diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
index ee78912d..d3ab0016 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -28,6 +28,7 @@ Detonation: - Create an IAM access key on the user. References: + - https://sysdig.com/blog/scarleteel-2-0/ `, Detection: `
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
index 4476a3a9..49606c97 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
@@ -31,6 +31,7 @@ Detonation: References: - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ +- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/ `,
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
index 5b03f9d9..aa3e2713 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
@@ -31,7 +31,9 @@ Detonation: - Create an IAM Login Profile on the user References: + - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ +- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/ `,
diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
index 104948a0..7e7067c0 100644
--- a/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/lambda-overwrite-code/main.go
@@ -34,6 +34,7 @@ Detonation: - Update the Lambda function code. References: + - https://research.splunk.com/cloud/aws_lambda_updatefunctioncode/ - Expel's AWS security mindmap `,
diff --git a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
index 106adfc8..8cb975fe 100644
--- a/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
+++ b/v2/internal/attacktechniques/gcp/persistence/create-admin-service-account/main.go
@@ -33,6 +33,7 @@ Detonation: - Update the current GCP project's IAM policy to bind the service account to the owner role' References: + - https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ `, Detection: `