| Technique | Platform | Tactic |
|---|---|---|
| Retrieve EC2 Password Data | AWS | Credential Access |
| Steal EC2 Instance Credentials | AWS | Credential Access |
| Retrieve a High Number of Secrets Manager secrets (Batch) | AWS | Credential Access |
| Retrieve a High Number of Secrets Manager secrets | AWS | Credential Access |
| Retrieve And Decrypt SSM Parameters | AWS | Credential Access |
| Delete CloudTrail Trail | AWS | Defense Evasion |
| Disable CloudTrail Logging Through Event Selectors | AWS | Defense Evasion |
| CloudTrail Logs Impairment Through S3 Lifecycle Rule | AWS | Defense Evasion |
| Stop CloudTrail Trail | AWS | Defense Evasion |
| Delete DNS query logs | AWS | Defense Evasion |
| Attempt to Leave the AWS Organization | AWS | Defense Evasion |
| Remove VPC Flow Logs | AWS | Defense Evasion |
| Execute Discovery Commands on an EC2 Instance | AWS | Discovery |
| Download EC2 Instance User Data | AWS | Discovery |
| Enumerate SES | AWS | Discovery |
| Launch Unusual EC2 instances | AWS | Execution |
| Execute Commands on EC2 Instance via User Data | AWS | Execution, Privilege Escalation |
| Usage of ssm:SendCommand on multiple instances | AWS | Execution |
| Usage of ssm:StartSession on multiple instances | AWS | Execution |
| Open Ingress Port 22 on a Security Group | AWS | Exfiltration |
| Exfiltrate an AMI by Sharing It | AWS | Exfiltration |
| Exfiltrate EBS Snapshot by Sharing It | AWS | Exfiltration |
| Exfiltrate RDS Snapshot by Sharing | AWS | Exfiltration |
| Backdoor an S3 Bucket via its Bucket Policy | AWS | Exfiltration |
| Invoke Bedrock Model | AWS | Impact |
| S3 Ransomware through batch file deletion | AWS | Impact |
| S3 Ransomware through client-side encryption | AWS | Impact |
| S3 Ransomware through individual file deletion | AWS | Impact |
| Console Login without MFA | AWS | Initial Access |
| Usage of EC2 Serial Console to push SSH public key | AWS | Lateral Movement |
| Usage of EC2 Instance Connect on multiple instances | AWS | Lateral Movement |
| Backdoor an IAM Role | AWS | Persistence |
| Create an Access Key on an IAM User | AWS | Persistence, Privilege Escalation |
| Create an administrative IAM User | AWS | Persistence, Privilege Escalation |
| Create a backdoored IAM Role | AWS | Persistence |
| Create a Login Profile on an IAM User | AWS | Persistence, Privilege Escalation |
| Backdoor Lambda Function Through Resource-Based Policy | AWS | Persistence |
| Add a Malicious Lambda Extension | AWS | Persistence, Privilege Escalation |
| Overwrite Lambda Function Code | AWS | Persistence |
| Create an IAM Roles Anywhere trust anchor | AWS | Persistence, Privilege Escalation |
| Generate temporary AWS credentials using GetFederationToken | AWS | Persistence |
| Change IAM user password | AWS | Privilege Escalation |
| Execute Command on Virtual Machine using Custom Script Extension | Azure | Execution |
| Execute Commands on Virtual Machine using Run Command | Azure | Execution |
| Export Disk Through SAS URL | Azure | Exfiltration |
| Create Azure VM Bastion shareable link | Azure | Persistence |
| Create Admin EKS Access Entry | EKS | Lateral Movement |
| Backdoor aws-auth EKS ConfigMap | EKS | Persistence, Privilege Escalation |
| Backdoor Entra ID application through service principal | Entra ID | Persistence, Privilege Escalation |
| Backdoor Entra ID application | Entra ID | Persistence, Privilege Escalation |
| Create Guest User | Entra ID | Persistence |
| Create Hidden Scoped Role Assignment Through HiddenMembership AU | Entra ID | Persistence |
| Create Application | Entra ID | Persistence, Privilege Escalation |
| Create Sticky Backdoor User Through Restricted Management AU | Entra ID | Persistence |
| Exfiltrate Compute Disk by sharing it | GCP | Exfiltration |
| Exfiltrate Compute Image by sharing it | GCP | Exfiltration |
| Exfiltrate Compute Disk by sharing a snapshot | GCP | Exfiltration |
| Backdoor a GCP Service Account through its IAM Policy | GCP | Persistence |
| Create an Admin GCP Service Account | GCP | Persistence, Privilege Escalation |
| Create a GCP Service Account Key | GCP | Persistence, Privilege Escalation |
| Invite an External User to a GCP Project | GCP | Persistence |
| Dump All Secrets | Kubernetes | Credential Access |
| Steal Pod Service Account Token | Kubernetes | Credential Access |
| Create Admin ClusterRole | Kubernetes | Persistence, Privilege Escalation |
| Create Client Certificate Credential | Kubernetes | Persistence |
| Create Long-Lived Token | Kubernetes | Persistence |
| Container breakout via hostPath volume mount | Kubernetes | Privilege Escalation |
| Privilege escalation through node/proxy permissions | Kubernetes | Privilege Escalation |
| Run a Privileged Pod | Kubernetes | Privilege Escalation |
| Impersonate GCP Service Accounts | GCP | Privilege Escalation |