| Retrieve EC2 Password Data |
AWS |
Credential Access |
| Steal EC2 Instance Credentials |
AWS |
Credential Access |
| Retrieve a High Number of Secrets Manager secrets (Batch) |
AWS |
Credential Access |
| Retrieve a High Number of Secrets Manager secrets |
AWS |
Credential Access |
| Retrieve And Decrypt SSM Parameters |
AWS |
Credential Access |
| Delete CloudTrail Trail |
AWS |
Defense Evasion |
| Disable CloudTrail Logging Through Event Selectors |
AWS |
Defense Evasion |
| CloudTrail Logs Impairment Through S3 Lifecycle Rule |
AWS |
Defense Evasion |
| Stop CloudTrail Trail |
AWS |
Defense Evasion |
| Delete DNS query logs |
AWS |
Defense Evasion |
| Attempt to Leave the AWS Organization |
AWS |
Defense Evasion |
| Remove VPC Flow Logs |
AWS |
Defense Evasion |
| Execute Discovery Commands on an EC2 Instance |
AWS |
Discovery |
| Download EC2 Instance User Data |
AWS |
Discovery |
| Enumerate SES |
AWS |
Discovery |
| Launch Unusual EC2 instances |
AWS |
Execution |
| Execute Commands on EC2 Instance via User Data |
AWS |
Execution, Privilege Escalation |
| Usage of ssm:SendCommand on multiple instances |
AWS |
Execution |
| Usage of ssm:StartSession on multiple instances |
AWS |
Execution |
| Open Ingress Port 22 on a Security Group |
AWS |
Exfiltration |
| Exfiltrate an AMI by Sharing It |
AWS |
Exfiltration |
| Exfiltrate EBS Snapshot by Sharing It |
AWS |
Exfiltration |
| Exfiltrate RDS Snapshot by Sharing |
AWS |
Exfiltration |
| Backdoor an S3 Bucket via its Bucket Policy |
AWS |
Exfiltration |
| Invoke Bedrock Model |
AWS |
Impact |
| S3 Ransomware through batch file deletion |
AWS |
Impact |
| S3 Ransomware through client-side encryption |
AWS |
Impact |
| S3 Ransomware through individual file deletion |
AWS |
Impact |
| Console Login without MFA |
AWS |
Initial Access |
| Usage of EC2 Instance Connect on multiple instances |
AWS |
Lateral Movement |
| Backdoor an IAM Role |
AWS |
Persistence |
| Create an Access Key on an IAM User |
AWS |
Persistence, Privilege Escalation |
| Create an administrative IAM User |
AWS |
Persistence, Privilege Escalation |
| Create a backdoored IAM Role |
AWS |
Persistence |
| Create a Login Profile on an IAM User |
AWS |
Persistence, Privilege Escalation |
| Backdoor Lambda Function Through Resource-Based Policy |
AWS |
Persistence |
| Add a Malicious Lambda Extension |
AWS |
Persistence, Privilege Escalation |
| Overwrite Lambda Function Code |
AWS |
Persistence |
| Create an IAM Roles Anywhere trust anchor |
AWS |
Persistence, Privilege Escalation |
| Change IAM user password |
AWS |
Privilege Escalation |
| Execute Command on Virtual Machine using Custom Script Extension |
Azure |
Execution |
| Execute Commands on Virtual Machine using Run Command |
Azure |
Execution |
| Export Disk Through SAS URL |
Azure |
Exfiltration |
| Create Azure VM Bastion shareable link |
Azure |
Persistence |
| Create Admin EKS Access Entry |
EKS |
Lateral Movement |
| Backdoor aws-auth EKS ConfigMap |
EKS |
Persistence, Privilege Escalation |
| Backdoor Entra ID application through service principal |
Entra ID |
Persistence, Privilege Escalation |
| Backdoor Entra ID application |
Entra ID |
Persistence, Privilege Escalation |
| Create Guest User |
Entra ID |
Persistence |
| Create Hidden Scoped Role Assignment Through HiddenMembership AU |
Entra ID |
Persistence |
| Create Application |
Entra ID |
Persistence, Privilege Escalation |
| Create Sticky Backdoor User Through Restricted Management AU |
Entra ID |
Persistence |
| Exfiltrate Compute Disk by sharing it |
GCP |
Exfiltration |
| Exfiltrate Compute Image by sharing it |
GCP |
Exfiltration |
| Exfiltrate Compute Disk by sharing a snapshot |
GCP |
Exfiltration |
| Backdoor a GCP Service Account through its IAM Policy |
GCP |
Persistence |
| Create an Admin GCP Service Account |
GCP |
Persistence, Privilege Escalation |
| Create a GCP Service Account Key |
GCP |
Persistence, Privilege Escalation |
| Invite an External User to a GCP Project |
GCP |
Persistence |
| Dump All Secrets |
Kubernetes |
Credential Access |
| Steal Pod Service Account Token |
Kubernetes |
Credential Access |
| Create Admin ClusterRole |
Kubernetes |
Persistence, Privilege Escalation |
| Create Client Certificate Credential |
Kubernetes |
Persistence |
| Create Long-Lived Token |
Kubernetes |
Persistence |
| Container breakout via hostPath volume mount |
Kubernetes |
Privilege Escalation |
| Privilege escalation through node/proxy permissions |
Kubernetes |
Privilege Escalation |
| Run a Privileged Pod |
Kubernetes |
Privilege Escalation |
| Impersonate GCP Service Accounts |
GCP |
Privilege Escalation |