Threat Technique Catalog Matrix - Threat Technique Catalog for AWS (TTC)

Threat Technique Catalog for AWS

MITRE Techniques	AWS Techniques
Appended or updated MITRE techniques with information on common event names that are logged in Cloudtrail event history as a result of the technique being used; and in most cases, add more detail around methods for detection and options for mitigation.	New techniques or sub-techniques to allow us to capture data on the different methods that threat actors are utilizing as part of their unauthorized actions. The catalog will be a continual work-in-progress as techniques and sub-techniques are observed by the AWS CIRT during security events.

Resource Development		Initial Access		Execution		Persistence		Privilege Escalation		Defense Evasion		Credential Access		Discovery		Lateral Movement		Collection		Impact
Acquire Infrastructure		Application API Abuse		Cloud Administration Command		Account Manipulation		Account Manipulation		Domain or Tenant Policy Modification		Unsecured Credentials		Account Discovery		Domain or Tenant Policy Modification		Data from Cloud Storage		Account Access Removal
↳	Domains	↳	API Gateway	Command and Scripting Interpreter		↳	AWS Support Case Closure	↳	AWS Support Case Closure	↳	Trust Modification	↳	Cloud Instance Metadata API	↳	Cloud Account	↳	Trust Modification	↳	S3 Object Collection	Data Destruction
		Cloud Service Dashboard		↳	Cloud API	↳	Additional Cloud Credentials	↳	Additional Cloud Credentials	Impair Defenses		↳	Credentials In Files	Cloud Database Discovery		Trusted Relationship		Data from Information Repositories		↳	Lifecycle-Triggered Deletion
		Exploit Public-Facing Application		Serverless Execution		↳	Additional Cloud Roles	↳	Additional Cloud Roles	↳	Disable Cloud Logs			↳	Query RDS	↳	Role Assumption and Federated Access	↳	RDS Instance Manipulation	↳	RDS Instances and Backups
		↳	EC2 Hosted Application Compromise	↳	Invoking Lambda Function	Application API Abuse		Domain or Tenant Policy Modification		↳	Disable or Modify Cloud Firewall			Cloud Service Dashboard						↳	S3 Object and Bucket Deletion
		↳	Overly Permissive VPC Security Groups	↳	Malicious code from Compromised Third Party Packages	↳	API Gateway	↳	Trust Modification	↳	Disable or Modify GuardDuty			Cloud Storage Discovery						Data Encrypted for Impact
		Trusted Relationship				Cloud Service Dashboard		Valid Accounts		Indicator Removal				↳	S3 Object and Bucket Enumeration					↳	EC2/EBS Data Encryption
		↳	Role Assumption and Federated Access			Create Account		↳	Account Root User	↳	Delete IAM Entities									↳	RDS Data Encryption
		Valid Accounts				↳	Create Cloud Account	↳	IAM Users	Modify Cloud Compute Infrastructure										↳	S3 Encryption - SSE-C Key Encryption
		↳	Account Root User			Serverless Execution				↳	Create Cloud Instance									Defacement
		↳	IAM Users			↳	Invoking Lambda Function			↳	Create Snapshot									↳	Subdomain Takeover
						↳	Malicious code from Compromised Third Party Packages			↳	Delete Cloud Instance									Modify Cloud Compute Infrastructure
						Trusted Relationship				↳	Modify Cloud Compute Configurations									↳	Create Cloud Instance
						↳	Role Assumption and Federated Access			Modify Cloud Resource Hierarchy										↳	Create Snapshot
						Valid Accounts				↳	Create or Invite AWS Account									↳	Delete Cloud Instance
						↳	Account Root User			↳	Leave AWS Organization									↳	Modify Cloud Compute Configurations
						↳	IAM Users			Unused/Unsupported Cloud Regions										Resource Hijacking
										Valid Accounts										↳	Cloud Service Hijacking
										↳	Account Root User									↳	Cloud Service Hijacking - Bedrock LLM Abuse
										↳	IAM Users									↳	Cloud Service Hijacking - SES Messaging
																				↳	Compute Hijacking
																				↳	Compute Hijacking - EC2 Use
																				↳	Compute Hijacking - ECS
																				↳	Compute Hijacking - WorkSpaces
																				↳	SMS Pumping