Vendor: Amazon

June 14, 2023 · View on GitHub

Product: AWS CloudTrail

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
155	85	24	88	88

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	app-activity ↳s-aws-cloudtrail-assumedrole-json ↳s-aws-cloudtrail-activity-json ↳aws-cloudtrail-app-activity app-login ↳s-aws-cloudtrail-login-json cloud-admin-activity ↳s-aws-cloudtrail-iam cloud-admin-activity-failed ↳s-aws-cloudtrail-iam failed-app-login ↳s-aws-cloudtrail-login-json storage-access ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access storage-activity ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access storage-activity-failed ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access	T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services T1136.003 - Create Account: Create: Cloud Account T1530 - Data from Cloud Storage Object	33 Rules 13 Models
Account Manipulation	app-activity ↳s-aws-cloudtrail-assumedrole-json ↳s-aws-cloudtrail-activity-json ↳aws-cloudtrail-app-activity cloud-admin-activity ↳s-aws-cloudtrail-iam cloud-admin-activity-failed ↳s-aws-cloudtrail-iam storage-access ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access storage-activity ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access storage-activity-failed ↳s-aws-cloudtrail-s3-activity ↳s-aws-s3-cloud-storage-activity ↳s-aws-data-access	T1078.004 - Valid Accounts: Cloud Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136.003 - Create Account: Create: Cloud Account T1530 - Data from Cloud Storage Object	13 Rules 6 Models
Cryptomining	aws-instance-create ↳aws-runinstances-json	T1074 - Data Staged T1496 - Resource Hijacking	1 Rules 1 Models
Data Access	app-activity ↳s-aws-cloudtrail-assumedrole-json ↳s-aws-cloudtrail-activity-json ↳aws-cloudtrail-app-activity app-login ↳s-aws-cloudtrail-login-json failed-app-login ↳s-aws-cloudtrail-login-json	T1078 - Valid Accounts	20 Rules 11 Models
Data Leak	app-activity ↳s-aws-cloudtrail-assumedrole-json ↳s-aws-cloudtrail-activity-json ↳aws-cloudtrail-app-activity	T1114.003 - Email Collection: Email Forwarding Rule	3 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Valid Accounts: Cloud Accounts Exploit Public Fasing Application	User Execution	Boot or Logon Initialization Scripts Create Account External Remote Services Valid Accounts Account Manipulation Create Account: Create: Cloud Account Account Manipulation: Exchange Email Delegate Permissions	Boot or Logon Initialization Scripts Valid Accounts	Valid Accounts Unused/Unsupported Cloud Regions		Account Discovery		Screen Capture Email Collection Data from Cloud Storage Object Data Staged Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy		Resource Hijacking