diff --git a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
index 62d63cd3d..176de028e 100755
--- a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
+++ b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
@@ -31,6 +31,8 @@ An attacker may attempt to retrieve a high number of secrets by batch, to avoid
References:
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
- https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
diff --git a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
index 0aaf4c63b..f6b41eae4 100755
--- a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
+++ b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md
@@ -28,6 +28,11 @@ Retrieves a high number of Secrets Manager secrets, through secretsmanager:GetSe
- Enumerate the secrets through secretsmanager:ListSecrets
- Retrieve each secret value, one by one through secretsmanager:GetSecretValue
+References:
+
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
+
## Instructions
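Review bot: the new `References:` line sits directly under the last Detonation bullet (`- Retrieve each secret value, one by one through secretsmanager:GetSecretValue`); confirm a blank line separates them in the file, because Markdown treats a non-blank line following a list item as a lazy continuation of that item, which would fold "References:" into the bullet text. The matching hunk in the Go source adds an explicit blank `+` line before `References:`, so the docs file should carry the same separator (if the docs are regenerated from the Go description, the two will come out consistent anyway).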
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
index 52c937d5e..70f9a3e2e 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md
@@ -49,10 +49,10 @@ Use the CloudTrail event LeaveOrganization
.
The following CloudTrail events are generated when this technique is detonated[^1]:
-- `organizations:LeaveOrganization`
-
- `sts:AssumeRole`
+- `organizations:LeaveOrganization`
+
??? "View raw detonation logs"
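Review bot: this hunk only swaps the order of the two generated CloudTrail event bullets (`sts:AssumeRole` now precedes `organizations:LeaveOrganization`) without a stated reason, and the same kind of pure reorder appears in several other docs files in this change. Since the footnote marks these lists as generated at detonation time, the generator should emit them in a deterministic order (sorted by event name, for instance) so that regenerating the docs does not keep producing ordering-only churn in unrelated PRs.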
diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md b/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md
index 212d70a50..5157061ea 100755
--- a/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md
+++ b/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md
@@ -71,12 +71,12 @@ While this technique uses a single call to ssm:SendCommand
on sever
The following CloudTrail events are generated when this technique is detonated[^1]:
+- `ssm:DescribeInstanceInformation`
+
- `ssm:GetCommandInvocation`
- `ssm:SendCommand`
-- `ssm:DescribeInstanceInformation`
-
??? "View raw detonation logs"
diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md b/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
index 2fbd64820..7e3196957 100755
--- a/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
+++ b/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
@@ -66,12 +66,12 @@ Identify, through CloudTrail's StartSession
event, when a user is s
The following CloudTrail events are generated when this technique is detonated[^1]:
-- `ssm:DescribeInstanceInformation`
-
- `ssm:TerminateSession`
- `ssm:StartSession`
+- `ssm:DescribeInstanceInformation`
+
??? "View raw detonation logs"
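Review bot: after this reorder the list reads `ssm:DescribeInstanceInformation`, `ssm:TerminateSession`, `ssm:StartSession`, which is neither alphabetical nor the order the calls happen in (a session is started before it is terminated), while the `ssm-send-command` list in this same change comes out alphabetical (`DescribeInstanceInformation`, `GetCommandInvocation`, `SendCommand`). Pick one canonical ordering for these generated lists and apply it in the generator rather than committing whatever order the run happened to produce.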
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
index 36145b1de..3725e6652 100755
--- a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
@@ -31,6 +31,7 @@ Establishes persistence by creating an access key on an existing IAM user.
References:
- https://sysdig.com/blog/scarleteel-2-0/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
## Instructions
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
index 0e1cb0691..ef318fdac 100755
--- a/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md
@@ -32,6 +32,9 @@ References:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
## Instructions
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md
index b731c2897..34059fcb9 100755
--- a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md
@@ -83,10 +83,10 @@ which generates a finding when a role can be assumed from a new AWS account or p
The following CloudTrail events are generated when this technique is detonated[^1]:
-- `iam:AttachRolePolicy`
-
- `iam:CreateRole`
+- `iam:AttachRolePolicy`
+
??? "View raw detonation logs"
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
index e033d9e07..3ad9df11f 100755
--- a/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
+++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md
@@ -31,10 +31,12 @@ user intended to be used programmatically through the AWS console usual login pr
References:
+- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
## Instructions
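Review bot: the two new references are spliced into the list at different positions, the Datadog Security Labs link at the top and the Permiso LUCR-3 link at the bottom, whereas every other reference hunk in this change appends new links after the existing ones. Appending both here (and in the matching `iam-create-user-login-profile/main.go` hunk, which makes the same split insertion) keeps the lists consistent and the diff minimal.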
diff --git a/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md b/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md
index fef2e1e86..82f863159 100755
--- a/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md
+++ b/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md
@@ -58,10 +58,10 @@ Identify when a trust anchor is created, through CloudTrail's CreateTrustA
The following CloudTrail events are generated when this technique is detonated[^1]:
-- `rolesanywhere:CreateProfile`
-
- `rolesanywhere:CreateTrustAnchor`
+- `rolesanywhere:CreateProfile`
+
??? "View raw detonation logs"
diff --git a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.go b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.go
index 61432f1f8..16dd244d7 100644
--- a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.go
+++ b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.go
@@ -43,6 +43,8 @@ Detonation:
References:
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
- https://aws.amazon.com/blogs/security/how-to-use-the-batchgetsecretsvalue-api-to-improve-your-client-side-applications-with-aws-secrets-manager/
`,
Detection: `
diff --git a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
index f9eed702f..ef0790158 100644
--- a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
+++ b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.go
@@ -30,6 +30,11 @@ Detonation:
- Enumerate the secrets through secretsmanager:ListSecrets
- Retrieve each secret value, one by one through secretsmanager:GetSecretValue
+
+References:
+
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
`,
Detection: `
Identify principals retrieving a high number of secrets, through CloudTrail's GetSecretValue event.
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
index d3ab00162..e7db46a4c 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -30,13 +30,14 @@ Detonation:
References:
- https://sysdig.com/blog/scarleteel-2-0/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
`,
Detection: `
Through CloudTrail's CreateAccessKey
event. This event can hardly be considered suspicious by itself, unless
correlated with other indicators.
'`,
- Platform: stratus.AWS,
-
+ Platform: stratus.AWS,
+
IsIdempotent: false, // iam:CreateAccessKey can only be called twice (limit of 2 access keys per user)
MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation},
PrerequisitesTerraformCode: tf,
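Review bot: the context line closing the `Detection` raw string reads `'` followed by the backtick and comma, so a stray single quote is part of the detection text and ends up in the rendered description ("correlated with other indicators.\n'"); since this hunk already touches the adjacent lines, drop that apostrophe here. Also note that the `Platform: stratus.AWS,` removal and re-addition is a whitespace-only change (identical text on both sides), presumably a gofmt alignment fix; that is fine, but worth a mention in the commit message so reviewers do not look for a semantic change.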
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
index 49606c975..d15ee1d52 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-admin-user/main.go
@@ -34,6 +34,9 @@ References:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
+- https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/
+- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
`,
Detection: `
Through CloudTrail's CreateUser
, AttachUserPolicy
and CreateAccessKey
events.
diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
index aa3e27132..a99450332 100644
--- a/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
+++ b/v2/internal/attacktechniques/aws/persistence/iam-create-user-login-profile/main.go
@@ -32,10 +32,12 @@ Detonation:
References:
+- https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
+- https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
`,
Detection: `
Through CloudTrail's CreateLoginProfile
or UpdateLoginProfile
events.