CreateStack
Event
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
Security Context
- Infrastructure-as-code deployments can be abused to provision malicious resources or modify existing configurations at scale.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Execution, Persistence
Techniques:
- T1072 — Software Deployment Tools — Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine adminis...
- T1059 — Command and Scripting Interpreter — Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.