| Cloud Data Protection | aws-bucket-create
↳aws-createbucket-json
aws-bucket-policy
↳aws-putbucketpolicy-json
aws-bucket-policy-failed
↳aws-putbucketpolicy-json
aws-bucket-putaccessblock
↳aws-putbucketpublicaccessblock-json
aws-general-activity
↳aws-general-activity
aws-image-modify
↳aws-modifyimageattribute-json
aws-instance-creds-write
↳aws-createkeypair-json
aws-instance-login
↳aws-sendsshpublickey-json
aws-instance-screenshot
↳aws-getconsolescreenshot-json
aws-policy-attach
↳aws-attachgrouppolicy-json
↳aws-attachrolepolicy-json
↳aws-attachuserpolicy-json
aws-policy-list
↳aws-listattachedrolepolicies-json
↳aws-listgrouppolicies-json
↳aws-listrolepolicies-json
↳aws-listattacheduserpolicies-json
↳aws-listattachedgrouppolicies-json
↳aws-listuserpolicies-json
↳aws-general-activity
aws-policy-setversion
↳aws-setpolicyversion-json
aws-policy-write
↳aws-createpolicyversion-json
↳aws-createpolicy-json
↳aws-putgrouppolicy-json
↳aws-putrolepolicy-json
↳aws-putuserpolicy-json
aws-role-assume
↳aws-assumerole-json
aws-role-assumepolicy
↳aws-updateassumerolepolicy-json
aws-role-switch
↳aws-switchrole-json
aws-role-write
↳aws-createrole-json
aws-snapshot-create
↳aws-createsnapshot-json
aws-snapshot-modify
↳aws-modifysnapshotattribute-json
aws-storage-acl
↳aws-putbucketacl-json
↳aws-putobjectacl-json
aws-storage-acl-failed
↳aws-putbucketacl-json
↳aws-putobjectacl-json
aws-storage-list
↳aws-general-activity
aws-volume-attach
↳aws-attachvolume-json
aws-volume-create
↳aws-createvolume-json
| T1074 - Data Staged
T1113 - Screen Capture
T1530 - Data from Cloud Storage Object
T1580 - T1580
TA0001 - TA0001
TA0004 - TA0004
TA0007 - TA0007
TA0009 - TA0009
| |
| Compromised Credentials | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-login
↳s-aws-cloudtrail-login-json
aws-bucket-cors
↳aws-putbucketcors-json
aws-bucket-cors-failed
↳aws-putbucketcors-json
aws-bucket-create
↳aws-createbucket-json
aws-bucket-create-failed
↳aws-createbucket-json
aws-bucket-policy
↳aws-putbucketpolicy-json
aws-bucket-policy-failed
↳aws-putbucketpolicy-json
aws-bucket-putaccessblock
↳aws-putbucketpublicaccessblock-json
aws-bucket-putaccessblock-failed
↳aws-putbucketpublicaccessblock-json
aws-compute-list
↳aws-general-activity
aws-compute-list-failed
↳aws-general-activity
aws-function-write
↳aws-createfunction-json
↳aws-updatefunctioncode-json
↳aws-updatefunctionconfiguration-json
aws-function-write-failed
↳aws-createfunction-json
↳aws-updatefunctioncode-json
↳aws-updatefunctionconfiguration-json
aws-general-activity
↳aws-general-activity
aws-general-activity-failed
↳aws-general-activity
aws-identity-addtogroup
↳aws-addusertogroup-json
aws-identity-addtogroup-failed
↳aws-addusertogroup-json
aws-identity-creds-write
↳aws-createaccesskey-json
aws-identity-creds-write-failed
↳aws-createaccesskey-json
aws-identity-list
↳aws-general-activity
aws-identity-list-failed
↳aws-general-activity
aws-identity-loginprofile
↳aws-updateloginprofile-json
↳aws-createloginprofile-json
aws-identity-loginprofile-failed
↳aws-updateloginprofile-json
↳aws-createloginprofile-json
aws-identity-write
↳aws-creategroup-json
↳aws-createuser-json
aws-identity-write-failed
↳aws-creategroup-json
↳aws-createuser-json
aws-image-create
↳aws-createimage-json
aws-image-create-failed
↳aws-createimage-json
aws-image-modify
↳aws-modifyimageattribute-json
aws-image-modify-failed
↳aws-modifyimageattribute-json
aws-instance-command
↳aws-sendcommand-json
aws-instance-command-failed
↳aws-sendcommand-json
aws-instance-create
↳aws-runinstances-json
aws-instance-create-failed
↳aws-runinstances-json
aws-instance-creds-read
↳aws-getpassworddata-json
aws-instance-creds-read-failed
↳aws-getpassworddata-json
aws-instance-creds-write
↳aws-createkeypair-json
aws-instance-creds-write-failed
↳aws-createkeypair-json
aws-instance-login
↳aws-sendsshpublickey-json
aws-instance-login-failed
↳aws-sendsshpublickey-json
aws-instance-modify
↳aws-modifyinstanceattribute-json
aws-instance-screenshot
↳aws-getconsolescreenshot-json
aws-instance-screenshot-failed
↳aws-getconsolescreenshot-json
aws-key-policy
↳aws-putkeypolicy-json
aws-key-policy-failed
↳aws-putkeypolicy-json
aws-login
↳aws-consolelogin-json
aws-policy-attach
↳aws-attachgrouppolicy-json
↳aws-attachrolepolicy-json
↳aws-attachuserpolicy-json
aws-policy-attach-failed
↳aws-attachgrouppolicy-json
↳aws-attachrolepolicy-json
↳aws-attachuserpolicy-json
aws-policy-list
↳aws-listattachedrolepolicies-json
↳aws-listgrouppolicies-json
↳aws-listrolepolicies-json
↳aws-listattacheduserpolicies-json
↳aws-listattachedgrouppolicies-json
↳aws-listuserpolicies-json
↳aws-general-activity
aws-policy-list-failed
↳aws-listattachedrolepolicies-json
↳aws-listgrouppolicies-json
↳aws-listrolepolicies-json
↳aws-listattacheduserpolicies-json
↳aws-listattachedgrouppolicies-json
↳aws-listuserpolicies-json
↳aws-general-activity
aws-policy-setversion
↳aws-setpolicyversion-json
aws-policy-setversion-failed
↳aws-general-activity
aws-policy-write
↳aws-createpolicyversion-json
↳aws-createpolicy-json
↳aws-putgrouppolicy-json
↳aws-putrolepolicy-json
↳aws-putuserpolicy-json
aws-policy-write-failed
↳aws-createpolicyversion-json
↳aws-createpolicy-json
↳aws-putgrouppolicy-json
↳aws-putrolepolicy-json
↳aws-putuserpolicy-json
aws-role-assume
↳aws-assumerole-json
aws-role-assume-failed
↳aws-renewrole-json
↳aws-assumerole-json
aws-role-assumepolicy
↳aws-updateassumerolepolicy-json
aws-role-assumepolicy-failed
↳aws-updateassumerolepolicy-json
aws-role-switch
↳aws-switchrole-json
aws-role-switch-failed
↳aws-switchrole-json
aws-role-write
↳aws-createrole-json
aws-role-write-failed
↳aws-createrole-json
aws-snapshot-create
↳aws-createsnapshot-json
aws-snapshot-create-failed
↳aws-createsnapshot-json
aws-snapshot-modify
↳aws-modifysnapshotattribute-json
aws-snapshot-modify-failed
↳aws-modifysnapshotattribute-json
aws-storage-acl
↳aws-putbucketacl-json
↳aws-putobjectacl-json
aws-storage-acl-failed
↳aws-putbucketacl-json
↳aws-putobjectacl-json
aws-storage-list
↳aws-general-activity
aws-storage-list-failed
↳aws-general-activity
aws-storageobject-copy
↳aws-copyobject-json
aws-storageobject-copy-failed
↳aws-copyobject-json
aws-storageobject-read
↳aws-getobject-json
aws-storageobject-write
↳aws-putobject-json
aws-storageobject-write-failed
↳aws-putobject-json
aws-volume-attach
↳aws-attachvolume-json
aws-volume-attach-failed
↳aws-attachvolume-json
aws-volume-create
↳aws-createvolume-json
aws-volume-create-failed
↳aws-createvolume-json
aws-volume-modify
↳aws-modifyvolume-json
aws-volume-modify-failed
↳aws-modifyvolume-json
failed-app-login
↳s-aws-cloudtrail-login-json
| T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1190 - Exploit Public Fasing Application
T1535 - Unused/Unsupported Cloud Regions
TA0001 - TA0001
| |
| Lateral Movement | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-activity-failed
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
app-login
↳s-aws-cloudtrail-login-json
failed-app-login
↳s-aws-cloudtrail-login-json
| T1078 - Valid Accounts
T1090.003 - Proxy: Multi-hop Proxy
| |
| Malware | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-login
↳s-aws-cloudtrail-login-json
aws-general-activity
↳aws-general-activity
aws-image-create
↳aws-createimage-json
aws-instance-command
↳aws-sendcommand-json
aws-instance-modify
↳aws-modifyinstanceattribute-json
aws-storageobject-write
↳aws-putobject-json
| T1037 - Boot or Logon Initialization Scripts
T1078 - Valid Accounts
T1204.002 - T1204.002
T1204.003 - T1204.003
TA0002 - TA0002
| |
| Privilege Abuse | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-activity-failed
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
app-login
↳s-aws-cloudtrail-login-json
aws-identity-addtogroup
↳aws-addusertogroup-json
aws-identity-creds-write
↳aws-createaccesskey-json
aws-identity-list
↳aws-general-activity
aws-identity-loginprofile
↳aws-updateloginprofile-json
↳aws-createloginprofile-json
aws-identity-write
↳aws-creategroup-json
↳aws-createuser-json
aws-identity-write-failed
↳aws-creategroup-json
↳aws-createuser-json
cloud-admin-activity
↳s-aws-cloudtrail-iam
cloud-admin-activity-failed
↳s-aws-cloudtrail-iam
failed-app-login
↳s-aws-cloudtrail-login-json
| T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1087.004 - T1087.004
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
TA0003 - TA0003
TA0004 - TA0004
| |
| Privilege Escalation | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
aws-instance-creds-read
↳aws-getpassworddata-json
aws-policy-attach
↳aws-attachgrouppolicy-json
↳aws-attachrolepolicy-json
↳aws-attachuserpolicy-json
aws-policy-write
↳aws-createpolicyversion-json
↳aws-createpolicy-json
↳aws-putgrouppolicy-json
↳aws-putrolepolicy-json
↳aws-putuserpolicy-json
aws-role-assume
↳aws-assumerole-json
aws-role-assumepolicy
↳aws-updateassumerolepolicy-json
aws-role-switch
↳aws-switchrole-json
| T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
TA0004 - TA0004
| |
| Privileged Activity | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-activity-failed
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
app-login
↳s-aws-cloudtrail-login-json
failed-app-login
↳s-aws-cloudtrail-login-json
| T1078 - Valid Accounts
| |
| Ransomware | app-activity
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
↳aws-cloudtrail-app-activity
app-activity-failed
↳s-aws-cloudtrail-assumedrole-json
↳s-aws-cloudtrail-activity-json
app-login
↳s-aws-cloudtrail-login-json
failed-app-login
↳s-aws-cloudtrail-login-json
| T1078 - Valid Accounts
| |