Vendor: Amazon
Product: AWS CloudTrail

Coverage summary
  Rules: 496
  Models: 140
  MITRE ATT&CK® TTPs: 136
  Activity Types: 76
  Parsers: 76

Use-case coverage (columns: Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content)

Use-Case: Abnormal Authentication & Access
  Activity Types/Parsers:
    app-activity
      ↳amazon-awscloudtrail-cef-app-activity-awsapicall
      ↳amazon-awscloudtrail-cef-app-activity-assumedrole
      ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials
      ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth
      ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth
      ↳amazon-awscloudtrail-json-app-authentication-success-saml2response
      ↳amazon-awscloudtrail-json-app-authentication-success-userauth
      ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn
      ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail
      ↳amazon-awscloudtrail-json-app-success-activityauthentication
      ↳amazon-awscloudtrail-json-disk-create-success-snapcreated
      ↳amazon-awscloudtrail-json-secret-delete-success-secretvdelete
      ↳amazon-awscloudtrail-json-secret-delete-success-endsecretdelete
      ↳amazon-awscloudtrail-json-app-activity-fail-errorget
      ↳amazon-awscloudtrail-json-database-query-success-querydb
      ↳amazon-awscloudtrail-json-app-logout-success-logout
      ↳amazon-awscloudtrail-json-policy-apply-success-policyexecution
      ↳amazon-awscloudtrail-sk4-user-token-create-success-tokenpost
    authentication-failed
      ↳amazon-awscloudtrail-json-app-success-activityauthentication
      ↳amazon-awscloudtrail-json-app-activity-success-userinfo
      ↳amazon-awscloudtrail-json-app-activity-success-cloudtraildigest
      ↳amazon-awscloudtrail-json-app-activity-success-getanalysis
      ↳amazon-awscloudtrail-sk4-app-activity-success-redshift
      ↳amazon-awscloudtrail-sk4-app-activity-success-backupjobstarted
      ↳amazon-awscloudtrail-sk4-user-create-createmembers
  MITRE ATT&CK® TTP:
    T1078 - Valid Accounts
    T1133 - External Remote Services
  Content: 15 Rules, 4 Models

Use-Case: Account Manipulation
  Activity Types/Parsers:
    app-activity
      ↳amazon-awscloudtrail-cef-app-activity-awsapicall
      ↳amazon-awscloudtrail-cef-app-activity-assumedrole
      ↳amazon-awscloudtrail-json-app-activity-success-getrolecredentials
      ↳amazon-awscloudtrail-json-app-authentication-success-cognitoauth
      ↳amazon-awscloudtrail-json-app-authentication-success-oauth2auth
      ↳amazon-awscloudtrail-json-app-authentication-success-saml2response
      ↳amazon-awscloudtrail-json-app-authentication-success-userauth
      ↳amazon-awscloudtrail-json-app-authentication-success-newclientconn
      ↳amazon-awscloudtrail-sk4-app-authentication-success-cloudtrail
      ↳amazon-awscloudtrail-json-app-success-activityauthentication
      ↳amazon-awscloudtrail-json-disk-create-success-snapcreated
      ↳amazon-awscloudtrail-json-secret-delete-success-secretvdelete
      ↳amazon-awscloudtrail-json-secret-delete-success-endsecretdelete
      ↳amazon-awscloudtrail-json-app-activity-fail-errorget
      ↳amazon-awscloudtrail-json-database-query-success-querydb
      ↳amazon-awscloudtrail-json-app-logout-success-logout
      ↳amazon-awscloudtrail-json-policy-apply-success-policyexecution
      ↳amazon-awscloudtrail-sk4-user-token-create-success-tokenpost
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1003 - OS Credential Dumping
    T1003.003 - T1003.003
    T1021.003 - T1021.003
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059.003 - T1059.003
    T1078 - Valid Accounts
    T1098 - Account Manipulation
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
    T1136 - Create Account
    T1136.001 - Create Account: Local Account
    T1218.010 - Signed Binary Proxy Execution: Regsvr32
    T1531 - Account Access Removal
    T1559.002 - T1559.002
  Content: 16 Rules, 7 Models

Use-Case: Audit Tampering
  Activity Types/Parsers:
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1059 - Command and Scripting Interpreter
    T1070 - Indicator Removal on Host
    T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
    T1546.003 - T1546.003
    T1562 - Impair Defenses
    T1562.006 - T1562.006
  Content: 4 Rules

Use-Case: Cryptomining
  Activity Types/Parsers:
    aws-instance-create
      ↳amazon-awscloudtrail-json-endpoint-create-runinstances
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1074 - Data Staged
    T1496 - Resource Hijacking
  Content: 2 Rules, 1 Model

Use-Case: Data Exfiltration
  Activity Types/Parsers:
    file-write
      ↳amazon-awscloudtrail-json-endpoint-notification-success-awscloudtrailinsight
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1003 - OS Credential Dumping
    T1040 - Network Sniffing
    T1041 - Exfiltration Over C2 Channel
    T1048 - Exfiltration Over Alternative Protocol
    T1059 - Command and Scripting Interpreter
    T1071.001 - Application Layer Protocol: Web Protocols
    T1071.002 - Application Layer Protocol: File Transfer Protocols
    T1071.004 - Application Layer Protocol: DNS
    T1552.001 - T1552.001
    T1560 - Archive Collected Data
    T1572 - Protocol Tunneling
    TA0002 - TA0002
  Content: 9 Rules, 1 Model

Use-Case: Evasion
  Activity Types/Parsers:
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1027 - Obfuscated Files or Information
    T1027.004 - Obfuscated Files or Information: Compile After Delivery
    T1036 - Masquerading
    T1036.003 - Masquerading: Rename System Utilities
    T1036.005 - Masquerading: Match Legitimate Name or Location
    T1059 - Command and Scripting Interpreter
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1059.005 - T1059.005
    T1070 - Indicator Removal on Host
    T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
    T1105 - Ingress Tool Transfer
    T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
    T1140 - Deobfuscate/Decode Files or Information
    T1197 - BITS Jobs
    T1202 - Indirect Command Execution
    T1203 - Exploitation for Client Execution
    T1218 - Signed Binary Proxy Execution
    T1218.002 - Signed Binary Proxy Execution: Control Panel
    T1218.004 - Signed Binary Proxy Execution: InstallUtil
    T1218.008 - T1218.008
    T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
    T1218.010 - Signed Binary Proxy Execution: Regsvr32
    T1218.011 - Signed Binary Proxy Execution: Rundll32
    T1484.001 - T1484.001
    T1542.003 - T1542.003
    T1543.003 - Create or Modify System Process: Windows Service
    T1552.006 - T1552.006
    T1562 - Impair Defenses
    T1562.001 - T1562.001
    T1562.004 - Impair Defenses: Disable or Modify System Firewall
    T1562.006 - T1562.006
    T1564.001 - T1564.001
    T1564.004 - Hide Artifacts: NTFS File Attributes
    T1574 - Hijack Execution Flow
  Content: 44 Rules, 3 Models

Use-Case: Phishing
  Activity Types/Parsers:
    process-created
      ↳amazon-awscloudtrail-json-app-notification-success-digests3object
  MITRE ATT&CK® TTP:
    T1566.001 - T1566.001
  Content: 1 Rule

MITRE ATT&CK® Framework for Enterprise (techniques covered, grouped by tactic)

Initial Access
  External Remote Services
  Valid Accounts
  Valid Accounts: Cloud Accounts
  Exploit Public Facing Application
  Phishing

Execution
  Windows Management Instrumentation
  Command and Scripting Interpreter
  Scheduled Task/Job
  Inter-Process Communication
  System Services
  Exploitation for Client Execution
  User Execution
  Scheduled Task/Job: Scheduled Task
  Command and Scripting Interpreter: PowerShell
  Scheduled Task/Job: At (Windows)

Persistence
  Pre-OS Boot
  Boot or Logon Initialization Scripts
  Create Account
  Create or Modify System Process
  External Remote Services
  Valid Accounts
  Hijack Execution Flow
  Server Software Component: Web Shell
  Account Manipulation
  BITS Jobs
  Create or Modify System Process: Windows Service
  Scheduled Task/Job
  Server Software Component
  Event Triggered Execution
  Boot or Logon Autostart Execution
  Create Account: Local Account
  Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  Access Token Manipulation: Token Impersonation/Theft
  Boot or Logon Initialization Scripts
  Create or Modify System Process
  Valid Accounts
  Access Token Manipulation
  Exploitation for Privilege Escalation
  Hijack Execution Flow
  Group Policy Modification
  Process Injection
  Scheduled Task/Job
  Abuse Elevation Control Mechanism
  Event Triggered Execution
  Boot or Logon Autostart Execution
  Process Injection: Dynamic-link Library Injection
  Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion
  Hide Artifacts
  Indirect Command Execution
  Impair Defenses
  Indicator Removal on Host: Clear Windows Event Logs
  Group Policy Modification
  Trusted Developer Utilities Proxy Execution
  Masquerading: Match Legitimate Name or Location
  Masquerading: Rename System Utilities
  File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  Obfuscated Files or Information: Compile After Delivery
  Hijack Execution Flow: DLL Side-Loading
  Masquerading
  Valid Accounts
  Modify Registry
  BITS Jobs
  Use Alternate Authentication Material
  Hide Artifacts: NTFS File Attributes
  Indicator Removal on Host
  Use Alternate Authentication Material: Pass the Ticket
  Pre-OS Boot
  File and Directory Permissions Modification
  Deobfuscate/Decode Files or Information
  Abuse Elevation Control Mechanism
  Impair Defenses: Disable or Modify System Firewall
  Obfuscated Files or Information
  Signed Binary Proxy Execution: Compiled HTML File
  Access Token Manipulation
  Hijack Execution Flow
  Process Injection
  Signed Binary Proxy Execution: Msiexec
  Signed Binary Proxy Execution
  Signed Binary Proxy Execution: Regsvcs/Regasm
  Signed Binary Proxy Execution: CMSTP
  Unused/Unsupported Cloud Regions
  Signed Binary Proxy Execution: Control Panel
  Signed Binary Proxy Execution: InstallUtil
  Signed Binary Proxy Execution: Regsvr32
  Trusted Developer Utilities Proxy Execution: MSBuild
  Signed Binary Proxy Execution: Rundll32

Credential Access
  OS Credential Dumping
  Unsecured Credentials
  Steal or Forge Kerberos Tickets
  Credentials from Password Stores
  Steal or Forge Kerberos Tickets: Kerberoasting
  Network Sniffing

Discovery
  Account Discovery
  Domain Trust Discovery
  System Service Discovery
  System Network Connections Discovery
  Account Discovery: Local Account
  Account Discovery: Domain Account
  File and Directory Discovery
  Network Sniffing
  System Information Discovery
  Network Share Discovery
  Query Registry
  Process Discovery
  System Owner/User Discovery
  Software Discovery
  Remote System Discovery
  System Network Configuration Discovery

Lateral Movement
  Exploitation of Remote Services
  Remote Service Session Hijacking
  Remote Services
  Remote Services: SMB/Windows Admin Shares
  Use Alternate Authentication Material
  Remote Services: Remote Desktop Protocol

Collection
  Screen Capture
  Email Collection
  Audio Capture
  Data from Cloud Storage Object
  Archive Collected Data
  Data Staged
  Email Collection: Email Forwarding Rule

Command and Control
  Protocol Tunneling
  Application Layer Protocol: DNS
  Application Layer Protocol: File Transfer Protocols
  Application Layer Protocol: Web Protocols
  Remote Access Software
  Ingress Tool Transfer
  Proxy: Multi-hop Proxy
  Application Layer Protocol
  Proxy

Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over C2 Channel

Impact
  Account Access Removal
  Resource Hijacking
  Data Encrypted for Impact
  Inhibit System Recovery