Add references (#556)

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md

@@ -31,6 +31,8 @@ An attacker may attempt to retrieve a high number of secrets by batch, to avoid
 
 References:
 
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
 - https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
 
 

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md

@@ -28,6 +28,11 @@ Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSe
 - Enumerate the secrets through secretsmanager:ListSecrets
 - Retrieve each secret value, one by one through secretsmanager:GetSecretValue
 
+References:
+
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
+
 
 ## Instructions
 

docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md

@@ -49,10 +49,10 @@ Use the CloudTrail event <code>LeaveOrganization</code>.
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `organizations:LeaveOrganization`
-
 - `sts:AssumeRole`
 
+- `organizations:LeaveOrganization`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.execution.ssm-start-session.md

@@ -66,12 +66,12 @@ Identify, through CloudTrail's <code>StartSession</code> event, when a user is s
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `ssm:DescribeInstanceInformation`
-
 - `ssm:TerminateSession`
 
 - `ssm:StartSession`
 
+- `ssm:DescribeInstanceInformation`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md

@@ -31,6 +31,7 @@ Establishes persistence by creating an access key on an existing IAM user.
 References:
 
 - https://sysdig.com/blog/scarleteel-2-0/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md

@@ -32,6 +32,9 @@ References:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md

@@ -84,10 +84,10 @@ which generates a finding when a role can be assumed from a new AWS account or p
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `iam:AttachRolePolicy`
-
 - `iam:CreateRole`
 
+- `iam:AttachRolePolicy`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md

@@ -31,10 +31,12 @@ user intended to be used programmatically through the AWS console usual login pr
 
 References:
 
+- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
 - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 
 
 ## Instructions

docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md

@@ -58,10 +58,10 @@ Identify when a trust anchor is created, through CloudTrail's <code>CreateTrustA
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `rolesanywhere:CreateProfile`
-
 - `rolesanywhere:CreateTrustAnchor`
 
+- `rolesanywhere:CreateProfile`
+
 
 ??? "View raw detonation logs"
 

v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.go

@@ -43,6 +43,8 @@ Detonation:
 
 References:
 
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
 - https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
 `,
  Detection: `

v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go

@@ -30,6 +30,11 @@ Detonation:
 
 - Enumerate the secrets through secretsmanager:ListSecrets
 - Retrieve each secret value, one by one through secretsmanager:GetSecretValue
+
+References:
+
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
 `,
  Detection: `
 Identify principals retrieving a high number of secrets, through CloudTrail's GetSecretValue event.

v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go

@@ -30,13 +30,14 @@ Detonation:
 References:
 
 - https://sysdig.com/blog/scarleteel-2-0/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 `,
  Detection: `
 Through CloudTrail's <code>CreateAccessKey</code> event. This event can hardly be considered suspicious by itself, unless
 correlated with other indicators.
 '`,
- Platform:  stratus.AWS,
- 
+ Platform: stratus.AWS,
+
  IsIdempotent: false, // iam:CreateAccessKey can only be called twice (limit of 2 access keys per user)
  MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation},
  PrerequisitesTerraformCode: tf,

v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go

@@ -34,6 +34,9 @@ References:
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
 `,
  Detection: `
 Through CloudTrail's <code>CreateUser</code>, <code>AttachUserPolicy</code> and <code>CreateAccessKey</code> events.

v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go

@@ -32,10 +32,12 @@ Detonation:
 
 References:
 
+- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
 - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
 - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
 - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
 `,
  Detection: `
 Through CloudTrail's <code>CreateLoginProfile</code> or <code>UpdateLoginProfile</code> events.