{
	"id": "0e0efb3a-262b-42a2-a184-5e48ac27afad",
	"created_at": "2026-04-29T02:21:35.262668Z",
	"updated_at": "2026-04-29T08:23:10.225763Z",
	"deleted_at": null,
	"sha1_hash": "0d5925d1053ecc7709116982ce78db8653825ee4",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2024-06-18T05:51:35Z",
	"file_modification_date": "2026-02-06T21:10:41Z",
	"file_size": 3228234,
	"plain_text": "© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nNew tactics and techniques for proactive threat detection\r\nTDR 432\r\nBen Fletcher (he/him), AWS EMEA CIRT Lead, Amazon Web Services\r\nSteve de Vera (he/him), AWS CIRT Manager, Amazon Web Services\n\nAgenda\r\n• About AWS CIRT\r\n• Statistics\r\n• Current threat actor tactics\r\n• New threat actor tactics\r\n• Security best practices\n\nTHIS SESSION IS INTERACTIVE!\r\nFeel free to ask questions, make comments, participate\n\nAbout AWS CIRT\n\nAWS Customer Incident Response Team (CIRT)\r\nA specialized team that assists and advises customers during suspected active security events, on the customer’s side of the AWS Shared Responsibility Model\r\nGlobal team, 24/7, follow-the-sun model\r\nRespond: Assist and advise customers with active triage and recovery from their security event on AWS\r\nRecover: Assist in root cause analysis of a customer’s AWS service logs for their active security event\r\nLearn: Provide advice to customers for long-term recovery from their active security event\r\nEducate\n\nStatistics\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nThreat actors use which initial access method most often?\r\n#1 Cross-account permissions\r\n#2 Vulnerable web apps\r\n#3 Brute force\r\n#4 Lost/leaked access keys/credentials\r\n#5 Open S3 buckets\r\n#6 DDoS\n\nThreat actors use which initial access method most often?\r\nAnswer: #4 Lost/leaked access keys/credentials\r\n66% of initial access used valid IAM credentials\r\n1/3 of those were root credentials [20% of all initial access method use]\r\n13% of initial access was through a public-facing EC2 instance\n\nThreat primary tactics\r\nOpportunistic: resource hijack, ransom events, destruction\r\nA zero trust strategy\n\nGet the keys\r\nMITRE ATT\u0026CK: Tactic: Initial access, Technique: Valid cloud credentials\n\nIf keys are posted on GitHub, how long until they are used?\r\n#1 ~Two weeks\r\n#2 ~One week\r\n#3 24 hours\r\n#4 4 hours\r\n#5 Minutes, if not seconds\n\nIf keys are posted on GitHub, how long until they are used?\r\nAnswer: #5 Minutes, if not seconds\r\nGitHub secret scanning: https://thehackernews.com/2024/03/github-rolls-out-default-secret.html\r\nMITRE ATT\u0026CK: Tactic: Initial access, Technique: Valid cloud credentials\n\nCurrent threat actor tactics\n\nDISCLAIMER: Tactics and techniques presented do not constitute vulnerabilities within AWS\n\nResource hijacking: Premise\r\n1) Threat actor obtains access to AWS account or hosted resource\r\n2) Threat actor will mine cryptocurrency from the resource\r\n3) Resources created in AWS account:\r\n• RunInstances\r\n• CreateStack\r\n• CreateCluster\r\n4) Resources created in unused AWS Regions\r\nMITRE ATT\u0026CK: Tactic: Impact, Technique: Resource hijacking\n\nResource hijacking: Mitigations\r\n• Use SCPs to prevent resource creation – especially in unused Regions\r\n• Apply principle of least privilege to assigned permissions\r\nMITRE ATT\u0026CK: Tactic: Impact, Technique: Resource hijacking\n\nSubDomain takeover: Premise\r\n1) Customer has a CNAME (or, for an Elastic IP, an A record) pointing to a resource (S3 bucket, EC2 instance, Elastic IP)\r\n2) The resource is deleted, but the DNS record still exists\r\n3) Threat actor creates a resource that the record still points to\r\nMITRE ATT\u0026CK: Tactic: Impact, Technique: Defacement\n\nSubDomain takeover: Premise (walkthrough)\r\nCustomer creates S3 bucket s3-newco-random and configures it as a static website at http://s3-newco-random.s3-website-us-east-1.amazonaws.com\r\nCNAME app1.newco.com points to http://s3-newco-random.s3-website-us-east-1.amazonaws.com\r\nCustomer deletes the bucket, but the CNAME app1.newco.com still exists\r\nThreat actor recreates bucket s3-newco-random, configured as a static website with malicious content, which app1.newco.com now serves\n\nSubDomain takeover: Mitigations\r\n• Review hosted zones and delete unused CNAMEs\r\n• When de-provisioning, remove CNAMEs first\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
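The subdomain takeover mitigations above come down to one check: find DNS records whose target no longer exists under your control. The Python below is an added example, not material from the talk. It scans a Route 53 record export for CNAMEs that point at S3 static-website endpoints and flags any whose bucket the account no longer owns. The record sets and bucket list are constructed sample data in the shape of the `list-resource-record-sets` and `list-buckets` CLI output; the hostnames and bucket names are hypothetical, and the check covers S3 website endpoints only (EC2 public DNS names and Elastic IP targets, which the deck also mentions, need their own lookup).

```python
"""
Find Route 53 CNAME records that point at S3 static-website endpoints whose
bucket is no longer owned by this account: the takeover precondition above.

Added example, not from the talk. Offline only: no AWS or DNS calls are made.
"""
import re

# Constructed Route 53 export (hypothetical zone and bucket names).
RECORD_SETS = [
    {"Name": "app1.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "s3-newco-random.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "docs.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "docs-newco.s3-website.eu-central-1.amazonaws.com"}]},
    {"Name": "www.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "newco.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]

# Buckets the account still owns (constructed; s3-newco-random was deleted).
OWNED_BUCKETS = {"docs-newco", "logs-newco"}

# S3 website endpoints come in two shapes: <bucket>.s3-website-<region>.amazonaws.com
# (older Regions) and <bucket>.s3-website.<region>.amazonaws.com (newer Regions).
S3_WEBSITE_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3-website[.-](?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com\.?$"
)


def s3_website_target(value):
    """Return (bucket, region) if a record value is an S3 website endpoint, else None."""
    m = S3_WEBSITE_RE.match(value.strip().lower())
    return (m.group("bucket"), m.group("region")) if m else None


def dangling_s3_cnames(record_sets, owned_buckets):
    """CNAMEs whose S3 website bucket is not owned by this account.

    A bucket that does not exist anywhere can be claimed by anyone who
    registers that name; a bucket that exists but is not ours is already
    someone else's. Either way the CNAME has to go.
    """
    findings = []
    for rr in record_sets:
        if rr.get("Type") != "CNAME":
            continue
        for rec in rr.get("ResourceRecords", []):
            target = s3_website_target(rec["Value"])
            if target and target[0] not in owned_buckets:
                findings.append({"name": rr["Name"].rstrip("."), "bucket": target[0],
                                 "region": target[1], "target": rec["Value"]})
    return findings


if __name__ == "__main__":
    for f in dangling_s3_cnames(RECORD_SETS, OWNED_BUCKETS):
        print(f"DANGLING {f['name']} -> {f['target']} (bucket {f['bucket']!r} not owned)")
```

Route 53 alias records to S3 website endpoints carry the target in `AliasTarget.DNSName` rather than `ResourceRecords`, so a complete sweep handles both shapes. The test is ownership, not existence: a bucket that exists in someone else's account is already a takeover.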
All rights reserved.\r\nData destruction: Premise\r\n1) Threat actor obtains access to AWS account or resource (Amazon S3 or Amazon RDS)\r\n2) Threat actor will attempt to delete resources or data\r\n3) Resources deleted in AWS account:\r\n• DeleteBucket\r\n• DeleteObject\r\n• DeleteDBInstance\r\n• DeleteDBCluster\r\n• DeleteDBSnapshot\r\n• AuthorizeSecurityGroupIngress\r\nMITRE ATT\u0026CK: Tactic: Impact, Technique: Data destruction\n\nData destruction: Mitigations\r\n• Apply and review policies (resource policies and lifecycle policies), S3 Object Lock\r\n• Principle of least privilege\r\n• Use and test backup methodologies\r\nMITRE ATT\u0026CK: Tactic: Impact, Technique: Data destruction\n\nIMDSv1 credential access: Premise\r\n1) Threat actor obtains the ability to retrieve IMDSv1 credentials from a resource\r\n2) Threat actor exports and uses the credentials\r\nMITRE ATT\u0026CK: Tactic: Credential access, Technique: Unsecured credentials\n\nIMDSv1 credential access: Premise (walkthrough)\r\nAWS account, VPC, public subnet: web application on EC2 with an attached instance role (webdev)\r\nThreat actor uses SSRF to exploit a web application vulnerability\r\nThreat actor obtains the role’s credentials using the IMDSv1 API\r\nThreat actor uses the credentials to access the AWS account\n\nIMDSv1 credential access: Mitigations\r\n• Require IMDSv2\r\n• Use principle of least privilege on the EC2 instance profile\r\n• Use the aws:EC2InstanceSourceVPC or aws:EC2InstanceSourcePrivateIPv4 global condition keys in Service Control Policies\r\nMITRE ATT\u0026CK: Tactic: Credential access, Technique: Unsecured credentials\n\nGetFederationToken: Premise\r\n1) Credentials exported\r\n2) Federation token generated\r\n3) Threat actor exports and assumes federation token credentials\r\n4) Use exported credentials from federation token\r\n• The session name or ‘user name’ can be changed\r\n• Still need to review actions by ‘masked’ user\r\nMITRE ATT\u0026CK: Tactic: Persistence, Technique: Additional cloud credentials\n\nGetFederationToken: Mitigations\r\n• GetSessionToken also used\r\n• Generally considered unauthorized if observed\r\n• With both GetFederationToken and GetSessionToken, you can delete the originating access key and the session will persist\r\n• Can delete/recreate the user\r\n• Apply inline policy to IAM user (deny based on aws:TokenIssueTime)\n\nNovel threat actor tactics\n\n© 2024, Amazon Web Services, Inc. 
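The GetFederationToken section above makes two points that are easy to miss in triage: the federated session carries whatever name the caller chose, and deleting the long-term key does not end the session. The Python below is an added example, not from the talk. It indexes GetFederationToken and GetSessionToken calls by the temporary access key they returned, attributes later activity under that key back to the IAM user and key that minted it, and emits the inline deny policy on aws:TokenIssueTime that the deck recommends. The CloudTrail records are constructed; the account ID, user names and key IDs are hypothetical.

```python
"""
Attribute activity from GetFederationToken / GetSessionToken sessions back to
the IAM user and long-term key that minted them, and build the inline
aws:TokenIssueTime deny policy the deck recommends.

Added example, not from the talk. Records below are constructed in CloudTrail's
shape; account ID, names and key IDs are hypothetical.
"""
import json
from datetime import datetime, timezone

MINTING_CALLS = {"GetFederationToken", "GetSessionToken"}

EVENTS = [  # constructed CloudTrail records, oldest first
    {"eventTime": "2024-06-18T05:51:35Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot",
                      "accessKeyId": "AKIAEXAMPLELONGTERM1"},
     "requestParameters": {"name": "alice", "durationSeconds": 129600},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEFEDERATED"},
                          "federatedUser": {"arn": "arn:aws:sts::111122223333:federated-user/alice"}}},
    {"eventTime": "2024-06-18T06:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/alice",
                      "accessKeyId": "ASIAEXAMPLEFEDERATED"}},
    {"eventTime": "2024-06-18T06:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/secops",
                      "accessKeyId": "AKIAEXAMPLESECOPS0001"},
     "requestParameters": {"userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLELONGTERM1"}},
    {"eventTime": "2024-06-18T06:09:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/alice",
                      "accessKeyId": "ASIAEXAMPLEFEDERATED"}},
]


def index_minted_sessions(events):
    """Map each temporary access key returned by GetFederationToken/GetSessionToken
    to the long-term identity that requested it."""
    sessions = {}
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") in MINTING_CALLS:
            temp_key = ev["responseElements"]["credentials"]["accessKeyId"]
            sessions[temp_key] = {
                "call": ev["eventName"],
                "issuer_arn": ev["userIdentity"]["arn"],
                "issuer_key": ev["userIdentity"]["accessKeyId"],
                "issued_at": ev["eventTime"],
                # the 'user name' the caller chose; it is not an IAM user
                "session_name": ev.get("requestParameters", {}).get("name"),
            }
    return sessions


def attribute_session_activity(events):
    """For every event run under a minted session, name the originating IAM user
    and note whether its long-term key had already been deleted at that point
    (the session keeps working regardless)."""
    sessions = index_minted_sessions(events)
    deleted_keys = set()
    report = []
    for ev in events:
        if ev.get("eventName") == "DeleteAccessKey":
            deleted_keys.add(ev["requestParameters"]["accessKeyId"])
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key in sessions and ev.get("eventName") not in MINTING_CALLS:
            s = sessions[key]
            report.append({"time": ev["eventTime"], "action": ev["eventName"],
                           "region": ev.get("awsRegion"), "shown_as": ev["userIdentity"]["arn"],
                           "really": s["issuer_arn"], "via": s["call"],
                           "issuer_key_deleted": s["issuer_key"] in deleted_keys})
    return report


def revocation_policy(cutoff_iso):
    """Inline IAM-user policy denying every session whose token was issued before
    cutoff_iso (UTC, e.g. '2024-06-18T06:10:00Z'). Long-term keys carry no
    aws:TokenIssueTime, so the condition is false for them; rotate those separately."""
    datetime.strptime(cutoff_iso, "%Y-%m-%dT%H:%M:%SZ")  # reject anything IAM would not parse
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}}}]}


if __name__ == "__main__":
    for row in attribute_session_activity(EVENTS):
        print(row)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(revocation_policy(now), indent=2))
```

Attach the policy as an inline policy on the compromised IAM user and leave it in place until the longest possible session has expired (GetFederationToken and GetSessionToken both allow up to 36 hours for IAM users). Deleting or rotating the AKIA key is a separate, necessary step: the condition never matches a request signed with long-term credentials.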
or its affiliates. All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor creates an account\r\nin an AWS organization\r\n2)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor creates an account\r\nin an AWS organization\r\n2) Created account is used for\r\ndefense evasion, resource\r\nhijacking\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Alternative\r\n1) Threat actor creates a standalone\r\naccount with a stolen credit card\r\n2)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Alternative\r\n1) Threat actor creates a standalone\r\naccount with a stolen credit card\r\n2) Invites account to compromised\r\nAWS organization\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor can remove\r\nOrganizationAccountAccessRole\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor can remove\r\nOrganizationAccountAccessRole\r\n2) Victim can apply SCPs, but\r\nthis prevents new actions\r\n(existing threat actor resources\r\nnot affected)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor can remove\r\nOrganizationAccountAccessRole\r\n2) Victim can apply SCPs, but\r\nthis prevents new actions\r\n(existing threat actor resources\r\nnot affected)\r\n3) May need support case to\r\nremove account\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Premise\r\n1) Threat actor can remove\r\nOrganizationAccountAccessRole\r\n2) Victim can apply SCPs, but\r\nthis prevents new actions\r\n(existing threat actor resources\r\nnot affected)\r\n3) May need support case to\r\nremove account\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate account: Mitigations\r\n• Create custom groups or roles\r\n• Use principle of least privilege to restrict\r\naccount creation\r\n• Amazon CloudWatch alarm/SCP for\r\nInviteAccountToOrganization API call\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Unused/unsupported\r\ncloud regions\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLifecycle deletion: Premise\r\n1) Threat actor uses S3 lifecycle\r\npolicies to set parameters to\r\ndelete objects within 1 day\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Data destruction\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLifecycle deletion: Premise\r\n1) Threat actor uses S3 lifecycle\r\npolicies to set parameters to\r\ndelete objects within 1 day\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Data destruction\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nLifecycle deletion: Premise\r\n1) Threat actor uses S3 lifecycle\r\npolicies to set parameters to\r\ndelete objects within 1 day\r\n2) Form of data destruction\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Data destruction\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLifecycle deletion: Premise\r\n1) Threat actor uses S3 lifecycle\r\npolicies to set parameters to\r\ndelete objects within 1 day\r\n2) Form of data destruction\r\n3) Bypasses permissions and\r\ndetections against\r\nDeleteObject\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Data destruction\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLifecycle deletion: Mitigations\r\n• Apply SCPs to prevent use of PutBucketLifecycle\r\n• Use principle of least privilege\r\n• AWS Config rule for s3-lifecycle-policy-check\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Data destruction\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nSMS pumping: Premise\r\n1) Threat actor obtains block of high rate SMS phone numbers from\r\ntelecom provider\r\n2) Threat actor identifies service that sends SMS text messages\r\n3) Service used to send numerous text messages\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nSMS pumping: Premise\r\n4) Amazon Cognito used\r\n5)\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nSMS pumping: Premise\r\n4) Amazon Cognito used\r\n5) APIs observed are SignUp or\r\nResendConfirmationCode\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nSMS pumping: Mitigations\r\n• Change attribute verification and user account confirmation\r\n• Apply AWS WAF to present CAPTCHA\r\n• Apply web ACL rule to inspect request body and match the\r\nSMS area code\r\n• Amazon Fraud Detector (may require rearchitected solution)\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLeave organization: Premise\r\n1) Threat actor attempts to leave\r\nan AWS organization\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Indicator removal\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLeave organization: Premise\r\n1) Threat actor attempts to leave\r\nan AWS organization\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Indicator removal\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLeave organization: Premise\r\n1) Threat actor attempts to leave\r\nan AWS organization\r\n2) Prevents SCPs from being\r\napplied, used for resource\r\nhijacking\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Indicator removal\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLeave organization: Premise\r\n1) Threat actor attempts to leave\r\nan AWS organization\r\n2) Prevents SCPs from being\r\napplied, used for resource\r\nhijacking\r\n3) Form of defense evasion,\r\nAWS billing reports migrate\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Indicator removal\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nLeave organization: Mitigations\r\n• Apply SCPs to prevent LeaveOrganization API\r\ncall in member account\r\n• Use principle of least privilege to limit use of\r\nRemoveAccountFromOrganization in\r\nmanagement account\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Indicator removal\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nPremise\r\n1) Threat actor gains access to an\r\nAWS organization\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nPremise\r\n1) Threat actor gains access to an\r\nAWS organization\r\n2) AWS IAM Identity Center\r\nenabled to provision access\r\nto accounts\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nPremise\r\n1) Threat actor gains access to an\r\nAWS organization\r\n2) AWS IAM Identity Center\r\nenabled to provision access\r\nto accounts\r\n3) Adds extra steps to containment\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nAlternative\r\n3) Access to a specific account/s\r\nwithin an AWS organization\r\n4)\r\n5)\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nAlternative\r\n3) Access to a specific account/s\r\nwithin an AWS organization\r\n4) IAM used to add a SAML or\r\nOpenIDC provider\r\n5)\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nCreate identity provider:\r\nAlternative\r\n3) Access to a specific account/s\r\nwithin an AWS organization\r\n4) IAM used to add a SAML or\r\nOpenIDC provider\r\n5) Look for CreateSAMLProvider\r\nor CreateOIDCProvider events\r\nin AWS CloudTrail\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nMitigations\r\n• Remove identity provider from\r\nIAM Identity Center or IAM\r\n•\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCreate identity provider:\r\nMitigations\r\n• Remove identity provider from\r\nIAM Identity Center or IAM\r\n• Use Amazon EventBridge to\r\nwatch for StartSSO,\r\nCreateSAMLProvider or\r\nCreateOIDCProvider events\r\nin CloudTrail\r\nMITRE ATT\u0026CK\r\nTactic: Persistence\r\nTechnique: Create account\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n1)\r\n•\r\n•\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n1) Threat actor identifies vulnerable\r\nversion of Laravel\r\n• CVE-2021-3129\r\n• Debug mode\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n1) Threat actor identifies vulnerable\r\nversion of Laravel\r\n• CVE-2021-3129\r\n• Debug mode\r\n2) Debug mode allows access to .env file\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n1) Threat actor identifies vulnerable\r\nversion of Laravel\r\n• CVE-2021-3129\r\n• Debug mode\r\n2) Debug mode allows access to .env file\r\n3) .env configured with AWS credentials\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n3) For server in debug mode, specific\r\ndata sent generates a debug file\r\n4)\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nPremise\r\n3) For server in debug mode, specific\r\ndata sent generates a debug file\r\n4) File contains .env variables including\r\nAWS credentials\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nLaravel framework access:\r\nMitigations\r\n• Confirm Laravel is up-to-date and fully patched\r\n• Disable debug mode in production – set APP_DEBUG = FALSE\r\n• Use principle of least privilege for credentials in Laravel .env\r\n• AWS Secrets Manager for hardcoded secrets\r\nMITRE ATT\u0026CK\r\nTactic: Initial access\r\nTechnique: Exploit public-facing\r\napplication\n\n© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.\r\nCloudTrail modification:\r\nPremise\r\n1) Threat actor gains access to\r\nAWS account\r\n2)\r\n3)\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Impair defenses\n\n© 2024, Amazon Web Services, Inc. or its affiliates. 
CloudTrail modification:\r\nPremise\r\n1) Threat actor gains access to\r\nAWS account\r\n2) Modifies CloudTrail using\r\nPutEventSelectors\r\n3) Prevents logging of\r\nmutating (write) events by setting\r\nReadWriteType to ReadOnly\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Impair defenses\n\nCloudTrail modification:\r\nAlternative\r\n1) Threat actor gains access to\r\nAWS account\r\n2) Modifies CloudTrail using\r\nPutEventSelectors\r\n3) Prevents logging of\r\nmanagement events by setting\r\nIncludeManagementEvents to false\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Impair defenses\n\nCloudTrail modification:\r\nMitigations\r\n• Use SCPs to restrict CloudTrail modification, including\r\nuse of the PutEventSelectors API\r\n• Consider AWS Config remediation rules for CloudTrail\r\nMITRE ATT\u0026CK\r\nTactic: Defense evasion\r\nTechnique: Impair defenses\n\n
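As an added example (not from the slides), here are the two SCPs the page's mitigations describe: one denying CloudTrail modification (PutEventSelectors and the other trail-changing actions) to every principal except a break-glass role, and one limiting Amazon Bedrock to specific principals and specific Regions, as the LLM resource hijacking mitigations on this page recommend. A small evaluator applies them to sample calls so the effect is visible offline. The account ID, role names and Region list are assumptions, and the evaluator supports only the condition operators these two policies use.

```python
# Added example, not from the AWS CIRT slides: SCPs that restrict CloudTrail
# modification and Amazon Bedrock use, plus a minimal evaluator for the Deny
# logic. Account ID, role ARNs and the Region list are assumptions.
import fnmatch
import json

ALLOWED_BEDROCK_REGIONS = ['us-east-1', 'eu-west-1']                 # assumption
BREAK_GLASS_ROLE = 'arn:aws:iam::111122223333:role/LoggingAdmin'     # assumption
GENAI_ROLE = 'arn:aws:iam::111122223333:role/GenAIAppRole'           # assumption

SCP_PROTECT_CLOUDTRAIL = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'DenyCloudTrailTampering',
        'Effect': 'Deny',
        'Action': ['cloudtrail:PutEventSelectors', 'cloudtrail:StopLogging',
                   'cloudtrail:DeleteTrail', 'cloudtrail:UpdateTrail'],
        'Resource': '*',
        # Only the break-glass role may change trails; everyone else is denied.
        'Condition': {'ArnNotLike': {'aws:PrincipalArn': [BREAK_GLASS_ROLE]}},
    }],
}

SCP_RESTRICT_BEDROCK = {
    'Version': '2012-10-17',
    'Statement': [
        {   # Specific Regions: deny Bedrock anywhere the organisation does not use it.
            'Sid': 'DenyBedrockOutsideApprovedRegions',
            'Effect': 'Deny', 'Action': 'bedrock:*', 'Resource': '*',
            'Condition': {'StringNotEquals': {'aws:RequestedRegion': ALLOWED_BEDROCK_REGIONS}},
        },
        {   # Specific principals: deny Bedrock to everything but the GenAI app role.
            'Sid': 'DenyBedrockForUnapprovedPrincipals',
            'Effect': 'Deny', 'Action': 'bedrock:*', 'Resource': '*',
            'Condition': {'ArnNotLike': {'aws:PrincipalArn': [GENAI_ROLE]}},
        },
    ],
}

POLICIES = [SCP_PROTECT_CLOUDTRAIL, SCP_RESTRICT_BEDROCK]


def _condition_holds(cond, ctx):
    '''Evaluate the subset of IAM condition operators used above.'''
    for op, pairs in cond.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            values = values if isinstance(values, list) else [values]
            if op == 'StringNotEquals':
                if actual in values:
                    return False
            elif op == 'ArnNotLike':
                if any(fnmatch.fnmatchcase(actual or '', v) for v in values):
                    return False
            else:
                raise ValueError('unsupported operator ' + op)
    return True


def scp_denies(policies, action, principal_arn, region):
    '''Return the Sid of the first matching Deny statement, else None.
    SCPs act as a filter: an explicit Deny always wins, and nothing here
    grants access (IAM policies in the member account still decide that).'''
    ctx = {'aws:PrincipalArn': principal_arn, 'aws:RequestedRegion': region}
    for policy in policies:
        for stmt in policy['Statement']:
            if stmt['Effect'] != 'Deny':
                continue
            actions = stmt['Action'] if isinstance(stmt['Action'], list) else [stmt['Action']]
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if _condition_holds(stmt.get('Condition', {}), ctx):
                return stmt['Sid']
    return None


if __name__ == '__main__':
    for policy in POLICIES:
        print(json.dumps(policy, indent=2))
    for call in [('cloudtrail:PutEventSelectors', 'arn:aws:iam::111122223333:role/Dev', 'us-east-1'),
                 ('bedrock:InvokeModel', GENAI_ROLE, 'ap-south-1'),
                 ('bedrock:InvokeModel', GENAI_ROLE, 'eu-west-1')]:
        print(call, '->', scp_denies(POLICIES, *call) or 'not denied by SCP (IAM decides)')
```

Two caveats a practitioner will want: SCPs never apply to the management account, so the break-glass role and the trail itself belong in a dedicated account, and aws:RequestedRegion is the key to use for Region restrictions because Bedrock runtime calls are Regional.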
LLM resource hijacking: Premise\r\n1) Threat actor obtains access to AWS account\r\n2) Threat actor enables access to LLMs\r\nthrough Amazon Bedrock\r\n3) Models used and prompts sent:\r\n• InvokeModel\r\n• InvokeModelWithResponseStream\r\n4) Can be performed in unused\r\nAWS Regions\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\n
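To see the three CloudTrail-based detections on this page run end to end, the following added example (not from the slides) evaluates constructed CloudTrail records against an EventBridge-style event pattern for the identity-provider persistence case (StartSSO, CreateSAMLProvider, CreateOIDCProvider), a check for PutEventSelectors calls that stop logging management or write events, and a check for Bedrock InvokeModel calls outside the Regions the account normally uses. The account ID, ARNs, trail name, model IDs and Region list are constructed.

```python
# Added example, not from the AWS CIRT slides: three detections over
# constructed CloudTrail records. Account ID, ARNs, trail name, model IDs
# and the list of Regions in use are assumptions for the demo.

USED_REGIONS = {'us-east-1', 'eu-west-1'}   # assumption: Regions this account uses

# EventBridge event pattern for the persistence case, in the shape an
# EventBridge rule takes: detail-type for CloudTrail, then the record fields.
IDP_CREATION_PATTERN = {
    'detail-type': ['AWS API Call via CloudTrail'],
    'detail': {
        'eventSource': ['iam.amazonaws.com', 'sso.amazonaws.com'],
        'eventName': ['CreateSAMLProvider', 'CreateOIDCProvider', 'StartSSO'],
    },
}


def matches_pattern(event, pattern):
    '''Subset of EventBridge pattern semantics: nested dicts, a leaf list
    means exact match against any listed value, a missing field never matches.'''
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True


def logging_reduced(record):
    '''True when a PutEventSelectors call leaves management events or
    write events unlogged (the two variants the slides describe).'''
    if record.get('eventSource') != 'cloudtrail.amazonaws.com' or record.get('eventName') != 'PutEventSelectors':
        return False
    params = record.get('requestParameters') or {}
    for sel in params.get('eventSelectors') or []:
        if sel.get('includeManagementEvents') is False or sel.get('readWriteType') == 'ReadOnly':
            return True
    return False


def bedrock_in_unused_region(record):
    '''True for the Bedrock runtime calls the slides name, outside USED_REGIONS.'''
    return (record.get('eventSource') == 'bedrock.amazonaws.com'
            and record.get('eventName') in ('InvokeModel', 'InvokeModelWithResponseStream')
            and record.get('awsRegion') not in USED_REGIONS)


def triage(records):
    '''Return (finding, eventName, awsRegion, principal) tuples for the records.'''
    out = []
    for r in records:
        who = (r.get('userIdentity') or {}).get('arn', 'unknown')
        wrapped = {'detail-type': 'AWS API Call via CloudTrail', 'detail': r}   # as EventBridge delivers it
        if matches_pattern(wrapped, IDP_CREATION_PATTERN):
            out.append(('persistence: identity provider created', r['eventName'], r['awsRegion'], who))
        if logging_reduced(r):
            out.append(('defense evasion: CloudTrail logging reduced', r['eventName'], r['awsRegion'], who))
        if bedrock_in_unused_region(r):
            out.append(('impact: Bedrock invoked in unused Region', r['eventName'], r['awsRegion'], who))
    return out


# Constructed CloudTrail records (only the fields the detections read).
ATTACKER = {'arn': 'arn:aws:iam::111122223333:user/compromised'}
SAMPLE_RECORDS = [
    {'eventSource': 'iam.amazonaws.com', 'eventName': 'CreateSAMLProvider', 'awsRegion': 'us-east-1',
     'userIdentity': ATTACKER, 'requestParameters': {'name': 'ExternalIdP'}},
    {'eventSource': 'cloudtrail.amazonaws.com', 'eventName': 'PutEventSelectors', 'awsRegion': 'us-east-1',
     'userIdentity': ATTACKER, 'requestParameters': {'trailName': 'org-trail',
     'eventSelectors': [{'readWriteType': 'ReadOnly', 'includeManagementEvents': True}]}},
    {'eventSource': 'bedrock.amazonaws.com', 'eventName': 'InvokeModelWithResponseStream', 'awsRegion': 'ap-southeast-2',
     'userIdentity': ATTACKER, 'requestParameters': {'modelId': 'anthropic.claude-3-sonnet-20240229-v1:0'}},
    {'eventSource': 'bedrock.amazonaws.com', 'eventName': 'InvokeModel', 'awsRegion': 'us-east-1',
     'userIdentity': {'arn': 'arn:aws:iam::111122223333:role/GenAIAppRole'},
     'requestParameters': {'modelId': 'amazon.titan-text-express-v1'}},
    {'eventSource': 'iam.amazonaws.com', 'eventName': 'CreateRole', 'awsRegion': 'us-east-1',
     'userIdentity': {'arn': 'arn:aws:iam::111122223333:role/Deployer'}, 'requestParameters': {'roleName': 'app'}},
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_RECORDS):
        print(*finding)
```

The IDP_CREATION_PATTERN dict is the part to lift into an EventBridge rule; the other two checks are what a rule target (a Lambda function or a SIEM query) would do with the record. For the Bedrock case, remember that CloudTrail records the Region the call was made in, so the same check works across an organisation trail without per-Region rules.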
LLM resource hijacking:\r\nMitigations\r\nUse SCPs to limit access to Amazon Bedrock to\r\n• Specific principals\r\n• Specific Regions\r\nMITRE ATT\u0026CK\r\nTactic: Impact\r\nTechnique: Resource hijacking\n\nSecurity best practices\n\nSwiss cheese model (industrial accidents)\r\nA failure cannot be traced back to a\r\nsingle root cause;\r\naccidents are often the result of a\r\ncombination of factors\n\nGet the basics right\r\n• Lack of continuous vulnerability management\r\n• Unintended disclosure of credentials and secrets\r\n• Ineffective response to detective controls\r\n• Inaccurate AWS account contact information\r\n• Insecure AWS resource configuration",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
	],
	"report_names": [
		"TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-29T06:58:57.977922Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429295,
	"ts_updated_at": 1777450990,
	"ts_creation_date": 1718689895,
	"ts_modification_date": 1770412241,
	"files": {
		"pdf": "https://archive.orkl.eu/0d5925d1053ecc7709116982ce78db8653825ee4.pdf",
		"text": "https://archive.orkl.eu/0d5925d1053ecc7709116982ce78db8653825ee4.txt",
		"img": "https://archive.orkl.eu/0d5925d1053ecc7709116982ce78db8653825ee4.jpg"
	}
}