awscloudtrail-cef-app-activity-awsapicall
amazon-awscloudtrail-cef-app-activity-assumedrole
amazon-awscloudtrail-json-app-activity-success-getrolecredentials
amazon-awscloudtrail-json-app-authentication-success-cognitoauth
amazon-awscloudtrail-json-app-authentication-success-oauth2auth
amazon-awscloudtrail-json-app-authentication-success-saml2response
amazon-awscloudtrail-json-app-authentication-success-userauth
amazon-awscloudtrail-json-app-authentication-success-newclientconn
amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail
amazon-awscloudtrail-json-app-success-activityauthentication
amazon-awscloudtrail-json-disk-create-success-snapcreated
amazon-awscloudtrail-json-secret-delete-success-secretvdelete
amazon-awscloudtrail-json-secret-delete-success-endsecretdelete
amazon-awscloudtrail-json-app-activity-fail-errorget
amazon-awscloudtrail-json-database-query-success-querydb
amazon-awscloudtrail-json-app-logout-success-logout
amazon-awscloudtrail-json-policy-apply-success-policyexecution
amazon-awscloudtrail-sk4-user-token-create-success-tokenpost

process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 16 Rules
  • 7 Models
Audit Tampering process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
  • 4 Rules
Cryptomining aws-instance-create
amazon-awscloudtrail-json-endpoint-create-runinstances

process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1074 - Data Staged
T1496 - Resource Hijacking
  • 2 Rules
  • 1 Models
Data Exfiltration file-write
amazon-awscloudtrail-json-endpoint-notification-success-awscloudtrailinsight

process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 9 Rules
  • 1 Models
Evasion process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484.001 - T1484.001
T1542.003 - T1542.003
T1543.003 - Create or Modify System Process: Windows Service
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564.001 - T1564.001
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 44 Rules
  • 3 Models
Phishing process-created
amazon-awscloudtrail-json-app-notification-success-digests3object
 T1566.001 - T1566.001
  • 1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Valid Accounts: Cloud Accounts

Exploit Public Fasing Application

Phishing

 Windows Management Instrumentation

Command and Scripting Interperter

Scheduled Task/Job

Inter-Process Communication

System Services

Exploitation for Client Execution

User Execution

Scheduled Task/Job: Scheduled Task

Command and Scripting Interperter: PowerShell

Scheduled Task/Job: At (Windows)

 Pre-OS Boot

Boot or Logon Initialization Scripts

Create Account

Create or Modify System Process

External Remote Services

Valid Accounts

Hijack Execution Flow

Server Software Component: Web Shell

Account Manipulation

BITS Jobs

Create or Modify System Process: Windows Service

Scheduled Task/Job

Server Software Component

Event Triggered Execution

Boot or Logon Autostart Execution

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Access Token Manipulation: Token Impersonation/Theft

Boot or Logon Initialization Scripts

Create or Modify System Process

Valid Accounts

Access Token Manipulation

Exploitation for Privilege Escalation

Hijack Execution Flow

Group Policy Modification

Process Injection

Scheduled Task/Job

Abuse Elevation Control Mechanism

Event Triggered Execution

Boot or Logon Autostart Execution

Process Injection: Dynamic-link Library Injection

Abuse Elevation Control Mechanism: Bypass User Account Control

 Hide Artifacts

Indirect Command Execution

Impair Defenses

Indicator Removal on Host: Clear Windows Event Logs

Group Policy Modification

Trusted Developer Utilities Proxy Execution

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Obfuscated Files or Information: Compile After Delivery

Hijack Execution Flow: DLL Side-Loading

Masquerading

Valid Accounts

Modify Registry

BITS Jobs

Use Alternate Authentication Material

Hide Artifacts: NTFS File Attributes

Indicator Removal on Host

Use Alternate Authentication Material: Pass the Ticket

Pre-OS Boot

File and Directory Permissions Modification

Deobfuscate/Decode Files or Information

Abuse Elevation Control Mechanism

Impair Defenses: Disable or Modify System Firewall

Obfuscated Files or Information

Signed Binary Proxy Execution: Compiled HTML File

Access Token Manipulation

Hijack Execution Flow

Process Injection

Signed Binary Proxy Execution: Msiexec

Signed Binary Proxy Execution

Signed Binary Proxy Execution: Regsvcs/Regasm

Signed Binary Proxy Execution: CMSTP

Unused/Unsupported Cloud Regions

Signed Binary Proxy Execution: Control Panel

Signed Binary Proxy Execution: InstallUtil

Signed Binary Proxy Execution: Regsvr32

Trusted Developer Utilities Proxy Execution: MSBuild

Signed Binary Proxy Execution: Rundll32

 OS Credential Dumping

Unsecured Credentials

Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

Network Sniffing

 Account Discovery

Domain Trust Discovery

System Service Discovery

System Network Connections Discovery

Account Discovery: Local Account

Account Discovery: Domain Account

File and Directory Discovery

Network Sniffing

System Information Discovery

Network Share Discovery

Query Registry

Process Discovery

System Owner/User Discovery

Software Discovery

Remote System Discovery

System Network Configuration Discovery

 Exploitation of Remote Services

Remote Service Session Hijacking

Remote Services

Remote Services: SMB/Windows Admin Shares

Use Alternate Authentication Material

Remote Services: Remote Desktop Protocol

 Screen Capture

Email Collection

Audio Capture

Data from Cloud Storage Object

Archive Collected Data

Data Staged

Email Collection: Email Forwarding Rule

 Protocol Tunneling

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Web Protocols

Remote Access Software

Ingress Tool Transfer

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over C2 Channel

 Account Access Removal

Resource Hijacking

Data Encrypted for Impact

Inhibit System Recovery