Threat Technique Catalog Matrix - Threat Technique Catalog for AWS (TTC)

Threat Technique Catalog for AWS

MITRE Techniques	AWS Techniques
Appended or updated MITRE techniques with information on common event names that are logged in Cloudtrail event history as a result of the technique being used; and in most cases, add more detail around methods for detectino and options for mitigation.	New techniques or sub-techniques to allow us to capture data on the different methods that threat actors are utilizing as part of their unauthorized actions. The catalog will be a continual work-in-progress as techniques and sub-techniques are observed by the AWS CIRT during security events.

Resource Development		Initial Access		Execution		Persistence		Privilege Escalation		Defense Evasion		Credential Access		Discovery		Lateral Movement		Collection		Impact
Acquire Infrastructure		Cloud Service Dashboard		Cloud Administration Command		Account Manipulation		Account Manipulation		Domain or Tenant Policy Modification		Unsecured Credentials		Account Discovery		Domain or Tenant Policy Modification		Data from Cloud Storage		Account Access Removal
↳	Domains	Exploit Public-Facing Application		Command and Scripting Interpreter		↳	Additional Cloud Credentials	↳	Additional Cloud Credentials	↳	Trust Modification	↳	Cloud Instance Metadata API	↳	Cloud Account	↳	Trust Modification	↳	S3 Object Collection	Data Destruction
		↳	EC2 Hosted Application Compromise	↳	Cloud API	↳	Additional Cloud Roles	↳	Additional Cloud Roles	Impair Defenses		↳	Credentials In Files	Cloud Database Discovery		Trusted Relationship		Data from Information Repositories		↳	Lifecycle-Triggered Deletion
		↳	Overly Permissive VPC Security Groups	Serverless Execution		Application API Abuse		Domain or Tenant Policy Modification		↳	Disable Cloud Logs			↳	Query RDS	↳	Role Assumption and Federated Access	↳	RDS Instance Manipulation	↳	RDS Instances and Backups
		Trusted Relationship		↳	Invoking Lambda Function	↳	API Gateway	↳	Trust Modification	↳	Disable or Modify Cloud Firewall			Cloud Service Dashboard						↳	S3 Object and Bucket Deletion
		↳	Role Assumption and Federated Access			Cloud Service Dashboard		Valid Accounts		↳	Disable or Modify GuardDuty			Cloud Storage Discovery						Data Encrypted for Impact
		Valid Accounts				Create Account		↳	Account Root User	Indicator Removal				↳	S3 Object and Bucket Enumeration					↳	S3 Encryption - SSE-C Key Encryption
		↳	Account Root User			↳	Create Cloud Account	↳	IAM Users	↳	Delete IAM Entities									Defacement
		↳	IAM Users			Serverless Execution				Modify Cloud Compute Infrastructure										↳	Subdomain Takeover
						↳	Invoking Lambda Function			↳	Create Cloud Instance									Modify Cloud Compute Infrastructure
						Trusted Relationship				↳	Create Snapshot									↳	Create Cloud Instance
						↳	Role Assumption and Federated Access			↳	Delete Cloud Instance									↳	Create Snapshot
						Valid Accounts				↳	Modify Cloud Compute Configurations									↳	Delete Cloud Instance
						↳	Account Root User			Modify Cloud Resource Hierarchy										↳	Modify Cloud Compute Configurations
						↳	IAM Users			↳	Create or Invite AWS Account									Resource Hijacking
										↳	Leave AWS Organization									↳	Cloud Service Hijacking
										Unused/Unsupported Cloud Regions										↳	Cloud Service Hijacking - Bedrock LLM Abuse
										Valid Accounts										↳	Cloud Service Hijacking - SES Messaging
										↳	Account Root User									↳	Compute Hijacking
										↳	IAM Users									↳	Compute Hijacking - EC2 Use
																				↳	Compute Hijacking - ECS
																				↳	SMS Pumping