Skip to content

Commit

Permalink
Add ransomware references (#553)
Browse files Browse the repository at this point in the history
  • Loading branch information
christophetd authored Aug 26, 2024
1 parent 0381e8b commit 7afda93
Show file tree
Hide file tree
Showing 13 changed files with 30 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detec
The following CloudTrail events are generated when this technique is detonated[^1]:


- `ssm:SendCommand`

- `ssm:DescribeInstanceInformation`

- `sts:GetCallerIdentity`
Expand All @@ -62,8 +64,6 @@ The following CloudTrail events are generated when this technique is detonated[^

- `ssm:GetCommandInvocation`

- `ssm:SendCommand`


??? "View raw detonation logs"

Expand Down
8 changes: 4 additions & 4 deletions docs/attack-techniques/AWS/aws.execution.ec2-user-data.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,14 +61,14 @@ provisioned before instantiation.
The following CloudTrail events are generated when this technique is detonated[^1]:


- `ec2:DescribeInstances`

- `ec2:StartInstances`

- `ec2:ModifyInstanceAttribute`

- `ec2:StopInstances`

- `ec2:DescribeInstances`

- `ec2:StartInstances`


??? "View raw detonation logs"

Expand Down
4 changes: 2 additions & 2 deletions docs/attack-techniques/AWS/aws.execution.ssm-send-command.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,12 +71,12 @@ While this technique uses a single call to <code>ssm:SendCommand</code> on sever
The following CloudTrail events are generated when this technique is detonated[^1]:


- `ssm:DescribeInstanceInformation`

- `ssm:GetCommandInvocation`

- `ssm:SendCommand`

- `ssm:DescribeInstanceInformation`


??? "View raw detonation logs"

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ References:
- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/


## Instructions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ References:

- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/


## Instructions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ References:
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://dfir.ch/posts/aws_ransomware/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/


## Instructions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ an external, fictitious attack AWS account.
References:

- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/


## Instructions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,10 @@ Establishes persistence by backdooring a lambda function to allow its invocation

- Modify the Lambda function resource-base policy to allow lambda:InvokeFunction from an external, fictitious AWS account.

References:

- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/


## Instructions

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ References:
- [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
`,
Detection: `
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ References:
- https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
`,
Detection: `
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ References:
- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
- https://www.invictus-ir.com/news/ransomware-in-the-cloud
- https://dfir.ch/posts/aws_ransomware/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
`,
Detection: `
You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ Detonation:
References:
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
`,
Detection: `
- Through [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-iam-role),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@ Warm-up:
Detonation:
- Modify the Lambda function resource-base policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
References:
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
`,
Detection: `
- Using CloudTrail's <code>AddPermission20150331</code> and <code>AddPermission20150331v2</code> events.
Expand Down

0 comments on commit 7afda93

Please sign in to comment.