Threat Technique Catalog Matrix - Threat Technique Catalog for AWS (TTC)

Threat Technique Catalog for AWS

MITRE Techniques	AWS Techniques
Appended or updated MITRE techniques with information on common event names that are logged in Cloudtrail event history as a result of the technique being used; and in most cases, add more detail around methods for detection and options for mitigation.	New techniques or sub-techniques to allow us to capture data on the different methods that threat actors are utilizing as part of their unauthorized actions. The catalog will be a continual work-in-progress as techniques and sub-techniques are observed by the AWS CIRT during security events.

Resource Development		Initial Access		Execution		Persistence		Privilege Escalation		Defense Evasion		Credential Access		Discovery		Lateral Movement		Collection		Impact
Acquire Infrastructure		Application API Abuse		Cloud Administration Command		Account Manipulation		Account Manipulation		Domain or Tenant Policy Modification		Unsecured Credentials		Account Discovery		Domain or Tenant Policy Modification		Data from Cloud Storage		Account Access Removal
↳	Domains	↳	API Gateway	Command and Scripting Interpreter		↳	AWS Support Case Closure	↳	AWS Support Case Closure	↳	Trust Modification	↳	Cloud Instance Metadata API	↳	Cloud Account	↳	Trust Modification	↳	S3 Object Collection	Data Destruction
		Cloud Service Dashboard		↳	Cloud API	↳	Additional Cloud Credentials	↳	Additional Cloud Credentials	Impair Defenses		↳	Credentials In Files	Cloud Database Discovery		Trusted Relationship		Data from Information Repositories		↳	AMI Image Deletion
		Exploit Public-Facing Application		Serverless Execution		↳	Additional Cloud Roles	↳	Additional Cloud Roles	↳	Disable Cloud Logs			↳	Query RDS	↳	Role Assumption and Federated Access	↳	RDS Instance Manipulation	↳	Lifecycle-Triggered Deletion
		↳	EC2 Hosted Application Compromise	↳	Invoking Lambda Function	↳	Cognito Refresh Token Abuse	↳	Cognito Refresh Token Abuse	↳	Disable or Modify Cloud Firewall			Cloud Service Dashboard						↳	RDS Instances and Backups
		↳	Overly Permissive VPC Security Groups	↳	Malicious code from Compromised Third Party Packages	Application API Abuse		Domain or Tenant Policy Modification		↳	Disable or Modify GuardDuty			Cloud Storage Discovery						↳	S3 Object and Bucket Deletion
		Trusted Relationship				↳	API Gateway	↳	Trust Modification	Indicator Removal				↳	S3 Object and Bucket Enumeration					Data Encrypted for Impact
		↳	Role Assumption and Federated Access			Cloud Service Dashboard		Valid Accounts		↳	Delete IAM Entities									↳	EC2/EBS Data Encryption
		Valid Accounts				Create Account		↳	Account Root User	Modify Cloud Compute Infrastructure										↳	RDS Data Encryption
		↳	Account Root User			↳	Create Cloud Account	↳	IAM Users	↳	Create Cloud Instance									↳	S3 Encryption - SSE-C Key Encryption
		↳	IAM Users			Serverless Execution				↳	Create Snapshot									Defacement
						↳	Invoking Lambda Function			↳	Delete Cloud Instance									↳	Subdomain Takeover
						↳	Malicious code from Compromised Third Party Packages			↳	Modify Cloud Compute Configurations									Modify Cloud Compute Infrastructure
						Trusted Relationship				Modify Cloud Resource Hierarchy										↳	Create Cloud Instance
						↳	Role Assumption and Federated Access			↳	Create or Invite AWS Account									↳	Create Snapshot
						Valid Accounts				↳	Leave AWS Organization									↳	Delete Cloud Instance
						↳	Account Root User			Unused/Unsupported Cloud Regions										↳	Modify Cloud Compute Configurations
						↳	IAM Users			Valid Accounts										Resource Hijacking
										↳	Account Root User									↳	Cloud Service Hijacking
										↳	IAM Users									↳	Cloud Service Hijacking - Bedrock LLM Abuse
																				↳	Cloud Service Hijacking - SES Messaging
																				↳	Compute Hijacking
																				↳	Compute Hijacking - EC2 Use
																				↳	Compute Hijacking - ECS
																				↳	Compute Hijacking - WorkSpaces
																				↳	SMS Pumping