MITRE Map

MITRE ATT&CK Map

Events grouped by tactic and cloud provider. Click any event to go to its detail page, or click a tactic header to see all events under that tactic.

Initial Access 9 events

AWS 8

AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity AuthorizeSecurityGroupIngress ConsoleLogin GetFederationToken GetSigninToken PasswordRecoveryRequested

GCP 1

compute.instances.addAccessConfig

Execution 24 events

AWS 12

AddPermission20150331v2 CreateStack EnableSerialConsoleAccess Invoke ModifyInstanceAttribute ResumeSession SendCommand SendSerialConsoleSSHPublicKey StartBuild StartSession UpdateFunctionCode20150331v2 UpdateFunctionConfiguration20150331v2

Azure 9

Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/runbooks/write Microsoft.Automation/automationAccounts/webhooks/action Microsoft.Automation/automationAccounts/webhooks/write Microsoft.Compute/virtualMachines/extensions/write Microsoft.Compute/virtualMachines/runCommand/action Microsoft.Compute/virtualMachines/write (CustomScriptExtension) Microsoft.ContainerService/managedClusters/runCommand/action Microsoft.SerialConsole/serialPorts/connect/action

GCP 3

Compute.instances.setMetadata compute.projects.setCommonInstanceMetadata google.ssh-serialport.v1.connect

Persistence 78 events

AWS 37

AddPermission20150331v2 AddRoleToInstanceProfile AddUserToGroup AttachGroupPolicy AttachRolePolicy AttachUserPolicy ChangePassword CreateAccessEntry CreateAccessKey CreateAccount CreateAssociation CreateKeyPair CreateLoginProfile CreateOpenIDConnectProvider CreatePolicy CreateRole CreateSAMLProvider CreateStack CreateUser CreateVirtualMFADevice DeleteVirtualMFADevice EnableRegion ImportKeyPair PassRole PutGroupPolicy PutImage PutRolePolicy PutRule PutTargets PutUserPolicy ReplaceIamInstanceProfileAssociation SendSSHPublicKey UpdateAccessKey UpdateAssumeRolePolicy UpdateFunctionCode20150331v2 UpdateFunctionConfiguration20150331v2 UpdateLoginProfile

Azure 27

Add App Role Assignment To Service Principal Add Application Add Eligible Member To Role In Pim Completed Add Federated Identity Credential Add Member To Role Add Owner To Application Add Role Definition Add Service Principal Add User Add Verified Domain Admin Registered Security Info Consent To Application Disable Strong Authentication Invite External User Microsoft.Authorization/roleAssignments/write Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/runbooks/write Microsoft.Automation/automationAccounts/webhooks/write Microsoft.Compute/sshPublicKeys/write Microsoft.Compute/virtualMachines/extensions/write Microsoft.Compute/virtualMachines/write (CustomScriptExtension) Microsoft.Directory/groups/members/update Microsoft.Directory/servicePrincipals/credentials/update Microsoft.ManagedIdentity/userAssignedIdentities/assign/action Reset User Password Update Role Definition Update User Authentication Methods

GCP 14

add-iam-policy-binding compute.disks.setIamPolicy Compute.instances.setMetadata compute.projects.setCommonInstanceMetadata CreateRole EnableServiceAccount google.iam.admin.v1.CreateServiceAccountKey google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy google.iam.admin.v1.UploadServiceAccountKey iam.roles.update iam.serviceAccountKeys.create storage.hmacKeys.create users.importSshPublicKey users.sshPublicKeys.patch

Privilege Escalation 64 events

AWS 35

AddRoleToInstanceProfile AddUserToGroup AssociateIamInstanceProfile AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity AttachGroupPolicy AttachRolePolicy AttachUserPolicy CreateAccessEntry CreateDevEndpoint CreateLoginProfile CreateOpenIDConnectProvider CreatePolicy CreatePolicyVersion CreateRole CreateSAMLProvider CreateServiceLinkedRole DeleteRolePermissionsBoundary DeleteRolePolicy DeleteUserPermissionsBoundary DeleteUserPolicy DetachRolePolicy DetachUserPolicy GetFederationToken GetSessionToken PassRole PutGroupPolicy PutKeyPolicy PutRolePolicy PutUserPolicy ReplaceIamInstanceProfileAssociation SetDefaultPolicyVersion UpdateAssumeRolePolicy UpdateDevEndpoint

Azure 16

Add App Role Assignment To Service Principal Add Application Add Eligible Member To Role In Pim Completed Add Member To Role Add Owner To Application Add Owner To Group Add Role Definition Add Service Principal Consent To Application Microsoft.Authorization/elevateAccess/action Microsoft.Authorization/roleAssignments/write Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.Directory/groups/members/update Microsoft.Directory/servicePrincipals/credentials/update Microsoft.ManagedIdentity/userAssignedIdentities/assign/action Update Role Definition

GCP 13

add-iam-policy-binding compute.disks.setIamPolicy compute.instances.setServiceAccount CreateRole EnableServiceAccount generateAccessToken google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy iam.roles.update iam.serviceAccountKeys.implicitDelegation iam.serviceAccounts.actAs iam.serviceAccounts.getAccessToken iam.serviceAccounts.signJwt storage.setIamPermissions

Defense Evasion 97 events

AWS 58

ArchiveFindings AuthorizeDBSecurityGroupIngress AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreateFilter CreateIPSet CreateNetworkAclEntry DeactivateMFADevice DeleteAccessKey DeleteAlarms DeleteBucket DeleteBucketPolicy DeleteConfigRule DeleteConfigurationRecorder DeleteDeliveryChannel DeleteDetector DeleteEventDataStore DeleteFlowLogs DeleteLogGroup DeleteLoginProfile DeleteLogStream DeleteMembers DeleteNetworkAcl DeleteNetworkAclEntry DeleteRolePermissionsBoundary DeleteRolePolicy DeleteRuleGroup DeleteTrail DeleteUser DeleteUserPermissionsBoundary DeleteUserPolicy DeleteWebACL DetachRolePolicy DetachUserPolicy DisassociateFromMasterAccount DisassociateMembers EnableRegion LeaveOrganization ModifyImageAttribute ModifyInstanceAttribute PutBucketAcl PutBucketLifecycle PutBucketLifecycleConfiguration PutBucketPolicy PutBucketPublicAccessBlock PutEventSelectors PutRolePermissionsBoundary PutUserPermissionsBoundary RemoveAccountFromOrganization ScheduleKeyDeletion StopConfigurationRecorder StopLogging StopMonitoringMembers TerminateInstances UpdateDetector UpdateFindingsFeedback UpdateIPSet UpdateTrail

Azure 24

Microsoft.Authorization/locks/delete Microsoft.Compute/virtualMachines/delete Microsoft.EventHub/namespaces/eventhubs/delete Microsoft.HybridCompute/machines/extensions/delete Microsoft.Insights/activityLogAlerts/delete Microsoft.Insights/diagnosticSettings/delete Microsoft.Insights/metricAlerts/delete Microsoft.KeyVault/vaults/delete Microsoft.KeyVault/vaults/secrets/delete Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkSecurityGroups/securityRules/write Microsoft.Network/networkWatchers/flowLogs/delete Microsoft.OperationalInsights/workspaces/delete Microsoft.RecoveryServices/vaults/backupProtectedItems/delete Microsoft.Security/alertsSuppressionRules/write Microsoft.Security/autoProvisioningSettings/write Microsoft.Security/pricings/write Microsoft.Security/securitySolutions/delete Microsoft.Storage/storageAccounts/delete Microsoft.Storage/storageAccounts/stopLogging/action Update Conditional Access Policy Update named location Update User Authentication Methods VaultPatch

GCP 15

compute.firewalls.delete compute.firewalls.patch google.cloud.securitycenter.v1.SecurityCenter.SetMute google.iam.admin.v1.DeleteServiceAccountKey google.logging.v2.ConfigServiceV2.DeleteLog google.logging.v2.ConfigServiceV2.UpdateExclusion logging.projects.exclusions.create logging.sinks.delete logging.sinks.update secretmanager.secrets.delete SecretManagerService.DestroySecretVersion Securitycenter.settings.update Securitycenter.sources.delete storage.buckets.delete storage.setIamPermissions

Credential Access 34 events

AWS 11

ChangePassword CreateAccessKey GetAuthorizationToken GetFederationToken GetParameters GetPasswordData GetSecretValue GetSessionToken GetSigninToken PasswordRecoveryRequested UpdateLoginProfile

Azure 17

Microsoft.AppConfiguration/configurationStores/listKeys/action Microsoft.Automation/automationAccounts/credentials/read Microsoft.Batch/batchAccounts/listKeys/action Microsoft.ContainerRegistry/registries/listCredentials/action Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Microsoft.Directory/servicePrincipals/credentials/update Microsoft.KeyVault/vaults/accessPolicies/write Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/secrets/read Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/regenerateKey/action Microsoft.Web/sites/host/listKeys/action VaultPatch

GCP 6

generateAccessToken google.iam.admin.v1.CreateServiceAccountKey iam.serviceAccountKeys.create iam.serviceAccounts.getAccessToken iam.serviceAccounts.signJwt SecretManagerService.AccessSecretVersion

Discovery 16 events

AWS 2

GetParameters GetSecretValue

Azure 13

Microsoft.AppConfiguration/configurationStores/listKeys/action Microsoft.Automation/automationAccounts/credentials/read Microsoft.Batch/batchAccounts/listKeys/action Microsoft.ContainerRegistry/registries/listCredentials/action Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/secrets/read Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Web/sites/host/listKeys/action

GCP 1

SecretManagerService.AccessSecretVersion

Lateral Movement 25 events

AWS 12

AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity CreateKeyPair EnableSerialConsoleAccess GetSigninToken ImportKeyPair ResumeSession SendCommand SendSerialConsoleSSHPublicKey SendSSHPublicKey StartSession

Azure 6

Microsoft.Compute/sshPublicKeys/write Microsoft.Compute/virtualMachines/runCommand/action Microsoft.ContainerService/managedClusters/runCommand/action Microsoft.Network/networkSecurityGroups/securityRules/write Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write Microsoft.SerialConsole/serialPorts/connect/action

GCP 7

Compute.instances.setMetadata compute.projects.setCommonInstanceMetadata google.ssh-serialport.v1.connect iam.serviceAccountKeys.implicitDelegation iam.serviceAccounts.actAs users.importSshPublicKey users.sshPublicKeys.patch

Collection 20 events

AWS 13

CopyObject CreateDBSnapshot CreateImage CreateInstanceExportTask CreateSnapshot DeleteBucketPolicy GetObject ModifyDBSnapshotAttribute ModifyImageAttribute ModifySnapshotAttribute SharedSnapshotCopyInitiated SharedSnapshotVolumeCreated StartExportTask

Azure 4

CopyBlob Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/beginGetAccess/action Microsoft.Sql/servers/databases/export/action

GCP 3

bigquery.jobs.insert cloudsql.instances.export storage.setIamPermissions

Exfiltration 24 events

AWS 18

AuthorizeSecurityGroupEgress CopyObject CreateDBSnapshot CreateImage CreateInstanceExportTask CreateSnapshot GetObject ModifyDBInstance ModifyDBSnapshotAttribute ModifyImageAttribute ModifySnapshotAttribute PutBucketAcl PutBucketPolicy PutBucketReplication RestoreDBInstanceFromDBSnapshot SharedSnapshotCopyInitiated SharedSnapshotVolumeCreated StartExportTask

Azure 4

CopyBlob Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/beginGetAccess/action Microsoft.Sql/servers/databases/export/action

GCP 2

bigquery.jobs.insert cloudsql.instances.export

Impact 35 events

AWS 19

ChangePassword DeleteAccessKey DeleteBucket DeleteDBCluster DeleteDBInstance DeleteFileSystem DeleteGlobalCluster DeleteLoginProfile DeleteObject DeleteObjects DeleteSnapshot DeleteUser DeleteVolume DisableKey PutBucketLifecycle PutBucketLifecycleConfiguration ScheduleKeyDeletion TerminateInstances UpdateLoginProfile

Azure 11

Microsoft.Authorization/roleAssignments/delete Microsoft.Compute/virtualMachines/delete Microsoft.EventHub/namespaces/eventhubs/delete Microsoft.KeyVault/vaults/delete Microsoft.KeyVault/vaults/secrets/delete Microsoft.OperationalInsights/workspaces/delete Microsoft.RecoveryServices/vaults/backupProtectedItems/delete Microsoft.Sql/servers/databases/delete Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/delete Microsoft.Storage/storageAccounts/regenerateKey/action

GCP 5

google.iam.admin.v1.DeleteServiceAccount secretmanager.secrets.delete SecretManagerService.DestroySecretVersion storage.buckets.delete storage.objects.delete