Catalogue · 6 chains · 28 techniques · last commit ab12fc · 2 days ago
peer-reviewed · open source
Attack catalogue

Six chains. Every step published, audited, reproducible.

Each scenario is a Pulumi stack, a peer-reviewed boto3 module, and a runnable chain. We publish the technique map, the CloudTrail it produces, and the detection rule that should catch it.

§01 · Critical · ~12s median run

AttachRolePolicy chain

A leaked IAM user assumes a role that holds iam:AttachRolePolicy on itself, then attaches AdministratorAccess to that role. One of the most frequently seen privilege-escalation paths in real breach forensics.

Techniques: T1548.005 · T1098 · T1078.004 · T1550.001

1. IAM user: u/maint-bot
2. Role assumed: sts:AssumeRole
3. AdminAccess attached: iam:AttachRolePolicy
§02 · Critical · ~1m04s median run

KMS-imported ransomware

Create a new KMS key with externally imported key material, re-encrypt every object in a bucket with it, then delete the imported material. The data is technically intact and absolutely unreadable. CISA put out an alert on this pattern in 2024.

Techniques: T1486 · T1485 · T1548.005 · T1578

1. Create external KMS key: kms:CreateKey with origin=EXTERNAL
2. Re-encrypt S3 objects: s3:CopyObject with the new SSE-KMS key
3. Delete imported material: kms:DeleteImportedKeyMaterial
§03 · High · ~42s median run

S3 enumeration & exfiltration

List every bucket, identify the readable ones, sweep GetObject across parallel sessions, then exfiltrate to an attacker-controlled bucket in a different region. Matches the Capital One incident-response pattern.

Techniques: T1530 · T1567.002 · T1119 · T1580

1. List buckets and policies: s3:ListAllMyBuckets
2. Parallel GetObject sweep: 12 sessions · 4.2 GB
3. Exfil to attacker bucket: s3:PutObject (cross-region)
§04 · High · ~18s median run

IAM eventual consistency window

An access key is revoked, but IAM propagation takes seconds to minutes. We race that window: open a session before the revocation lands, then run a chain of mutations before the cached credentials are invalidated. Disclosed in 2020, still works.

Techniques: T1078 · T1098 · T1531 · T1528

1. Cache a valid session: boto3.Session before the revoke
2. Trigger revocation: iam:DeleteAccessKey
3. Mutate during the window: iam:DetachRolePolicy · iam:DeleteRole
§05 · Medium · ~31s median run

Service permission mapping

A precursor, not a payload. We sweep iam:SimulatePrincipalPolicy across IAM, EC2, Lambda, RDS and KMS to enumerate exactly which actions a stolen identity can call. Cheap, quiet, and hugely valuable to an attacker.

Techniques: T1087.004 · T1580 · T1526 · T1069.003

1. Enumerate principals: iam:ListUsers · iam:ListRoles
2. Simulate per service: iam:SimulatePrincipalPolicy × 47
3. Build action graph → ./runs/05/graph.json
§06 · High · ~27s median run

CloudTrail blind-spot abuse

Not every API call lands in CloudTrail. We chain a quiet read (e.g. sts:GetCallerIdentity) into a non-logged action, then resume normal traffic. The chain is invisible to detections that rely on CloudTrail alone.

Techniques: T1556.005 · T1078 · T1027

1. Quiet identity check: sts:GetCallerIdentity
2. Non-logged action: (action redacted in catalogue)
3. Resume normal traffic: indistinguishable in the trail

Have a chain we should ship next?

The catalogue is community-driven. Open an RFC on GitHub or email [email protected].
