An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incident references, other research references and security implications.
I started TrailDiscover because I often wondered whether certain AWS API calls had been used in past attacks and what information was available about them. Since most API actions create a CloudTrail event with the same name, I decided to focus on CloudTrail events; approaching it this way also makes the information easier to use with SIEMs. This project is about making it easier to understand which AWS actions have been misused before, how others might be misused, and the CloudTrail event each one generates. I hope this helps people decide what to watch out for, speeds up figuring out what happened in an attack, and inspires new security research.
The easiest way to consume this information is via the website: https://traildiscover.cloud/
Here's what you'll find in TrailDiscover: one JSON file per CloudTrail event, organized by service, for example CloudTrail/DeleteTrail.json or Cognito/GetCredentialsForIdentity.json. Each event in the JSON files contains the fields described in the event structure section.
This is just the start, and there's a lot of manual work behind it, so there might be mistakes. The way I've mapped events to MITRE ATT&CK tactics and techniques is my best guess, based on how these commands work and what's been seen in attacks, but there are many ways to look at it.
PRs are welcome. Here’s how you can contribute:
Adding New Events: You can contribute by adding new event files to the events folder within the respective service directory. Make sure to include all the relevant details as described in the event structure section.
Update Event Details: Add any new findings or details that provide a better understanding of the event's implications, its use in real-world attacks, or links to research where the event is mentioned.
Updating The Web: After adding or updating events, use the scripts in the tools folder to generate the updated CSV and JSON files for the web. This ensures that the website stays up to date with the latest event information.
In the tools folder, the datadog_dashboard.py script, when executed, generates the JSON file datadog_dashboard.json in the docs folder. This JSON can be imported into Datadog as a dashboard.
The dashboard has an overview section with a 'Top 10 CloudTrail Events exploited in the wild' widget, showing the ten most frequent events in your account(s) that are known to have been used in the wild by attackers. It also includes a 'MITRE ATT&CK Tactics Events Timeline' that groups the events from TrailDiscover by MITRE ATT&CK tactic and shows when they occur in your account(s).
Below that, events are organized by MITRE ATT&CK tactic. Each event is presented with two widgets: one provides a description, a direct link to traildiscover.cloud, and references to related incidents and research; the other is a counter displaying how often that event has occurred in your AWS environment.
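As an added example (not part of the TrailDiscover project or its tools), the following Python script does offline what those two dashboard widgets do: it matches raw CloudTrail records against a small TrailDiscover-style catalog and produces the in-the-wild event counts and a per-tactic hourly timeline. The catalog shape, its MITRE mappings and the log records are constructed for illustration and are not TrailDiscover's schema or data. One point worth copying into any SIEM rule built on this data: the catalog is keyed on both eventSource and eventName, because CloudTrail event names are only unique within a service.

```python
"""Offline equivalent of the two dashboard aggregations over CloudTrail records.

Added example, not TrailDiscover's code: CATALOG is a simplified, constructed
stand-in for the project's event JSON (the real schema has more fields), and
SAMPLE_LOG is a constructed CloudTrail export, not a real one.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Keyed on (eventSource, eventName): CloudTrail event names are only unique
# within a service (CreateCluster exists in ECS, EKS and Redshift), so matching
# on eventName alone can attribute an event to the wrong catalog entry.
# The tactic/usedInWild values here are illustrative assumptions.
CATALOG = {
    ("cloudtrail.amazonaws.com", "DeleteTrail"):
        {"tactic": "TA0005 - Defense Evasion", "usedInWild": True},
    ("cloudtrail.amazonaws.com", "StopLogging"):
        {"tactic": "TA0005 - Defense Evasion", "usedInWild": True},
    ("cognito-identity.amazonaws.com", "GetCredentialsForIdentity"):
        {"tactic": "TA0006 - Credential Access", "usedInWild": True},
    ("s3.amazonaws.com", "ListBuckets"):
        {"tactic": "TA0007 - Discovery", "usedInWild": True},
}

# Constructed records in CloudTrail's JSON export shape, abbreviated to the
# fields this script reads. The last DeleteTrail was denied (errorCode set).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T10:07:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T11:15:00Z", "eventSource": "cognito-identity.amazonaws.com",
     "eventName": "GetCredentialsForIdentity", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T11:20:00Z", "eventSource": "cognito-identity.amazonaws.com",
     "eventName": "GetCredentialsForIdentity", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T11:22:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-01T12:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1", "errorCode": "AccessDenied"},
]})


def load_records(raw_json):
    """Parse a CloudTrail export (the {"Records": [...]} shape) into a list."""
    return json.loads(raw_json)["Records"]


def lookup(record, catalog=CATALOG):
    """Return the catalog entry for a record, or None if it is not tracked."""
    return catalog.get((record.get("eventSource"), record.get("eventName")))


def top_in_the_wild(records, catalog=CATALOG, n=10, include_failed=True):
    """Counts of catalogued events flagged usedInWild, most frequent first.

    Denied calls (errorCode present) are counted by default: a failed
    DeleteTrail is still worth knowing about.
    """
    counts = Counter()
    for rec in records:
        entry = lookup(rec, catalog)
        if entry is None or not entry["usedInWild"]:
            continue
        if not include_failed and "errorCode" in rec:
            continue
        counts[rec["eventName"]] += 1
    # Sort by count descending, then by name, so ties are deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def tactic_timeline(records, catalog=CATALOG):
    """Per-tactic counts bucketed by hour: {tactic: {hour_bucket: count}}."""
    timeline = defaultdict(Counter)
    for rec in records:
        entry = lookup(rec, catalog)
        if entry is None:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        timeline[entry["tactic"]][when.strftime("%Y-%m-%dT%H:00Z")] += 1
    return {tactic: dict(hours) for tactic, hours in timeline.items()}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("Top in-the-wild events:", top_in_the_wild(recs))
    print("Tactic timeline:", json.dumps(tactic_timeline(recs), indent=2))
```

Run it as-is and it reports on the constructed records; point load_records at a real CloudTrail export (one of the gzipped JSON files delivered to S3, decompressed) and swap CATALOG for the project's event data and you get the same two views without Datadog. The DescribeInstances record is deliberately absent from the catalog to show that untracked events are ignored rather than misfiled.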
⚠️ Warning
This dashboard is resource-intensive. To generate a dashboard with less data, use the --on-the-wild-only option to add only events that have been seen in the wild, or the --tactics option to add only specific tactics. Example usage:
python3 datadog_dashboard.py --on-the-wild-only --tactics "TA0005 - Defense Evasion" "TA0008 - Lateral Movement"