Tactics

This page lists all tactics.

ID      Name                  Description

TA0042  Resource Development
        The adversary is trying to establish resources they can use to support operations. Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

TA0001  Initial Access
        The adversary is trying to get into your AWS environment. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within an AWS environment. Techniques used to gain a foothold include exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

TA0002  Execution
        The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on an AWS account/service. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring an AWS environment or stealing data. For example, an adversary might invoke a Lambda function to run a Python script that does IAM Discovery.

TA0003  Persistence
        The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to AWS services across restarts/updates, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on the AWS environment, such as creating a new IAM user with programmatic access.

TA0004  Privilege Escalation
        The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on an AWS service or within an AWS environment. Common approaches are to take advantage of IAM permission misconfigurations, service misconfigurations, and vulnerabilities.

TA0005  Defense Evasion
        The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactic techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

TA0006  Credential Access
        The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like IAM access and secret keys. Techniques used to get credentials include using the Cloud Instance Metadata API and finding Credentials in Files. Using legitimate credentials can give adversaries persistent access to AWS services and make them harder to detect, ultimately helping the adversary achieve their goals.

TA0007  Discovery
        The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the AWS environment. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what is around their entry point in order to discover how it could benefit their current objective.

TA0008  Lateral Movement
        The adversary is trying to move through your AWS organization. Lateral Movement consists of techniques that adversaries use to enter and control remote AWS accounts and/or AWS services. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple services and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials in conjunction with native services, which may be stealthier.

TA0009  Collection
        The adversary is trying to gather data of interest for their goal. Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources within AWS include S3, DynamoDB, RDS, and Redshift.

TA0040  Impact
        The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversary's goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.