Threat Technique Catalog Matrix - Threat Technique Catalog for AWS (TTC)

Threat Technique Catalog for AWS

MITRE Techniques	AWS Techniques
Appended or updated MITRE techniques with information on common event names that are logged in Cloudtrail event history as a result of the technique being used; and in most cases, add more detail around methods for detection and options for mitigation.	New techniques or sub-techniques to allow us to capture data on the different methods that threat actors are utilizing as part of their unauthorized actions. The catalog will be a continual work-in-progress as techniques and sub-techniques are observed by the AWS CIRT during security events.

Resource Development		Initial Access		Execution		Persistence		Privilege Escalation		Defense Evasion		Credential Access		Discovery		Lateral Movement		Collection		Impact
Acquire Infrastructure		Application API Abuse		Cloud Administration Command		Account Manipulation		Account Manipulation		Domain or Tenant Policy Modification		Unsecured Credentials		Account Discovery		Assume Root into Organization Member Account		Data from Cloud Storage		Account Access Removal
↳	Domains	↳	API Gateway	Command and Scripting Interpreter		↳	AWS Support Case Closure	↳	AWS Support Case Closure	↳	Trust Modification	↳	Cloud Instance Metadata API	↳	Cloud Account	Domain or Tenant Policy Modification		↳	S3 Object Collection	Data Destruction
		Cloud Service Dashboard		↳	Cloud API	↳	Additional Cloud Credentials	↳	Additional Cloud Credentials	Impair Defenses		↳	Credentials In Files	Cloud Database Discovery		↳	Trust Modification	Data from Information Repositories		↳	AMI Image Deletion
		Exploit Public-Facing Application		Serverless Execution		↳	Additional Cloud Roles	↳	Additional Cloud Roles	↳	Disable Cloud Logs			↳	Query RDS	EKS Modification - Workload Integrity Degradation		↳	RDS Instance Manipulation	↳	Lifecycle-Triggered Deletion
		↳	EC2 Hosted Application Compromise	↳	Invoking Lambda Function	↳	Cognito Refresh Token Abuse	↳	Cognito Refresh Token Abuse	↳	Disable or Modify Cloud Firewall			Cloud Service Dashboard		Trusted Relationship				↳	RDS Instances and Backups
		↳	EKS	↳	Malicious code from Compromised Third Party Packages	Application API Abuse		Domain or Tenant Policy Modification		↳	Disable or Modify GuardDuty			Cloud Storage Discovery		↳	Role Assumption and Federated Access			↳	S3 Object and Bucket Deletion
		↳	Overly Permissive VPC Security Groups			↳	API Gateway	↳	Trust Modification	Indicator Removal				↳	S3 Object and Bucket Enumeration					Data Encrypted for Impact
		Trusted Relationship				Cloud Service Dashboard		Valid Accounts		↳	Delete IAM Entities									↳	EC2/EBS Data Encryption
		↳	Role Assumption and Federated Access			Create Account		↳	Account Root User	Modify Cloud Compute Infrastructure										↳	RDS Data Encryption
		Valid Accounts				↳	Create Cloud Account	↳	IAM Users	↳	Create Cloud Instance									↳	S3 Encryption - SSE-C Key Encryption
		↳	Account Root User			EKS Modification - Workload Integrity Degradation				↳	Create Snapshot									Defacement
		↳	IAM Users			Serverless Execution				↳	Delete Cloud Instance									↳	Subdomain Takeover
						↳	Invoking Lambda Function			↳	Modify Cloud Compute Configurations									Modify Cloud Compute Infrastructure
						↳	Malicious code from Compromised Third Party Packages			Modify Cloud Resource Hierarchy										↳	Create Cloud Instance
						Trusted Relationship				↳	Create or Invite AWS Account									↳	Create Snapshot
						↳	Role Assumption and Federated Access			↳	Invite Accounts to Unknown Organization									↳	Delete Cloud Instance
						Valid Accounts				↳	Leave AWS Organization									↳	Modify Cloud Compute Configurations
						↳	Account Root User			Unused/Unsupported Cloud Regions										Resource Hijacking
						↳	IAM Users			Valid Accounts										↳	Cloud Service Hijacking
										↳	Account Root User									↳	Cloud Service Hijacking - Bedrock LLM Abuse
										↳	IAM Users									↳	Cloud Service Hijacking - SES Messaging
																				↳	Compute Hijacking
																				↳	Compute Hijacking - EC2 Use
																				↳	Compute Hijacking - ECS
																				↳	Compute Hijacking - EKS
																				↳	Compute Hijacking - WorkSpaces
																				↳	SMS Pumping