From 3f6d5e4c2b283057b995521ceffee37d4dbcace2 Mon Sep 17 00:00:00 2001
From: Michael Carenzo <79934822+mikecarenzo@users.noreply.github.com>
Date: Wed, 11 Dec 2024 18:54:28 -0500
Subject: [PATCH] MAPEX-284: Add AWS (v12.12.24) Mappings (#104)

* re-enable azure build
* add AWS 12.12.2024 mappings
* remove print statement
* build all projects
* fix preview build
* increment to 16.1
* re-enable standard build procedure
---
 .github/workflows/build-web.yml | 1 +
 ...aws-12.12.2024_attack-16.1-enterprise.json | 7557 +++++++++++++++++
 src/mappings_explorer/site_builder.py | 13 +-
 3 files changed, 7569 insertions(+), 2 deletions(-)
 create mode 100644 mappings/aws/attack-16.1/aws-12.12.2024/enterprise/aws-12.12.2024_attack-16.1-enterprise.json

diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index 6da3147e..2aae124b 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -36,6 +36,7 @@ jobs:
 - name: Install dependencies
 run: poetry install
 - name: Build Web Site
+ # run: poetry run build-mappings-explorer --url-prefix 'https://mappingsexplorer.z13.web.core.windows.net/${{env.BRANCH_NAME}}/'
 run: poetry run build-mappings-explorer --url-prefix 'https://center-for-threat-informed-defense.github.io/mappings-explorer/'
 - name: Export Download Artifacts
 run: poetry run mapex export ${GITHUB_WORKSPACE}/mappings ${GITHUB_WORKSPACE}/output/data
diff --git a/mappings/aws/attack-16.1/aws-12.12.2024/enterprise/aws-12.12.2024_attack-16.1-enterprise.json b/mappings/aws/attack-16.1/aws-12.12.2024/enterprise/aws-12.12.2024_attack-16.1-enterprise.json
new file mode 100644
index 00000000..a38cdb8f
--- /dev/null
+++ b/mappings/aws/attack-16.1/aws-12.12.2024/enterprise/aws-12.12.2024_attack-16.1-enterprise.json
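Review bot: The line added to the "Build Web Site" step is a commented-out alternate `run:` for the preview build, so switching the site's URL prefix between the preview host and the GitHub Pages host now means editing comments in the workflow rather than configuration; consider selecting the prefix from an `env:` value (for example a variable named along the lines of `URL_PREFIX`, chosen per branch or event) and keeping a single `run: poetry run build-mappings-explorer --url-prefix "$URL_PREFIX"`. The commented line also expands `${{env.BRANCH_NAME}}` directly inside the shell command; where BRANCH_NAME is defined is outside this hunk, but if it is ever derived from an untrusted value such as a pull-request head ref, that pattern is a workflow script-injection hazard, and the safer form is to pass it to the step through `env:` and reference it as `"$BRANCH_NAME"` in the script. If the line is meant to stay as documentation of the preview build, a short comment saying so (e.g. `# Preview build (Azure static site), enabled manually for branch previews`) would make the intent clear to the next maintainer. The enclosing `jobs:` block starts before this hunk.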
@@ -0,0 +1,7557 @@ +{ + "metadata": { + "mapping_version": "", + "technology_domain": "enterprise", + "attack_version": "16.1", + "mapping_framework": "aws", + "mapping_framework_version": "12/12/2024", + "author": null, + "contact": "ctid@mitre-engenuity.org", + "organization": null, + "creation_date": "09/21/2021", + "last_update": "12/11/2024", + "mapping_types": { + "technique_scores": { + "name": "technique_scores", + "description": "" + } + }, + "capability_groups": { + "aws_rds": "AWS RDS", + "aws_config": "AWS Config", + "aws_s3": "AWS S3", + "amazon_guardduty": "Amazon GuardDuty", + "aws_shield": "AWS Shield", + "aws_resource_access_manager": "AWS Resource Access Manager", + "aws_iot_device_defender": "AWS IoT Device Defender", + "aws_organizations": "AWS Organizations", + "aws_cloudendure_disaster_recovery": "AWS CloudEndure Disaster Recovery", + "aws_key_management_service": "AWS Key Management Service", + "amazon_inspector": "Amazon Inspector", + "aws_cloudtrail": "AWS CloudTrail", + "aws_directory_service": "AWS Directory Service", + "aws_artifact": "AWS Artifact", + "amazon_virtual_private_cloud": "Amazon Virtual Private Cloud", + "amazon_cognito": "Amazon Cognito", + "aws_web_application_firewall": "AWS Web Application Firewall", + "amazon_detective": "Amazon Detective", + "aws_cloudwatch": "AWS CloudWatch", + "aws_security_hub": "AWS Security Hub", + "aws_firewall_manager": "AWS Firewall Manager", + "aws_identity_and_access_management": "AWS Identity and Access Management", + "aws_certificate_manager": "AWS Certificate Manager", + "aws_secrets_manager": "AWS Secrets Manager", + "aws_network_firewall": "AWS Network Firewall", + "aws_single_sign-on": "AWS Single Sign-On", + "aws_audit_manager": "AWS Audit Manager", + "aws_cloudhsm": "AWS CloudHSM", + "aws_security_lake": "AWS Security Lake", + "amazon_macie": "Amazon Macie" + } + }, + "mapping_objects": [ + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + 
"mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial protection for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score.", + "references": [ + "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", + "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", + "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1078", + "comments": "Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices and can either prompt users for additional verification or block the sign-in request. 
There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "significant", + "comments": "Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", + "references": [ + "https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html", + "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html", + "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.002", + "attack_object_name": "Password Cracking", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", 
+ "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_cognito", + "capability_description": "Amazon Cognito", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "amazon_cognito", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1020", + "attack_object_name": "Automated Exfiltration", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nBehavior:EC2/TrafficVolumeUnusual Exfiltration:S3/MaliciousIPCaller 
Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.008", + "attack_object_name": "Direct Cloud VM Connections", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1021", + "comments": "GuardDuty findings including UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B can aid in detection of this technique.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1029", + "attack_object_name": "Scheduled Transfer", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nBehavior:EC2/TrafficVolumeUnusual\nAccuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + 
"capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1041", + "attack_object_name": "Exfiltration Over C2 Channel", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following GuardDuty finding type flags events that may indicate adversaries attempting to exfiltrate data, such as sensitive documents.\nBehavior:EC2/TrafficVolumeUnusual\nAccuracy and Coverage is unknown, as this finding flags traffic volume that differs from a baseline.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1046", + "attack_object_name": "Network Service Scanning", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host.\nRecon:EC2/PortProbeEMRUnprotectedPort Recon:EC2/PortProbeUnprotectedPort Recon:EC2/Portscan Impact:EC2/PortSweep", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1048", + "attack_object_name": "Exfiltration Over Alternative Protocol", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The 
following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command-and-control channel.\nTrojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.003", + "attack_object_name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1048", + "comments": "The following GuardDuty finding type flags events where adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.\nTrojan:EC2/DNSDataExfiltration Behavior:EC2/TrafficVolumeUnusual", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1059.009", + "attack_object_name": "Cloud API", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1059", + "comments": "The GuardDuty finding Impact:IAMUser/AnomalousBehavior can aid in the detection of abuse of AWS APIs.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1071", + "attack_object_name": "Application Layer Protocol", + 
"capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Trojan:EC2/DropPoint!DNS Trojan:EC2/DropPoint Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS\n", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1071.001", + "attack_object_name": "Web Protocols", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1071", + "comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1071.002", + "attack_object_name": "File Transfer Protocols", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1071", + "comments": "GuardDuty flags events matching the 
following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1071.003", + "attack_object_name": "Mail Protocols", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1071", + "comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1071.004", + "attack_object_name": "DNS", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1071", + "comments": "GuardDuty flags events matching the following finding types that relate to adversaries attempting to communicate using application layer protocols to avoid detection.\nUnauthorizedAccess:EC2/MaliciousIPCaller.Custom Backdoor:EC2/C&CActivity.B 
Backdoor:EC2/C&CActivity.B!DNS Trojan:EC2/BlackholeTraffic Trojan:EC2/BlackholeTraffic!DNS Trojan:EC2/DropPoint Trojan:EC2/DropPoint!DNS Backdoor:EC2/C&CActivity.B Impact:EC2/MaliciousDomainRequest.Reputation Impact:EC2/SuspiciousDomainRequest.Reputation", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty implements a finding that flags occurrences unattended behavior from an IAM User in the Account.\nPenTest:IAMUser/KaliLinux, PenTest:IAMUser/ParrotLinux, PenTest:IAMUser/PentooLinux, Policy:IAMUser/RootCredentialUsage, PrivilegeEscalation:IAMUser/AdministrativePermissions, UnauthorizedAccess:IAMUser/ConsoleLogin, UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B, UnauthorizedAccess:IAMUser/MaliciousIPCaller, UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/TorIPCaller, Policy:S3/AccountBlockPublicAccessDisabled, Policy:S3/BucketAnonymousAccessGranted, Policy:S3/BucketBlockPublicAccessDisabled, Policy:S3/BucketPublicAccessGranted, CredentialAccess:IAMUser/AnomalousBehavior, DefenseEvasion:IAMUser/AnomalousBehavior, Discovery:IAMUser/AnomalousBehavior, Exfiltration:IAMUser/AnomalousBehavior, Impact:IAMUser/AnomalousBehavior, Persistence:IAMUser/AnomalousBehavior, Recon:IAMUser/MaliciousIPCaller, Recon:IAMUser/MaliciousIPCaller.Custom, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + 
"mapping_type": "technique_scores", + "attack_object_id": "T1078.001", + "attack_object_name": "Default Accounts", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1078", + "comments": "Listed findings above flag instances where there are indications of account compromise.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1078", + "comments": "Listed findings above flag instances where there are indications of account compromise.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1090", + "attack_object_name": "Proxy", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nUnauthorizedAccess:EC2/TorClient UnauthorizedAccess:EC2/TorRelay\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": 
"technique_scores", + "attack_object_id": "T1090.001", + "attack_object_name": "Internal Proxy", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1090", + "comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.002", + "attack_object_name": "External Proxy", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1090", + "comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.003", + "attack_object_name": "Multi-hop Proxy", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1090", + "comments": "The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection 
proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.\nDue to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1098", + "attack_object_name": "Account Manipulation", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty has a finding types that flag events where an adversary may have compromised an AWS IAM User. Finding Type: Persistence:IAMUser/AnomalousBehavior", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.001", + "attack_object_name": "Additional Cloud Credentials", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1098", + "comments": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.004", + "attack_object_name": "SSH Authorized Keys", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": 
"T1098", + "comments": "The Persistence:IAMUser/AnomalousBehavior finding can detect anomalous API requests that can be used by adversaries to maintain persistence such as CreateAccessKey, ImportKeyPair.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "amazon_guardduty", + 
"score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1189", + "attack_object_name": "Drive-by Compromise", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "There is a GuardDuty Finding that flags this behavior: Trojan:EC2/DriveBySourceTraffic!DNS", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the 
resource).\nUnauthorizedAccess:EC2/MetadataDNSRebind - This finding type only detects MetadataDNSRebind and is more focused on the EC2 instance and not the application running on the instance itself resulting in Minimal coverage.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding type flags events where adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nImpact:S3/MaliciousIPCaller, Impact:IAMUser/AnomalousBehavior Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1486", + "attack_object_name": "Data Encrypted for Impact", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding type flags events where adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system 
and network resources.\nImpact:S3/MaliciousIPCaller Stealth:S3/ServerAccessLoggingDisabled UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller PenTest:S3/PentooLinux PenTest:S3/ParrotLinux PenTest:S3/KaliLinux", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1491", + "attack_object_name": "Defacement", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial. 
", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.001", + "attack_object_name": "Internal Defacement", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1491", + "comments": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.002", + "attack_object_name": "External Defacement", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1491", + "comments": "The following finding types can be used to detect behavior that can lead to the defacement of\ncloud resources:\nImpact:S3/MaliciousIPCaller\nExfiltration:S3/MaliciousIPCaller\nExfiltration:S3/ObjectRead.Unusual\nPenTest:S3/KaliLinux\nPenTest:S3/ParrotLinux\nPenTest:S3/PentooLinux\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom\nUnauthorizedAccess:S3/TorIPCaller", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1496", + "attack_object_name": "Resource Hijacking", + 
"capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.\nCryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1498", + "attack_object_name": "Network Denial of Service", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.001", + "attack_object_name": "Direct Network Flood", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1498", + 
"comments": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.002", + "attack_object_name": "Reflection Amplification", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1498", + "comments": "The following finding types in GuardDuty flag events where adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\nBackdoor:EC2/DenialOfService.UdpOnTcpPorts Backdoor:EC2/DenialOfService.UnusualProtocol Backdoor:EC2/DenialOfService.Udp Backdoor:EC2/DenialOfService.Tcp Backdoor:EC2/DenialOfService.Dns", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1526", + "attack_object_name": "Cloud Service Discovery", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty flags events where there is an attempt to discover information about resources. 
GuardDuty monitors for potential threats and suspicious behavior to discover information about cloud services.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding types flag events where adversaries may have access data objects from improperly secured cloud storage.\nUnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1531", + "attack_object_name": "Account Access Removal", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty Finding type flags events where adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nImpact:IAMUser/AnomalousBehavior", + "references": [ + 
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides minimal to partial coverage for a minority of this technique's sub-techniques, and without specific coverage for its procedures, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.001", + "attack_object_name": "Credentials In Files", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1552", + "comments": "The following finding types in Amazon GuardDuty can be used to identify potentially malicious interactions with S3 which may lead to the compromise of any credential files stored in S3: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller\nThe score is capped at Partial since the findings only apply to credential files stored within S3 buckets and only certain types of suspicious behaviors.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + 
"capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.005", + "attack_object_name": "Cloud Instance Metadata API", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1552", + "comments": "The UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding type flags attempts to run AWS API operations from a host outside of EC2 using temporary AWS credentials that were created on an EC2 instance in your AWS environment. This may indicate that the temporary credentials have been compromised. Score is capped at Minimal because external use is required for detection.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair Defenses", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty flags the following finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as, DeleteFlowLogs, DisableAlarmActions, or StopLogging. 
The following Finding types are examples:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.001", + "attack_object_name": "Disable or Modify Tools", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1562", + "comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.006", + "attack_object_name": "Indicator Blocking", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1562", + "comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller 
Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.008", + "attack_object_name": "Disable Cloud Logs", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1562", + "comments": "The following GuardDuty findings provide indicators of malicious activity in defense measures:\nStealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller\n\n \"Amazon GuardDuty is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in GuardDuty.\"", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/logging-using-cloudtrail.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1565", + "attack_object_name": "Data Manipulation", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding type flags events where adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity.\nImpact:S3/MaliciousIPCaller", + "references": [ + 
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.001", + "attack_object_name": "Stored Data Manipulation", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1565", + "comments": "The Impact:S3/MaliciousIPCaller finding type is looking for API calls commonly associated with Impact tactic of techniques where an adversary is trying to manipulate, interrupt, or destroy data within your AWS environment.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1566", + "attack_object_name": "Phishing", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty implements a finding type that flags/alerts when an EC2 service queries a Domain known to be tied to a phishing attack.\nTrojan:EC2/PhishingDomainRequest!DNS", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1566.001", + "attack_object_name": "Spearphishing Attachment", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1566", + "comments": "The domain associated with phishing can be delivered by various means these 
sub-techniques are added to the mapping and scoring of this Security service.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1566.002", + "attack_object_name": "Spearphishing Link", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1566", + "comments": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1566.003", + "attack_object_name": "Spearphishing via Service", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1566", + "comments": "The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1567", + "attack_object_name": "Exfiltration Over Web Service", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", + "references": [ + 
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1567.001", + "attack_object_name": "Exfiltration to Code Repository", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1567", + "comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1567.002", + "attack_object_name": "Exfiltration to Cloud Storage", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1567", + "comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1567.003", + "attack_object_name": "Exfiltration to Text Storage Sites", + "capability_group": "amazon_guardduty", + 
"score_category": "detect", + "score_value": "partial", + "related_score": "T1567", + "comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1567.004", + "attack_object_name": "Exfiltration Over Webhook", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1567", + "comments": "The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.\nExfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1568", + "attack_object_name": "Dynamic Resolution", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\nTrojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + 
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1568.002", + "attack_object_name": "Domain Generation Algorithms", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1568", + "comments": "GuardDuty has the following finding types to flag events where adversaries may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.\nTrojan:EC2/DGADomainRequest.B Trojan:EC2/DGADomainRequest.C!DNS", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1571", + "attack_object_name": "Non-Standard Port", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "GuardDuty has the following finding type to flag events where adversaries may communicate using a protocol and port paring that are typically not associated.\nBehavior:EC2/NetworkPortUnusual", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1580", + "attack_object_name": "Cloud Infrastructure Discovery", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a 
malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems.\nDiscovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1595", + "attack_object_name": "Active Scanning", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "Documentation states that the Service can flag such attempts: Reconnaissance -- Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP. Note: This is from the perspective of the resource running in the AWS account. 
Meaning GuardDuty has several finding types that flag events that take place via a resource (e.g., EC2, IAM, S3).", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan", + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.001", + "attack_object_name": "Scanning IP Blocks", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1595", + "comments": "There are a few finding types offered by GuardDuty that flag this behavior: Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.002", + "attack_object_name": "Vulnerability Scanning", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1595", + "comments": "There are finding types that show when an EC2 instance is probing other AWS resources for information. 
Recon:EC2/PortProbeEMRUnprotectedPort, Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/Portscan, Impact:EC2/PortSweep", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1619", + "attack_object_name": "Cloud Storage Object Discovery", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "The GuardDuty finding Discovery:IAMUser/AnomalousBehavior can be used to detect this technique.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1622", + "attack_object_name": "Debugger Evasion", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "Amazon GuardDuty finding DefenseEvasion:Runtime/PtraceAntiDebugging can aid in the detection of a specific type of Debugger Evasion.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug" + ], + "status": "complete" + }, + { + "capability_id": "amazon_guardduty", + "capability_description": "Amazon GuardDuty", + "mapping_type": "technique_scores", + "attack_object_id": "T1649", + "attack_object_name": "Steal or Forge Authentication Certificates", + "capability_group": "amazon_guardduty", + "score_category": "detect", + "score_value": "partial", + "comments": "Amazon GuardDuty finding AttackSequence:IAM/CompromisedCredentials can aid in the detection of compromised credentials.", + "references": [ + "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-iam-compromised-credentials" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + 
"capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1003", + "attack_object_name": "OS Credential Dumping", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1003.007", + "attack_object_name": "Proc Filesystem", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1003", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1003.008", + "attack_object_name": "/etc/passwd and /etc/shadow", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1003", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1021", + "attack_object_name": "Remote Services", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows), it only restricts access to remote services for one user account, and only supports one sub-technique, the coverage score is Minimal leading to an overall Minimal score.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.004", + "attack_object_name": "SSH", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1021", + "comments": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1037", + "attack_object_name": "Boot or Logon Initialization Scripts", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1037.004", + "attack_object_name": "RC Scripts", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1037", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1046", + "attack_object_name": "Network Service Scanning", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. 
", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1053", + "attack_object_name": "Scheduled Task/Job", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1053.001", + "attack_object_name": "At (Linux)", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1053", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1053.003", + "attack_object_name": "Cron", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1053", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1053.006", + "attack_object_name": "Systemd Timers", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1053", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1068", + "attack_object_name": "Exploitation for Privilege Escalation", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. 
As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070", + "attack_object_name": "Indicator Removal on Host", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.002", + "attack_object_name": "Clear Linux or Mac System Logs", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.003", + "attack_object_name": "Clear Command History", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.004", + "attack_object_name": "File Deletion", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.005", + "attack_object_name": "Network Share Connection Removal", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.006", + "attack_object_name": "Timestomp", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.007", + "attack_object_name": "Clear Network Connection History and Configurations", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.008", + "attack_object_name": "Clear Mailbox Data", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1070.009", + "attack_object_name": "Clear Persistence", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1070", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.002", + "attack_object_name": "Password Cracking", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. 
Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. 
Specific security controls it can assess include \"Disable password authentication over SSH\", \"Configure password maximum age\", \"Configure password minimum length\", and \"Configure password complexity\" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1133", + "attack_object_name": "External Remote Services", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, \"Disable root login over SSH\". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. 
Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1189", + "attack_object_name": "Drive-by Compromise", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. 
As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1203", + "attack_object_name": "Exploitation for Client Execution", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess a security control \"Support SSH version 2 only\" that prevents the use of a vulnerable version of SSH from being used as well as assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. 
As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1211", + "attack_object_name": "Exploitation for Defense Evasion", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1212", + "attack_object_name": "Exploitation for Credential Access", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. 
Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for \"Enable Address Space Layout Randomization (ASLR)\" and \"Enable Data Execution Prevention (DEP)\" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1222", + "attack_object_name": "File and Directory Permissions Modification", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1222.002", + "attack_object_name": "Linux and Mac File and Directory Permissions Modification", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1222", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this the score is capped at Partial. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1489", + "attack_object_name": "Service Stop", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1529", + "attack_object_name": "System Shutdown/Reboot", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1543", + "attack_object_name": "Create or Modify System Process", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1543.002", + "attack_object_name": "Systemd Service", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1543", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1548", + "attack_object_name": "Abuse Elevation Control Mechanism", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1548.003", + "attack_object_name": "Sudo and Sudo Caching", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1548", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair Defenses", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.001", + "attack_object_name": "Disable or Modify Tools", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1562", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/user/disaster-recovery-resiliency.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.003", + "attack_object_name": "Impair Command History Logging", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1562", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [ + "https://docs.aws.amazon.com/inspector/v1/userguide/inspector_security-best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.004", + "attack_object_name": "Disable or Modify System Firewall", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1562", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/v1/userguide/inspector_security-best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.006", + "attack_object_name": "Indicator Blocking", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1562", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. 
Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/v1/userguide/inspector_security-best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1595", + "attack_object_name": "Active Scanning", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.001", + "attack_object_name": "Scanning IP Blocks", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). 
Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.002", + "attack_object_name": "Vulnerability Scanning", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components rather reports on vulnerabilities that it identifies which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1599", + "attack_object_name": "Network Boundary Bridging", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. 
Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. ", + "references": [ + "https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_inspector", + "capability_description": "Amazon Inspector", + "mapping_type": "technique_scores", + "attack_object_id": "T1599.001", + "attack_object_name": "Network Address Translation Traversal", + "capability_group": "amazon_inspector", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1599", + "comments": "The Amazon Inspector Best Practices assessment package can assess security control \"Configure permissions for system directories\" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1008", + "attack_object_name": "Fallback Channels", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate an adversary utilizing a fallback or alternative communication channels. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1018", + "attack_object_name": "Remote System Discovery", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can filter network traffic and therefore can be effective for mitigating network based remote system discovery. 
Other remote system discovery methods such as discovering hosts from local host files are not mitigated resulting in Partial coverage score and an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021", + "attack_object_name": "Remote Services", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can provide partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.001", + "attack_object_name": "Remote Desktop Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.002", + "attack_object_name": "SMB/Windows Admin Shares", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.003", + "attack_object_name": "Distributed Component Object Model", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.004", + "attack_object_name": "SSH", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.005", + "attack_object_name": "VNC", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.006", + "attack_object_name": "Windows Remote Management", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.007", + "attack_object_name": "Cloud Services", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. 
This results in an overall partial (coverage) score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1040", + "attack_object_name": "Network Sniffing", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "comments": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1046", + "attack_object_name": "Network Service Scanning", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "comments": "VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore, can mitigate unauthorized network service scanning.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1048", + "attack_object_name": "Exfiltration Over Alternative Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to external hosts and can therefore provide mitigation of this technique. 
For environments where Internet access is required, these controls can be used to block known malicious addresses. Because this latter protection is limited to known malicious endpoints, it provides Partial coverage resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.001", + "attack_object_name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1048", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.002", + "attack_object_name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1048", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.003", + "attack_object_name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1048", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore protect against adversaries attempting to exfiltrate data using a different protocol than that of the existing command and control channel. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. 
Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1072", + "attack_object_name": "Software Deployment Tools", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to limit access to critical network systems such as software deployment tools.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1090", + "attack_object_name": "Proxy", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. 
It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.001", + "attack_object_name": "Internal Proxy", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1090", + "comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.002", + "attack_object_name": "External Proxy", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1090", + "comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.003", + "attack_object_name": "Multi-hop Proxy", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1090", + "comments": "VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating 
these proxy related sub-techniques.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1095", + "attack_object_name": "Non-Application Layer Protocol", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict external network access to the minimum required and can therefore mitigate adversary attempts to utilize non-application layer protocols for communication. In environments where unrestricted Internet access is required, security groups and NACLs can still be used to block known malicious endpoints. Because in such environments the protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1133", + "attack_object_name": "External Remote Services", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + 
"attack_object_id": "T1199", + "attack_object_name": "Trusted Relationship", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1205", + "attack_object_name": "Traffic Signaling", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can provide significant protection for some variations of this technique, for example Port Knocking. Other variations of this technique such as using traffic signaling to execute a malicious task is not easily mitigated by security groups or NACLs. Consequently, its coverage score is Partial resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1205.001", + "attack_object_name": "Port Knocking", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1205", + "comments": "VPC security groups and network access control lists (NACLs) can protect against this sub-technique by enforcing limited access to only required ports. 
Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the security group or NACL level. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to remote services to the minimum necessary.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1219", + "attack_object_name": "Remote Access Software", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to limit outgoing traffic to only sites and services used by authorized remote access tools. 
This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1482", + "attack_object_name": "Domain Trust Discovery", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1498", + "attack_object_name": "Network Denial of Service", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1499", + "attack_object_name": "Endpoint Denial of Service", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "comments": "VPC security groups and network access control lists (NACLs) provides minimal protection 
for a majority of this control's sub-techniques and procedure examples resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.001", + "attack_object_name": "OS Exhaustion Flood", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.002", + "attack_object_name": "Service Exhaustion Flood", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.003", + "attack_object_name": "Application Exhaustion Flood", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "VPC security groups and network access control lists (NACLs) can be used to 
restrict access to endpoints but will prove effective at mitigating only low-end DOS attacks resulting in a Minimal score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1542", + "attack_object_name": "Pre-OS Boot", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "minimal", + "comments": "VPC security groups and network access control lists (NACLs) can provide partial protection coverage of Pre-OS Boot mechanisms that utilize TFTP boot resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1542.005", + "attack_object_name": "TFTP Boot", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1542", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1557", + "attack_object_name": "Man-in-the-Middle", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "comments": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can mitigate Man-in-the-Middle attacks that manipulate network 
protocol data in transit. VPC Peering can also be utilized to route traffic privately between two VPCs which can reduce the Man-in-the-Middle attack surface. VPC Endpoints can also similarly reduce the attack surface of Man-in-the-Middle attacks by ensuring network traffic between a VPC and supported AWS services are not exposed to the Internet.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1557.001", + "attack_object_name": "LLMNR/NBT-NS Poisoning and SMB Relay", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1557", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1557.002", + "attack_object_name": "ARP Cache Poisoning", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1557", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1557.003", + "attack_object_name": "DHCP Spoofing", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1557", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1565", + "attack_object_name": "Data Manipulation", + 
"capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "The VPC service's support for the AWS Virtual Private Network (VPN) can be used to encrypt traffic traversing over untrusted networks which can provide protection against one sub-technique (Transmitted Data Manipulation) of this technique while not providing protection for its remaining sub-techniques resulting in overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.002", + "attack_object_name": "Transmitted Data Manipulation", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1565", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1570", + "attack_object_name": "Lateral Tool Transfer", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to limit traffic between systems and enclaves to minimum necessary for example via a zero-trust strategy.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1571", + "attack_object_name": "Non-Standard Port", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", 
+ "score_value": "significant", + "comments": "VPC security groups and network access control lists (NACLs) can limit access to the minimum required ports and therefore, protect against adversaries attempting to use non-standard ports for C2 traffic.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1590", + "attack_object_name": "Gather Victim Network Information", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.001", + "attack_object_name": "Domain Properties", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.004", + "attack_object_name": "Network Topology", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.005", + "attack_object_name": "IP Addresses", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. 
WHOIS) resulting in a Partial coverage score and an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.006", + "attack_object_name": "Network Security Appliances", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "VPC security groups and network access control lists (NACLs) can prevent the gathering of victim network information via (active) scanning methods but is not effective against other methods of gathering victim network information such as via Phishing or online databases (e.g. WHOIS) resulting in a Partial coverage score and an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1595", + "attack_object_name": "Active Scanning", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.001", + "attack_object_name": "Scanning IP Blocks", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.002", + "attack_object_name": "Vulnerability Scanning", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic that can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. 
Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1602", + "attack_object_name": "Data from Configuration Repository", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "comments": "VPC security groups and network access control lists (NACLs) can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.", + "references": [ + "https://docs.aws.amazon.com/vpc/latest/userguide/security.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1602.001", + "attack_object_name": "SNMP (MIB Dump)", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1602", + "comments": "Can limit access to client management interfaces or configuration databases.", + "references": [], + "status": "complete" + }, + { + "capability_id": "amazon_virtual_private_cloud", + "capability_description": "Amazon Virtual Private Cloud", + "mapping_type": "technique_scores", + "attack_object_id": "T1602.002", + "attack_object_name": "Network Device Configuration Dump", + "capability_group": "amazon_virtual_private_cloud", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1602", + "comments": "Can limit access to client management interfaces or configuration 
databases.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is destroyed, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1486", + "attack_object_name": "Data Encrypted for Impact", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is encrypted (e.g., ransomware), AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.\n", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1490", + "attack_object_name": "Inhibit System Recovery", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are modified to disrupt recovery, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1491", + "attack_object_name": "Defacement", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2 at the time of this mapping).", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.001", + "attack_object_name": "Internal Defacement", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1491", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.002", + "attack_object_name": "External Defacement", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1491", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1561", + "attack_object_name": "Disk Wipe", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2).", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.html", + "https://aws.amazon.com/disaster-recovery/when-to-choose-aws-drs/?cloud-endure-blogs.sort-by=item.additionalFields.createdDate&cloud-endure-blogs.sort-order=desc" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1561.001", + "attack_object_name": "Disk Content Wipe", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1561", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.html", + "https://aws.amazon.com/disaster-recovery/when-to-choose-aws-drs/?cloud-endure-blogs.sort-by=item.additionalFields.createdDate&cloud-endure-blogs.sort-order=desc" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1561.002", + "attack_object_name": "Disk Structure Wipe", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1561", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that server disks are wiped, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.html", + "https://aws.amazon.com/disaster-recovery/when-to-choose-aws-drs/?cloud-endure-blogs.sort-by=item.additionalFields.createdDate&cloud-endure-blogs.sort-order=desc" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1565", + "attack_object_name": "Data Manipulation", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "minimal", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Minimal because it only supports a subset (1 of 3) of the sub-techniques.\n", + "references": [ + "https://aws.amazon.com/cloudendure-disaster-recovery/", + "https://docs.cloudendure.com/#Configuring_and_Running_Disaster_Recovery/Configuring_and_Running_Disaster_Recovery.htm" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudendure_disaster_recovery", + "capability_description": "AWS CloudEndure Disaster Recovery", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.001", + "attack_object_name": "Stored Data Manipulation", + "capability_group": "aws_cloudendure_disaster_recovery", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1565", + "comments": "AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. 
In the event that data on servers is manipulated, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/cloudhsm/", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.001", + "attack_object_name": "Credentials In Files", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "This service provides a more secure alternative to storing encryption keys in the file system. 
As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.004", + "attack_object_name": "Private Keys", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1552", + "comments": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1553", + "attack_object_name": "Subvert Trust Controls", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "comments": "This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization.", + "references": [ + "https://aws.amazon.com/cloudhsm/", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1553.002", + "attack_object_name": "Code Signing", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1553", + "comments": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these 
sub-techniques.", + "references": [ + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html#certificate-authority" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1553.004", + "attack_object_name": "Install Root Certificate", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1553", + "comments": "Use cases in documentation show that certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", + "references": [ + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html#certificate-authority" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1588", + "attack_object_name": "Obtain Capabilities", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "comments": "This service provides protection against sub-techniques involved with stealing credentials, certificates, keys from the organization.", + "references": [ + "https://aws.amazon.com/cloudhsm/", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-cases.html", + "https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1588.003", + "attack_object_name": "Code Signing Certificates", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1588", + "comments": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", + "references": 
[], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1588.004", + "attack_object_name": "Digital Certificates", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1588", + "comments": "Certificate credentials can be stored in AWS CloudHSM which reduces the attack surface and threat from these sub-techniques.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_cloudhsm", + "capability_description": "AWS CloudHSM", + "mapping_type": "technique_scores", + "attack_object_id": "T1649", + "attack_object_name": "Steal or Forge Authentication Certificates", + "capability_group": "aws_cloudhsm", + "score_category": "protect", + "score_value": "partial", + "comments": "This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudwatch", + "capability_description": "AWS CloudWatch", + "mapping_type": "technique_scores", + "attack_object_id": "T1040", + "attack_object_name": "Network Sniffing", + "capability_group": "aws_cloudwatch", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS CloudWatch uses TLS/SSL connections to communicate with other AWS resources which protects against network sniffing attacks. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudwatch", + "capability_description": "AWS CloudWatch", + "mapping_type": "technique_scores", + "attack_object_id": "T1496", + "attack_object_name": "Resource Hijacking", + "capability_group": "aws_cloudwatch", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks.\nLinux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used\nContainers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization\nThis mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization. 
", + "references": [ + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudwatch", + "capability_description": "AWS CloudWatch", + "mapping_type": "technique_scores", + "attack_object_id": "T1610", + "attack_object_name": "Deploy Container", + "capability_group": "aws_cloudwatch", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metric could be used to detect if an adversary deployed a new container in the environment. \nnode_number_of_running_containers\nThis mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized deployment of a new container. ", + "references": [ + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_cloudwatch", + "capability_description": "AWS CloudWatch", + "mapping_type": "technique_scores", + "attack_object_id": "T1654", + "attack_object_name": "Log Enumeration", + "capability_group": "aws_cloudwatch", + "score_category": "detect", + "score_value": "minimal", + "comments": "CloudWatch can be configured to alarm for monitoring the \"aws-collect-system-logs\" command which could detect this technique. 
However, this command is often used for diagnostics and may lead to false positives.", + "references": [ + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1020", + "attack_object_name": "Automated Exfiltration", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1020.001", + "attack_object_name": "Traffic Duplication", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1020", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and 
\"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1040", + "attack_object_name": "Network Sniffing", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" 
for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that private traffic is routed securely and only within VPCs rather than on the public Internet: \"api-gw-endpoint-type-check\" for Amazon API Gateway APIs, \"elasticsearch-in-vpc-only\" for Amazon ElasticSearch Service domains, and \"redshift-enhanced-vpc-routing-enabled\" for Amazon Redshift cluster traffic.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\" and \"elasticsearch-in-vpc-only\", which are run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic and/or do not have access to traffic within the relevant VPCs, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1053", + "attack_object_name": "Scheduled Task/Job", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": 
"aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1053.007", + "attack_object_name": "Container Orchestration Job", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1053", + "comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to create or modify orchestration jobs. It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1068", + "attack_object_name": "Exploitation for Privilege Escalation", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). 
Both can reduce instances' attack surface for adversary exploitation, including for privilege escalation.\nThe \"ecs-task-definition-user-for-host-mode-check\" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host, increasing their access and privileges.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1078", + 
"comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: \"iam-customer-policy-blocked-kms-actions\", \"iam-inline-policy-blocked-kms-actions\", \"iam-no-inline-policy-check\", \"iam-group-has-users-check\", \"iam-policy-blacklisted-check\", \"iam-policy-no-statements-with-admin-access\", \"iam-policy-no-statements-with-full-access\", \"iam-role-managed-policy-check\", \"iam-user-group-membership-check\", \"iam-user-no-policies-check\", and \"ec2-instance-profile-attached\" are run on configuration changes. \"iam-password-policy\", \"iam-policy-in-use\", \"iam-root-access-key-check\", \"iam-user-mfa-enabled\", \"iam-user-unused-credentials-check\", and \"mfa-enabled-for-iam-console-access\" are run periodically. 
The \"access-keys-rotated\" managed rule ensures that IAM access keys are rotated at an appropriate rate.\nGiven that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1098", + "attack_object_name": "Account Manipulation", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.001", + "attack_object_name": "Additional Cloud Credentials", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1098", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted manipulation of cloud accounts: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". 
All of these controls are run periodically and provide partial coverage, since adversaries may be able to manipulate cloud credentials via other mechanisms, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.005", + "attack_object_name": "Device Registration", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1098", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted device registration: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". All of these controls are run periodically and provide partial coverage, since adversaries may be able to register devices via other mechanisms, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "comments": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", 
+ "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.002", + "attack_object_name": "Password Cracking", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can significantly impede brute force authentication attempts by requiring adversaries to provide a second form of authentication even if they succeed in brute forcing a password via one of these sub-techniques: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\".\nThe \"iam-password-policy\" managed rule can identify insufficient password requirements that should be fixed in order to make brute force authentication more difficult by increasing the complexity of user passwords and decreasing the amount of time before they are rotated, giving adversaries less time to brute force passwords and making it more time consuming and resource intensive to do so. 
This is especially important in the case of Password Cracking, since adversaries in possession of password hashes may be able to recover usable credentials more quickly and do so without generating detectable noise via invalid login attempts.\nAll of these controls are run periodically, but implemented policies are enforced continuously once set and coverage factor is significant, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1119", + "attack_object_name": "Automated Collection", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that storage volumes are encrypted, which may mitigate adversary attempts to automate collection within cloud environments: \"ec2-ebs-encryption-by-default\" which is run periodically and \"encrypted-volumes\" which is run on configuration changes.\nCoverage factor is minimal for these rules, since they are specific to EBS volumes and will only prevent certain forms of collection since adversaries with access to mounted volumes may be able to decrypt their contents, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1136", + "attack_object_name": "Create Account", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial 
coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1136.003", + "attack_object_name": "Cloud Account", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1136", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: \"iam-user-mfa-enabled\", \"mfa-enabled-for-iam-console-access\", \"root-account-hardware-mfa-enabled\", and \"root-account-mfa-enabled\". 
All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that applications intended for internal use cannot be accessed externally for exploitation: \"api-gw-endpoint-type-check\" can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs, \"elasticsearch-in-vpc-only\" can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and the domain endpoint is not public, \"lambda-function-public-access-prohibited\" can verify that AWS Lambda functions are not publicly available, and \"ec2-instance-no-public-ip\" can verify whether EC2 instances have public IP addresses.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). 
The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. \"rds-automatic-minor-version-upgrade-enabled\" can verify that Amazon RDS is being patched, and \"elastic-beanstalk-managed-updates-enabled\" can verify that Elastic Beanstalk is being patched.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1203", + "attack_object_name": "Exploitation for Client Execution", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). 
Both can reduce instances' attack surface for adversary exploitation, including for client execution.\nAll of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1204", + "attack_object_name": "User Execution", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1204.003", + "attack_object_name": "Malicious Image", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1204", + "comments": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: \"approved-amis-by-id\" and \"approved-amis-by-tag\", both of which are run on configuration changes. 
They provide significant coverage, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited), both of which can reduce instances' attack surface for adversary exploitation, including via those applications' exposed remote services. The \"ec2-instance-no-public-ip\" managed rule identifies EC2 instances with public IP associations, which should be removed unless necessary to avoid exposing services publicly for adversary access.\nAll of these are run on configuration changes. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1211", + "attack_object_name": "Exploitation for Defense Evasion", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for defense evasion.\nAll of these are run on configuration changes. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1212", + "attack_object_name": "Exploitation for Credential Access", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The \"ec2-managedinstance-platform-check\" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one).Both can reduce instances' attack surface for adversary exploitation, including for credential access.\nAll of these are run on configuration changes. 
Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include data destruction: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including S3:DeleteObject) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. 
All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of data destruction: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nThe following AWS Config managed rules provide specific detections for configuration problems that should be fixed in order to prevent malicious deletion of specific data: \"elb-deletion-protection-enabled\" for Elastic Block Store (EBS) volumes, and \"rds-cluster-deletion-protection-enabled\" and \"rds-instance-deletion-protection-enabled\" for RDS data.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against destruction, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1486", + "attack_object_name": 
"Data Encrypted for Impact", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious changes to data encryption within Amazon Simple Storage Service (S3) storage: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious changes to data encryption: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect certain types of data against malicious 
encryption changes, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1491", + "attack_object_name": "Defacement", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "comments": "This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.001", + "attack_object_name": "Internal Defacement", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1491", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket 
is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1491.002", + "attack_object_name": "External Defacement", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1491", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions (including 
encryption configuration changes) for principals from other AWS accounts, \"s3-bucket-default-lock-enabled\" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and \"s3-bucket-public-write-prohibited\" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: \"aurora-mysql-backtracking-enabled\" for data in Aurora MySQL; \"db-instance-backup-enabled\" and \"rds-in-backup-plan\" for Amazon Relational Database Service (RDS) data; \"dynamodb-in-backup-plan\" and \"dynamodb-pitr-enabled\" for Amazon DynamoDB table contents; \"ebs-in-backup-plan\" for Elastic Block Store (EBS) volumes; \"efs-in-backup-plan\" for Amazon Elastic File System (EFS) file systems; \"elasticache-redis-cluster-automatic-backup-check\" for Amazon ElastiCache Redis cluster data; \"redshift-backup-enabled\" and \"redshift-cluster-maintenancesettings-check\" for Redshift; \"s3-bucket-replication-enabled\" and \"s3-bucket-versioning-enabled\" for S3 storage; and \"cloudfront-origin-failover-enabled\" for CloudFront.\nCoverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1496", + "attack_object_name": "Resource Hijacking", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to 
ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: \"cloudwatch-alarm-action-check\", \"cloudwatch-alarm-resource-check\", \"cloudwatch-alarm-settings-check\", \"desired-instance-tenancy\", \"desired-instance-type\", \"dynamodb-autoscaling-enabled\", \"dynamodb-throughput-limit-check\", \"ec2-instance-detailed-monitoring-enabled\", and \"rds-enhanced-monitoring-enabled\".\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1498", + "attack_object_name": "Network Denial of Service", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.001", + "attack_object_name": "Direct Network Flood", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + 
"related_score": "T1498", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.002", + "attack_object_name": "Reflection Amplification", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1498", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1499", + "attack_object_name": "Endpoint Denial of Service", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides minimal coverage for this technique's sub-techniques as well as its procedures, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.001", + "attack_object_name": "OS Exhaustion Flood", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.002", + "attack_object_name": "Service Exhaustion Flood", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.003", + "attack_object_name": "Application Exhaustion Flood", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. 
\"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.004", + "attack_object_name": "Application or System Exploitation", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1499", + "comments": "The \"elb-cross-zone-load-balancing-enabled\" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. \"cloudfront-origin-failover-enabled\" can verify that failover policies are in place to increase CloudFront content availability.\nCoverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1525", + "attack_object_name": "Implant Internal Image", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following AWS Config managed rules can identify running instances that are not using AMIs within a specified allow list: \"approved-amis-by-id\" and \"approved-amis-by-tag\", both of which are run on configuration changes. 
This does not provide detection of the image implanting itself, but does provide detection for any subsequent use of images that are implanted and not present within the allow list, resulting in a score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage: \"s3-account-level-public-access-blocks\", \"s3-bucket-level-public-access-prohibited\", \"s3-bucket-public-read-prohibited\", \"s3-bucket-policy-not-more-permissive\", \"cloudfront-origin-access-identity-enabled\", and \"cloudfront-default-root-object-configured\" identify objects that are publicly available or subject to overly permissive access policies; \"s3-bucket-blacklisted-actions-prohibited\" checks whether bucket policies prohibit disallowed actions for principals from other AWS accounts; and \"s3-bucket-policy-grantee-check\" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. 
All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data from other AWS services: \"dms-replication-not-public\" for AWS Database Migration Service; \"emr-master-no-public-ip\" for Amazon Elastic MapReduce (EMR); \"rds-cluster-iam-authentication-enabled\", \"rds-instance-iam-authentication-enabled\", \"rds-instance-public-access-check\" and \"rds-snapshots-public-prohibited\" for Amazon Relational Database Service; \"redshift-cluster-public-access-check\" for Amazon Redshift; and \"sagemaker-notebook-no-direct-internet-access\" for SageMaker.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data are encrypted to prevent malicious access: \"dax-encryption-enabled\", \"dynamodb-table-encrypted-kms\", and \"dynamodb-table-encryption-enabled\" for Amazon DynamoDB table contents; \"efs-encrypted-check\" for Amazon Elastic File System (EFS) file systems; \"elasticsearch-encrypted-at-rest\" for Elasticsearch Service (ES) domains; \"rds-snapshot-encrypted\" and \"rds-storage-encrypted\" for Amazon Relational Database Service; \"s3-bucket-server-side-encryption-enabled\" and \"s3-default-encryption-kms\" for S3 storage; \"sns-encrypted-kms\" for Amazon Simple Notification Service (SNS); \"redshift-cluster-configuration-check\" and \"redshift-cluster-kms-enabled\" for Redshift clusters; \"sagemaker-endpoint-configuration-kms-key-configured\" and \"sagemaker-notebook-instance-kms-key-configured\" for SageMaker.\nThese rules provide a wide range of coverage for many AWS services, especially those most significant to procedures for this technique, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + 
"https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1538", + "attack_object_name": "Cloud Service Dashboard", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "comments": "The \"mfa-enabled-for-iam-console-access\" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS Config managed rules can identify insecure plaintext credentials within specific parts of a cloud environment: \"codebuild-project-envvar-awscred-check\" for credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) stored within environment variables, \"codebuild-project-source-repo-url-check\" for personal access tokens and/or credentials within source repository URLs.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that the contents of secrets in AWS Secrets Manager (including credentials) are properly secured to avoid adversary access: \"secretsmanager-rotation-enabled-check\", 
\"secretsmanager-scheduled-rotation-success-check\", \"secretsmanager-secret-periodic-rotation\", and \"secretsmanager-using-cmk\".\nThis control provides partial coverage for a minority of this technique's sub-techniques, in addition to the parent coverage above, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.001", + "attack_object_name": "Credentials In Files", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious access of data within Amazon Simple Storage Service (S3) storage, which may include files containing credentials: \"s3-account-level-public-access-blocks\", \"s3-bucket-level-public-access-prohibited\", \"s3-bucket-public-read-prohibited\", \"s3-bucket-policy-not-more-permissive\", \"cloudfront-origin-access-identity-enabled\", and \"cloudfront-default-root-object-configured\" identify objects that are publicly available or subject to overly permissive access policies; and \"s3-bucket-policy-grantee-check\" checks whether bucket policies appropriately control which AWS principals, federated users, service principals, IP addresses, and VPCs have access. 
All of these controls are run on configuration changes.\nThe following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that cloud storage data - which may include files containing credentials - are encrypted to prevent malicious access: \"s3-bucket-server-side-encryption-enabled\" and \"s3-default-encryption-kms\" for S3 storage, \"ec2-ebs-encryption-by-default\" and \"encrypted-volumes\" for EBS volumes.\nCoverage factor is partial for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.005", + "attack_object_name": "Cloud Instance Metadata API", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "The \"ec2-imdsv2-check\" managed rule can identify instances which are configured to use the outdated Instance Metadata Service Version 1 (IMDSv1), which is less secure than IMDSv2. 
This provides partial coverage, since adversaries may find ways to exploit the more secure IMDSv2, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.007", + "attack_object_name": "Container API", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to gather credentials via the API. The \"eks-secrets-encrypted\" managed rule can identify configuration problems that should be fixed in order to ensure that Kubernetes secrets (including those containing credentials) are encrypted to prevent malicious access. 
Both controls are run periodically and only provide partial coverage because they are specific to public access and adversaries without the ability to decrypt secrets, respectively, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1557", + "attack_object_name": "Man-in-the-Middle", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "minimal", + "comments": "The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled to protect network traffic: \"acm-certificate-expiration-check\" for nearly expired certificates in AWS Certificate Manager (ACM); \"alb-http-to-https-redirection-check\" for Application Load Balancer (ALB) HTTP listeners; \"api-gw-ssl-enabled\" for API Gateway REST API stages; \"cloudfront-custom-ssl-certificate\", \"cloudfront-sni-enabled\", and \"cloudfront-viewer-policy-https\", for Amazon CloudFront distributions; \"elb-acm-certificate-required\", \"elb-custom-security-policy-ssl-check\", \"elb-predefined-security-policy-ssl-check\", and \"elb-tls-https-listeners-only\" for Elastic Load Balancing (ELB) Classic Load Balancer listeners; \"redshift-require-tls-ssl\" for Amazon Redshift cluster connections to SQL clients; \"s3-bucket-ssl-requests-only\" for requests for S3 bucket contents; and \"elasticsearch-node-to-node-encryption-check\" for Amazon ElasticSearch Service node-to-node communications.\nAll of these are run on configuration changes except \"alb-http-to-https-redirection-check\", which is run periodically. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic. 
This control does not provide specific coverage for this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair Defenses", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides significant coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. \"Detect the use of insecure network services and protocols with known security weaknesses\"", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.001", + "attack_object_name": "Disable or Modify Tools", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1562", + "comments": "The \"ec2-managedinstance-applications-required\" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. It will not detect modification to those applications, but will detect if they are uninstalled. 
The \"ec2-managedinstance-applications-blacklisted\" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-applications-required.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.007", + "attack_object_name": "Disable or Modify Cloud Firewall", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1562", + "comments": "The following AWS Config managed rules can identify potentially malicious changes to cloud firewall status and ensure that a WAF is enabled and enforcing specified ACLs: \"lab-waf-enabled\" for Application Load Balancers; \"api-gw-associated-with-waf\" for Amazon API Gateway API stages; \"cloudfront-associated-with-waf\" for Amazon CloudFront distributions; \"fms-webacl-resource-policy-check\", \"fms-webacl-resource-policy-check\", and \"fms-webacl-rulegroup-association-check\" for AWS Firewall Manager; \"vpc-default-security-group-closed\", \"vpc-network-acl-unused-check\", and \"vpc-sg-open-only-to-authorized-ports\" for VPC security groups; and \"ec2-security-group-attached-to-eni\" for EC2 and ENI security groups; all of which are run on configuration changes.\nThe following AWS Config managed rules can identify specific configuration changes to VPC configuration that may suggest malicious modification to bypass protections: \"internet-gateway-authorized-vpc-only\" can identify Internet gateways 
(IGWs) attached to unauthorized VPCs, which can allow unwanted communication between a VPC and the Internet; \"lambda-inside-vpc\" can identify VPCs that have granted execution access to unauthorized Lambda functions; \"service-vpc-endpoint-enabled\" can verify that endpoints are active for the appropriate services across VPCs; \"subnet-auto-assign-public-ip-disabled\" checks for public IP addresses assigned to subnets within VPCs.\nCoverage factor is significant for these rules, since they cover firewall configuration for and via a wide range of services, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/waf/latest/developerguide/enable-config.html", + "https://docs.aws.amazon.com/config/latest/developerguide/service-integrations.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.008", + "attack_object_name": "Disable Cloud Logs", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1562", + "comments": "The following AWS Config managed rules can identify potentially malicious changes to cloud logging: \"api-gw-execution-logging-enabled\", \"cloudfront-accesslogs-enabled\", \"elasticsearch-logs-to-cloudwatch\", \"elb-logging-enabled\", \"redshift-cluster-configuration-check\", \"rds-logging-enabled\", and \"s3-bucket-logging-enabled\" are run on configuration changes. \"cloudtrail-security-trail-enabled\", \"cloud-trail-cloud-watch-logs-enabled\", \"cloudtrail-s3-dataevents-enabled\", \"vpc-flow-logs-enabled\", \"waf-classic-logging-enabled\", and \"wafv2-logging-enabled\" are run periodically.\nCoverage factor is significant for these rules, since they cover logging configuration for a wide range of services, resulting in an overall score of Significant. 
\n\n\"AWS Config is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Config. \"", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/security-logging-and-monitoring.html", + "https://docs.aws.amazon.com/config/latest/developerguide/log-api-calls.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1578.005", + "attack_object_name": "Modify Cloud Compute Configurations", + "capability_group": "aws_config", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1578", + "comments": "AWS Config managed rules can periodically evaluate resource configurations to provide partial detection coverage for Cloud Compute Configuration changes.", + "references": [ + "https://docs.aws.amazon.com/config/latest/developerguide/evaluating-your-resources.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1609", + "attack_object_name": "Container Administration Command", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to execute commands via the API. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1610", + "attack_object_name": "Deploy Container", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to deploy containers. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1611", + "attack_object_name": "Escape to Host", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"ecs-task-definition-user-for-host-mode-check\" managed rule can identify Amazon Elastic Container Service (ECS) task definitions for containers with host networking mode and 'privileged' or 'user' container definitions, which may enable adversaries to break out of containers and gain access to the underlying host. It is run on configuration changes. 
Coverage is partial, since adversaries may find other means to escape a container to the underlying host, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1613", + "attack_object_name": "Container and Resource Discovery", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "partial", + "comments": "The \"eks-endpoint-no-public-access\" managed rule can identify whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoints are misconfigured to allow public endpoint access, which should be fixed in order to prevent malicious external access to the Kubernetes API server, including malicious attempts to discover containers and other resources. 
It is run periodically and only provides partial coverage because it is specific to public access, resulting in an overall score of Partial.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_config", + "capability_description": "AWS Config", + "mapping_type": "technique_scores", + "attack_object_id": "T1651", + "attack_object_name": "Cloud Administration Command", + "capability_group": "aws_config", + "score_category": "protect", + "score_value": "significant", + "comments": "The \"mfa-enabled-for-iam-console-access\" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users,vprotecting against misuse of those accounts' access to Amazon System Manager and the ability to run cloud administration commands. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.", + "references": [ + "https://docs.aws.amazon.com/config", + "https://docs.aws.amazon.com/config/latest/developerguide", + "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.007", + "attack_object_name": "Cloud Services", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Identity and Access Management supports multi-factor authentication, which can mitigate an adversary's ability to use valid credentials obtained on one cloud to access another cloud service.", + "references": [], + "status": "complete" + }, + { + "capability_id": 
"aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "partial", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_identity_and_access_management", + "score_category": "detect", + "score_value": "partial", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1078", + "comments": "This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. 
MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_identity_and_access_management", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1078", + "comments": "The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1098", + "attack_object_name": "Account Manipulation", + "capability_group": "aws_identity_and_access_management", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control may generate logs for creation and manipulation of accounts but the relevant security information would be handled by another security control.", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.001", + "attack_object_name": "Additional Cloud Credentials", + "capability_group": "aws_identity_and_access_management", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1098", + "comments": "The Access Analyzer tool may detect 
when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.005", + "attack_object_name": "Device Registration", + "capability_group": "aws_identity_and_access_management", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1098", + "comments": "The IAM MFA fields can provide data on device registration to help detect unexpected registrations.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_MFADevice.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "significant", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1528", + "attack_object_name": "Steal Application Access Token", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer.", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1548.005", + "attack_object_name": "Temporary Elevated Cloud Access", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1548", + "comments": "AWS Identity and Access Management (IAM) policy variables can limit actions based on specific variables such as ip address or username and can provide protection from unauthorized temporary elevated cloud access.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1550", + "attack_object_name": "Use Alternate Authentication Material", + "capability_group": 
"aws_identity_and_access_management", + "score_category": "protect", + "score_value": "minimal", + "references": [ + "https://docs.aws.amazon.com/iam/index.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1550.001", + "attack_object_name": "Application Access Token", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1550", + "comments": "This control may mitigate against application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. This recommendation is a best practice for IAM but must be explicitly implemented by the application developer. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1621", + "attack_object_name": "Multi-Factor Authentication Request Generation", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS Identity and Access Management can be configured to lock at user out after repeated Multi-Factor Authentication requests.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_identity_and_access_management", + "capability_description": "AWS Identity and Access Management", + "mapping_type": "technique_scores", + "attack_object_id": "T1648", + "attack_object_name": "Serverless Execution", + "capability_group": "aws_identity_and_access_management", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Identity and Access 
Management variables can be used to allow or deny malicious severless execution behavior based on variables like aws:SourceIp and aws:username.", + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1020", + "attack_object_name": "Automated Exfiltration", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial coverage for this technique's only sub-technique, but without specific coverage for its procedures, resulting in an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1020.001", + "attack_object_name": "Traffic Duplication", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1020", + "comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions 
can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. \"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1040", + "attack_object_name": "Network Sniffing", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "partial", + "comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve 
configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. \"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + 
"https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1041", + "attack_object_name": "Exfiltration Over C2 Channel", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices using an established command and control channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over command and control channels.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1046", + "attack_object_name": "Network Service Scanning", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement 
techniques: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected devices. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may traffic used to discover other hosts/services. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest scanning is taking place.\nCoverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + 
"mapping_type": "technique_scores", + "attack_object_id": "T1048", + "attack_object_name": "Exfiltration Over Alternative Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "comments": "This control provides partial coverage for this technique and all of its sub-techniques, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.001", + "attack_object_name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1048", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.002", + "attack_object_name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1048", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1048.003", + "attack_object_name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1048", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be exfiltrating collected data from compromised AWS IoT devices over a given channel to/from those devices: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. 
\"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include exfiltration of stolen data. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include exfiltration of data over those ports/protocols.\nCoverage factor is partial, since these metrics are limited to exfiltration from IoT devices, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1071", + "attack_object_name": "Application Layer Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and application layer protocols - especially the Message Queuing Telemetry Transport (MQTT) protocol - to communicate for command and control purposes: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. 
\"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and application layer protocols - especially the Message Queuing Telemetry Transport (MQTT) protocol - to communicate for command and control purposes: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols that may suggest application layer command and control traffic.\nCoverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides partial detection capability for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score.", + "references": [ + 
"https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control provides partial protection for one of this technique's sub-techniques and a few of its procedure examples resulting in an overall Minimal protection score.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": 
"aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1078", + "comments": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API), and \"Conflicting MQTT client IDs\" (\"CONFLICTING_CLIENT_IDS_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access.\nThe following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. 
\"Authorization failures\" (\"aws:num-authorization-failures\") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. High counts for \"Disconnects\" (\"aws:num-disconnects\"), especially in conjunction with high counts for \"Connection attempts\" (\"aws:num-connection-attempts\"), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access.\nCoverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1078", + "comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The \"Authenticated Cognito role overly permissive\" (\"AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. 
The \"Unauthenticated Cognito role overly permissive\" (\"UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. The \"AWS IoT policies overly permissive\" (\"IOT_POLICY_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the \"REPLACE_DEFAULT_POLICY_VERSION\" mitigation action which can reduce permissions to limit potential misuse. The \"Role alias allows access to unused services\" (\"IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK\" in the CLI and API) and \"Role alias overly permissive\" (\"IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK\" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1095", + "attack_object_name": "Non-Application Layer Protocol", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "minimal", + "comments": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that 
an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols - especially TCP and UDP - to communicate for command and control purposes: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include command and control traffic.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and non-application layer protocols - especially TCP and UDP - to communicate for command and control purposes: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include command and control traffic. 
\"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via TCP and/or UDP on unexpected ports that may suggest command and control traffic.\nCoverage factor is minimal, since these metrics are limited to IoT device communication and none of this technique's sub-techniques are addressed, resulting in an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1496", + "attack_object_name": "Resource Hijacking", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "comments": "The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing 
denial of service attacks on other environments: \"Destination IPs\" (\"aws:destination-ip-addresses\") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. \"Listening TCP ports\" (\"aws:listening-tcp-ports\"), \"Listening TCP port count\" (\"aws:num-listening-tcp-ports\"), \"Established TCP connections count\" (\"aws:num-established-tcp-connections\"), \"Listening UDP ports\" (\"aws:listening-udp-ports\"), and \"Listening UDP port count\" (\"aws:num-listening-udp-ports\") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities.\nCoverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT 
Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "comments": "The following AWS IoT Device Defender cloud-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: \"Source IP\" (\"aws:source-ip-address\") values outside of expected IP address ranges may suggest that a device has been stolen. \"Messages sent\" (\"aws:num-messages-sent\"), \"Messages received\" (\"aws:num-messages-received\"), and \"Message size\" (\"aws:message-byte-size\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage.\nThe following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices and the Message Queuing Telemetry Transport (MQTT) protocol for unauthorized data transfer from cloud-side data sources: \"Bytes in\" (\"aws:all-bytes-in\"), \"Bytes out\" (\"aws:all-bytes-out\"), \"Packets in\" (\"aws:all-packets-in\"), and \"Packets out\" (\"aws:all-packets-out\") values outside of expected norms may indicate that devices are sending and/or receiving non-standard traffic, which may include data retrieved from cloud storage.\nCoverage factor is partial, since these metrics are limited to IoT device-based collection, resulting in an overall score of Partial.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + 
"https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.004", + "attack_object_name": "Private Keys", + "capability_group": 
"aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1552", + "comments": "The following AWS IoT Device Defender audit checks can identify potentially malicious use of private keys associated with AWS IoT devices, which may indicate that the keys have been taken from compromised devices and repurposed by an adversary: \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API) and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or certificates that have been revoked due to compromise, both of which suggest that an adversary may be misusing stolen private keys.\nCoverage factor is partial for these checks and mitigations, since they are specific to use of private keys associated with AWS IoT devices, resulting in an overall score of Partial.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1557", + "attack_object_name": "Man-in-the-Middle", + "capability_group": "aws_iot_device_defender", + "score_category": "protect", + "score_value": "minimal", + "comments": "The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and resolve configuration problems that should be fixed in order to ensure SSL/TLS encryption is enabled and secure to protect network traffic to/from IoT devices: \"CA certificate expiring\" (\"CA_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"CA certificate key quality\" (\"CA_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), and \"CA certificate revoked but device certificates still active\" (\"REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with certificate authority (CA) certificates 
being used for signing and support the \"UPDATE_CA_CERTIFICATE\" mitigation action which can resolve them. \"Device certificate expiring\" (\"DEVICE_CERTIFICATE_EXPIRING_CHECK\" in the CLI and API), \"Device certificate key quality\" (\"DEVICE_CERTIFICATE_KEY_QUALITY_CHECK\" in the CLI and API), \"Device certificate shared\" (\"DEVICE_CERTIFICATE_SHARED_CHECK\" in the CLI and API), and \"Revoked device certificate still active\" (\"REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK\" in the CLI and API) can identify problems with IoT devices' certificates and support the \"UPDATE_DEVICE_CERTIFICATE\" and \"ADD_THINGS_TO_THING_GROUP\" mitigation actions which can resolve them.\nCoverage factor is partial for these checks and mitigations, since they are specific to IoT device communication and can only mitigate behavior for adversaries who are unable to decrypt the relevant traffic, resulting in an overall score of Partial. This control does not provide specific coverage for this technique's sub-techniques, resulting in an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair 
Defenses", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "minimal", + "comments": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. \"plan the appropriate remediation to prevent unauthorized device access or data disclosure.\"", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair Defenses", + "capability_group": "aws_iot_device_defender", + "score_category": "respond", + "score_value": "minimal", + "comments": "This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. 
\"you can continuously ingest and evaluate message size data, which can point to issues such as credential abuse.\"", + "references": [ + "https://aws.amazon.com/iot-device-defender/", + "https://docs.aws.amazon.com/iot-device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-mitigation-actions", + "https://docs.aws.amazon.com/iot/latest/developerguide/dd-detect-security-use-cases", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-cloud-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/detect-device-side-metrics", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-audit", + "https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-detect" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.008", + "attack_object_name": "Disable Cloud Logs", + "capability_group": "aws_iot_device_defender", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1562", + "comments": "The \"Logging disabled\" audit check (\"LOGGING_DISABLED_CHECK\" in the CLI and API) can identify potentially malicious changes to AWS IoT logs (both V1 and V2), which should be enabled in Amazon CloudWatch. 
Score is limited to Partial since this control only addresses IoT logging.", + "references": [ + "https://docs.aws.amazon.com/iot-device-defender/latest/devguide/dd-detect-security-use-cases.html", + "https://docs.aws.amazon.com/iot-device-defender/latest/devguide/audit-chk-logging-disabled.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_iot_device_defender", + "capability_description": "AWS IoT Device Defender", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.008", + "attack_object_name": "Disable Cloud Logs", + "capability_group": "aws_iot_device_defender", + "score_category": "respond", + "score_value": "partial", + "related_score": "T1562", + "comments": "The \"ENABLE_IOT_LOGGING\" mitigation action (which is supported by the \"Logging disabled\" audit check) enables AWS IoT logging if it is not enabled when the check is run, effectively reversing the adversary behavior if those logs were disabled due to malicious changes. Score is limited to Partial since this control only addresses IoT logging.", + "references": [ + "https://docs.aws.amazon.com/iot-device-defender/latest/devguide/dd-mitigation-actions.html", + "https://docs.aws.amazon.com/iot-device-defender/latest/devguide/audit-chk-logging-disabled.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.", + "references": [ + "https://aws.amazon.com/kms/", + "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html" + ], + "status": 
"complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.001", + "attack_object_name": "Credentials In Files", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "This service provides a more secure alternative to storing encryption keys in the file system. As a result of this service only supporting cryptographic keys and not other types of credentials, the coverage score is assessed as Partial resulting in an overall Partial score.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.004", + "attack_object_name": "Private Keys", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1552", + "comments": "This service allows for securely storing encryption keys and enforcing fine-grained access to the keys. The service does not allow anyone access to retrieve plaintext keys from the service.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1588", + "attack_object_name": "Obtain Capabilities", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "partial", + "comments": "Provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization. 
As documented, access can be provisioned and monitored.", + "references": [ + "https://aws.amazon.com/kms/", + "https://docs.aws.amazon.com/kms/latest/developerguide/overview.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1588.003", + "attack_object_name": "Code Signing Certificates", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1588", + "comments": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_key_management_service", + "capability_description": "AWS Key Management Service", + "mapping_type": "technique_scores", + "attack_object_id": "T1588.004", + "attack_object_name": "Digital Certificates", + "capability_group": "aws_key_management_service", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1588", + "comments": "The encryption key for the certificate can be stored in KMS, reducing its attack surface. Score is capped at Partial because adversaries can still misuse keys/certs if KMS and KMS resources are compromised.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1008", + "attack_object_name": "Fallback Channels", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified. ", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1018", + "attack_object_name": "Remote System Discovery", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall. ", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021", + "attack_object_name": "Remote Services", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.001", + "attack_object_name": "Remote Desktop Protocol", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.002", + "attack_object_name": "SMB/Windows Admin Shares", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.004", + "attack_object_name": "SSH", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.005", + "attack_object_name": "VNC", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1021.006", + "attack_object_name": "Windows Remote Management", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1021", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1041", + "attack_object_name": "Exfiltration Over C2 Channel", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance. ",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1046",
+ "attack_object_name": "Network Service Scanning",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall. 
",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1048",
+ "attack_object_name": "Exfiltration Over Alternative Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1048.001",
+ "attack_object_name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1048",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1048.002",
+ "attack_object_name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1048",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. 
",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1048.003",
+ "attack_object_name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1048",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1071",
+ "attack_object_name": "Application Layer Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
Given this supports all sub-techniques, the mapping is given a score of Significant.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1071.001",
+ "attack_object_name": "Web Protocols",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "related_score": "T1071",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1071.002",
+ "attack_object_name": "File Transfer Protocols",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "related_score": "T1071",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1071.003",
+ "attack_object_name": "Mail Protocols",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "related_score": "T1071",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. As a result, this mapping is given a score of Significant.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1071.004",
+ "attack_object_name": "DNS",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "related_score": "T1071",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
As a result, this mapping is given a score of Significant.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1090",
+ "attack_object_name": "Proxy",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques, and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1090.002",
+ "attack_object_name": "External Proxy",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1090",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. 
This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1090.003",
+ "attack_object_name": "Multi-hop Proxy",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1090",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1095",
+ "attack_object_name": "Non-Application Layer Protocol",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. 
Given this, the mapping is given a score of Significant.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1104",
+ "attack_object_name": "Multi-Stage Channels",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified. ",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1133",
+ "attack_object_name": "External Remote Services",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow certain remote services to be available. Futhermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1187",
+ "attack_object_name": "Forced Authentication",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block SMB and WebDAV traffic from exiting the network which can protect against adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because AWS Network Firewall can block this traffic or restrict where it can go to. ",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1205",
+ "attack_object_name": "Traffic Signaling",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against traffic signaling among hosts within the network and behind the firewall.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1205.001",
+ "attack_object_name": "Port Knocking",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1205",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against port knocking from external systems. This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against port knocking among hosts within the network and behind the firewall.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1205.002",
+ "attack_object_name": "Socket Filters",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1205",
+ "comments": "AWS Network Firewall can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. 
This mapping is given a score of partial because the AWS Network Firewall does not do anything to protect against traffic signaling among hosts within the network and behind the firewall.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1219",
+ "attack_object_name": "Remote Access Software",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote access software from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote access software traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote access software as part of an attack.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1498",
+ "attack_object_name": "Network Denial of Service",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "minimal",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block the sources of smaller-scale network denial of service attacks. While AWS Network Firewall supports all sub-techniques (2 of 2 at the time of this mapping), this mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1498.001",
+ "attack_object_name": "Direct Network Flood",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "minimal",
+ "related_score": "T1498",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1498.002",
+ "attack_object_name": "Reflection Amplification",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "minimal",
+ "related_score": "T1498",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block the sources of smaller-scale network denial of service attacks. This mapping is given a score of Minimal because often times it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1499",
+ "attack_object_name": "Endpoint Denial of Service",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because it only supports a subset of the sub-techniques, and because the source of the attack would have to be known before rules could be put in place to protect against it. 
",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1499.001",
+ "attack_object_name": "OS Exhaustion Flood",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1499",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1499.002",
+ "attack_object_name": "Service Exhaustion Flood",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1499",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. ",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1499.003",
+ "attack_object_name": "Application Exhaustion Flood",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1499",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, the AWS Network Firewall could block the source of the denial of service attack. This mapping is given a score of Partial because the source of the attack would have to be known before rules could be put in place to protect against it. 
",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1530",
+ "attack_object_name": "Data from Cloud Storage Object",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud where the AWS Network Firewall protects, the mapping is only given a score of Partial.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1542",
+ "attack_object_name": "Pre-OS Boot",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "minimal",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. 
This mapping is given a score of Minimal because AWS Network Firewall only supports a subset of sub-techniques, and it does not do anything to protect against TFTP booting among hosts within the network and behind the firewall.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1542.005",
+ "attack_object_name": "TFTP Boot",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "related_score": "T1542",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Partial because AWS Network Firewall does not do anything to protect against TFTP booting among hosts within the network and behind the firewall.",
+ "references": [],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1571",
+ "attack_object_name": "Non-Standard Port",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "significant",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. As a result, this mapping is given a score of Significant. 
",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1572",
+ "attack_object_name": "Protocol Tunneling",
+ "capability_group": "aws_network_firewall",
+ "score_category": "protect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and domains which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.",
+ "references": [
+ "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html"
+ ],
+ "status": "complete"
+ },
+ {
+ "capability_id": "aws_network_firewall",
+ "capability_description": "AWS Network Firewall",
+ "mapping_type": "technique_scores",
+ "attack_object_id": "T1589",
+ "attack_object_name": "Gather Victim Identity Information",
+ "capability_group": "aws_network_firewall",
+ "score_category": "detect",
+ "score_value": "partial",
+ "comments": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.001", + "attack_object_name": "Credentials", + "capability_group": "aws_network_firewall", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1589", + "comments": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Minimal because much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.002", + "attack_object_name": "Email Addresses", + "capability_group": "aws_network_firewall", + "score_category": "detect", + "score_value": "partial", + "related_score": "T1589", + "comments": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. It is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. 
", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.003", + "attack_object_name": "Employee Names", + "capability_group": "aws_network_firewall", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1589", + "comments": "AWS Network Firewall inspects inbound traffic flows and provides outbound traffic filtering. The capability has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload.It is given a score of Minimal because much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1590", + "attack_object_name": "Gather Victim Network Information", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. 
While this mapping supports most of the sub-techniques (4 of 6), it is only given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.001", + "attack_object_name": "Domain Properties", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.004", + "attack_object_name": "Network Topology", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.005", + "attack_object_name": "IP Addresses", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.006", + "attack_object_name": "Network Security Appliances", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1590", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. This mapping is given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall and it does not protect against phishing. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595", + "attack_object_name": "Active Scanning", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. While this mapping supports al sub-techniques (2 of 2), this mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.001", + "attack_object_name": "Scanning IP Blocks", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_network_firewall", + "capability_description": "AWS Network Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.002", + "attack_object_name": "Vulnerability Scanning", + "capability_group": "aws_network_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may protect against malicious use of cloud accounts but may not mitigate exploitation of local, domain, or default accounts present within deployed resources.", + "references": [ + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", + "https://aws.amazon.com/organizations/getting-started/best-practices/" + ], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1078", + "comments": "This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. 
If best practices are followed, AWS accounts should only have the least amount of privileges required.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1087", + "attack_object_name": "Account Discovery", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "minimal", + "comments": "This control may protect against cloud account discovery but does not mitigate against other forms of account discovery.", + "references": [ + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", + "https://aws.amazon.com/organizations/getting-started/best-practices/" + ], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1087.004", + "attack_object_name": "Cloud Account", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1087", + "comments": "This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1538", + "attack_object_name": "Cloud Service Dashboard", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege.", + "references": [ + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", + "https://aws.amazon.com/organizations/getting-started/best-practices/" + ], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1580", + "attack_object_name": "Cloud Infrastructure Discovery", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege.", + "references": [ + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", + "https://aws.amazon.com/organizations/getting-started/best-practices/" + ], + "status": "complete" + }, + { + "capability_id": "aws_organizations", + "capability_description": "AWS Organizations", + "mapping_type": "technique_scores", + "attack_object_id": "T1651", + "attack_object_name": "Cloud Administration Command", + "capability_group": "aws_organizations", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager 
access by least privilege.", + "references": [ + "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html", + "https://aws.amazon.com/organizations/getting-started/best-practices/" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1040", + "attack_object_name": "Network Sniffing", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against network sniffing attacks. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation. ", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. 
In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation. ", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. 
As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS RDS provides deletion protection which prevents any user from deleting a database instance. If applied, the setting may mitigate attempts to delete a database instance. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_rds", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has destroyed the database instance.\nRDS-EVENT-0003: The DB instance has been deleted RDS-EVENT-0041: A DB snapshot has been deleted\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized deletion.\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. 
In the event that a database instance is deleted, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1486", + "attack_object_name": "Data Encrypted for Impact", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is encrypted by an adversary (e.g., ransomware), AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1489", + "attack_object_name": "Service Stop", + "capability_group": "aws_rds", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to stop a database instance.\nRDS-EVENT-0087: The DB instance has been stopped\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized stopping of the database instance.\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1490", + "attack_object_name": "Inhibit System 
Recovery", + "capability_group": "aws_rds", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS RDS generates events for database instances and includes the following event that may indicate that an adversary has attempted to inhibit system recovery.\nRDS-EVENT-0028: Automatic backups for this DB instance have been disabled\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized disabling of automatic backups.\n", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1490", + "attack_object_name": "Inhibit System Recovery", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised and modified to disrupt recovery, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1529", + "attack_object_name": "System Shutdown/Reboot", + "capability_group": "aws_rds", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS RDS generates events for database instances and includes the following events that may indicate that an adversary has shutdown or rebooted the database instance. 
\nRDS-EVENT-0006: The DB instance restarted, RDS-EVENT-0004: The DB instance shutdown, RDS-EVENT-0022: An error has occurred while restarting MySQL or MariaDB\nThis mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized shutdown/reboot.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS RDS supports the encryption of the underlying storage for database instances, backups, read replicas, and snapshots using the AES-256 encryption algorithm. This can protect against an adversary from gaining access to a database instance in the event they get access to the underlying system where the database instance is hosted or to S3 where the backups are stored. Furthermore, with AWS RDS, there is a setting that specifies whether or not a database instances is publicly accessible. When public accessibility is turned off, the database instance will not be available outside the VPC in which it was created. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1557", + "attack_object_name": "Man-in-the-Middle", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS RDS and AWS RDS Proxy support TLS/SSL connections to database instances which protects against man-in-the-middle attacks. 
However, given that it does not support any sub-techniques, the mapping is given a score of Partial.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1561", + "attack_object_name": "Disk Wipe", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "minimal", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Minimal because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html", + "https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/rds.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1561.001", + "attack_object_name": "Disk Content Wipe", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "minimal", + "related_score": "T1561", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. 
However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html", + "https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/rds.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1561.002", + "attack_object_name": "Disk Structure Wipe", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "minimal", + "related_score": "T1561", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that a database instance is deleted during a disk wipe, AWS RDS can be used to restore the database instance to a previous point in time. However, this mapping is only given a score of Partial because AWS RDS only provides a backup of the database instance and not the underlying system that it is hosted on.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html", + "https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/rds.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565", + "attack_object_name": "Data Manipulation", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. This mapping is given a score of Partial because it only supports a subset of the sub-techniques (2 of 3). 
", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565", + "attack_object_name": "Data Manipulation", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.001", + "attack_object_name": "Stored Data Manipulation", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1565", + "comments": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.001", + "attack_object_name": "Stored Data Manipulation", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1565", + "comments": "AWS RDS supports the replication and recovery of database instances. 
In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.002", + "attack_object_name": "Transmitted Data Manipulation", + "capability_group": "aws_rds", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1565", + "comments": "AWS RDS supports the encryption of database instances using the AES-256 encryption algorithm. This can protect database instances from being modified at rest. Furthermore, AWS RDS supports TLS/SSL connections which protect data from being modified during transit. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_rds", + "capability_description": "AWS RDS", + "mapping_type": "technique_scores", + "attack_object_id": "T1565.002", + "attack_object_name": "Transmitted Data Manipulation", + "capability_group": "aws_rds", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1565", + "comments": "AWS RDS supports the replication and recovery of database instances. In the event that data is manipulated, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_s3", + "capability_description": "AWS S3", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_s3", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS S3 may protect against data destruction through application of several best practices. 
Multi-factor authentication can be enabled for delete operations and for changing the versioning state of a bucket. Versioning can be enabled to revert objects to a previous state after malicious destruction or corruption. S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. In addition, S3 Cross Region Replication can be used to replicate S3 buckets to another AWS region for add protection.", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_s3", + "capability_description": "AWS S3", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "aws_s3", + "score_category": "protect", + "score_value": "significant", + "comments": "S3 provides full control of access via Identity and Access Management (IAM) policies and with its access control lists (ACLs). The S3 Block Public Access feature allows for policies limiting public access to Amazon S3 resources that are enforced regardless of how the resources are created or associated IAM policies. 
Server-side encryption can be enabled for data at rest and allows for use of S3-managed keys, AWS Key Management Service managed keys, or customer-provided keys.", + "references": [ + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1212", + "attack_object_name": "Exploitation for Credential Access", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may protect against exploitation for credential access by removing credentials and secrets from applications that can be exploited and requiring authenticated API calls to retrieve those credentials and secrets.", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1528", + "attack_object_name": "Steal Application Access Token", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may prevent theft of application access tokens by replacing those tokens with authenticated and encrypted API calls to AWS Secrets Manager. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1552", + "attack_object_name": "Unsecured Credentials", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "comments": "This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.001", + "attack_object_name": "Credentials In Files", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.002", + "attack_object_name": "Credentials in Registry", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1552.004", + "attack_object_name": "Private Keys", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1552", + "comments": "This control may prevent harvesting of unsecured credentials by removing credentials and secrets from applications and configuration files and requiring authenticated API calls to retrieve those credentials and secrets. 
This control is relevant for credentials stored in applications or configuration files but not credentials entered directly by a user.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1555", + "attack_object_name": "Credentials from Password Stores", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may prevent harvesting of credentials from password stores by providing a secure, finely controlled location for secrets storage. This control is only relevant for credentials that would be used from application and configuration files and not those entered directly by an end user.", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_secrets_manager", + "capability_description": "AWS Secrets Manager", + "mapping_type": "technique_scores", + "attack_object_id": "T1555.006", + "attack_object_name": "Cloud Secrets Management Stores", + "capability_group": "aws_secrets_manager", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1555", + "comments": "This control may prevent harvesting of credentials from password stores by providing a secure, finely controlled location for secrets storage. 
This control is only relevant for credentials that would be used from application and configuration files and not those entered directly by an end user.", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html", + "https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1068", + "attack_object_name": "Exploitation for Privilege Escalation", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. 
AWS Security Hub provides these detections with the following managed insights.\nAWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks.\n3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the \"root\" user\nBy monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised.\nThis is scored as Minimal because it only supports a subset of the sub-techniques. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1078", + "comments": "AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. 
AWS Security Hub provides these detections with the following managed insights.\nAWS principals with suspicious access key activity Credentials that may have leaked AWS resources with unauthorized access attempts IAM users with suspicious activity\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks.\n3.1 Ensure a log metric filter and alarm exist for unauthorized API calls 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account 3.4 Ensure a log metric filter and alarm exist for IAM policy changes 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures [PCI.CW.1] A log metric filter and alarm should exist for usage of the \"root\" user\nBy monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised.\nThis is scored as Significant because it reports on suspicious activity by AWS accounts. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1098", + "attack_object_name": "Account Manipulation", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. 
AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Minimal because it only supports a subset of the sub-techniques.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1098.001", + "attack_object_name": "Additional Cloud Credentials", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1098", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the manipulation of accounts. AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Significant because it can monitor all changes to IAM policy which can be used to detect any changes made to accounts. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) 
and it only supports a subset of the sub-techniques. Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. 
AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1110", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks.\n3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures\nThis is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. 
AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1203", + "attack_object_name": "Exploitation for Client Execution", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. 
It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1210", + "attack_object_name": "Exploitation of Remote Services", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1211", + "attack_object_name": "Exploitation for Defense Evasion", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. 
AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1212", + "attack_object_name": "Exploitation for Credential Access", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight.\nEC2 instances that have missing security patches for important vulnerabilities\nThis is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. 
It doesn't not cover zero-day vulnerabilities.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1485", + "attack_object_name": "Data Destruction", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the scheduled destruction of Customer Master Keys (CMKs) which are critical for being able to decrypt data. AWS Security Hub provides this detection with the following check.\nEnsure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs\nThis is scored as Minimal because CMKs only represent one type of data that could be destroyed by an adversary. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1530", + "attack_object_name": "Data from Cloud Storage Object", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to data in cloud storage. 
AWS Security Hub provides this detection with the following managed insight.\nS3 buckets with public write or read permissions\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check.\n3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes \nThis is scored as Partial because it only detects when S3 buckets have public read or write access and doesn't detect improperly secured data in other storage types (e.g., DBs, NFS, etc.).", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1531", + "attack_object_name": "Account Access Removal", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the modification of accounts. AWS Security Hub provides this detection with the following check.\n3.4 Ensure a log metric filter and alarm exist for IAM policy changes \nThis is scored as Partial because it only supports the monitoring of changes to AWS IAM accounts and not the accounts on instances of operating systems. 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1543.005", + "attack_object_name": "Container Service", + "capability_group": "aws_security_hub", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1543", + "comments": "AWS Security Hub offers controls for Amazon Elastic Container Service (ECS). There are a variety of ECS security controls available, resulting in a score of Significant.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/ecs-controls.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1562", + "attack_object_name": "Impair Defenses", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Partial because it only supports a subset of the sub-techniques (3 of 8). 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.001", + "attack_object_name": "Disable or Modify Tools", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1562", + "comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
\n\n\n\"Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues\"", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.007", + "attack_object_name": "Disable or Modify Cloud Firewall", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1562", + "comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html", + "https://aws.amazon.com/about-aws/whats-new/2019/12/aws-security-hub-integrates-with-aws-firewall-manager/" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1562.008", + "attack_object_name": "Disable Cloud Logs", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "significant", + "related_score": "T1562", + "comments": "AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.\n3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes\nThis is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made. 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1580", + "attack_object_name": "Cloud Infrastructure Discovery", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "partial", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet\nAWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check.\n3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes \nThis is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components. 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1589", + "attack_object_name": "Gather Victim Identity Information", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.001", + "attack_object_name": "Credentials", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1589", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.002", + "attack_object_name": "Email Addresses", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1589", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1589.003", + "attack_object_name": "Employee Names", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1589", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590", + "attack_object_name": "Gather Victim Network Information", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.001", + "attack_object_name": "Domain Properties", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.002", + "attack_object_name": "DNS", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.003", + "attack_object_name": "Network Trust Dependencies", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.004", + "attack_object_name": "Network Topology", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.005", + "attack_object_name": "IP Addresses", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1590.006", + "attack_object_name": "Network Security Appliances", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1590", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1591", + "attack_object_name": "Gather Victim Org Information", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1591.001", + "attack_object_name": "Determine Physical Locations", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1591", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1591.002", + "attack_object_name": "Business Relationships", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1591", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1591.003", + "attack_object_name": "Identify Business Tempo", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1591", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1591.004", + "attack_object_name": "Identify Roles", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1591", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1592", + "attack_object_name": "Gather Victim Host Information", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1592.001", + "attack_object_name": "Hardware", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1592", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1592.002", + "attack_object_name": "Software", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1592", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1592.003", + "attack_object_name": "Firmware", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1592", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1592.004", + "attack_object_name": "Client Configurations", + "capability_group": "aws_security_hub", + "score_category": "detect", + "score_value": "minimal", + "related_score": "T1592", + "comments": "AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access that may result in an adversary getting access to information that could be used during targeting. AWS Security Hub provides these detections with the following managed insights.\nS3 buckets with public write or read permissions S3 buckets with sensitive data\nThis is scored as Minimal because S3 only represents one of many available sources of information that an adversary could use for targeting. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_security_hub", + "capability_description": "AWS Security Hub", + "mapping_type": "technique_scores", + "attack_object_id": "T1651", + "attack_object_name": "Cloud Administration Command", + "capability_group": "aws_security_hub", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS Security Hub controls for System Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed.", + "references": [ + "https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1498", + "attack_object_name": "Network Denial of Service", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "references": [ + 
"https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", + "https://aws.amazon.com/shield/features/" + ], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.001", + "attack_object_name": "Direct Network Flood", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1498", + "comments": "AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1498.002", + "attack_object_name": "Reflection Amplification", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1498", + "comments": "AWS Shield will set and use a static network flow threshold to detect incoming traffic to AWS services. This will reduce direct network DOS attacks by applying an undisclosed combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time. AWS Shield Advance identifies anomalies in network traffic to flag attempted attacks and execute inline mitigations to resolve the issue. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1499", + "attack_object_name": "Endpoint Denial of Service", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "references": [ + "https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc", + "https://aws.amazon.com/shield/features/" + ], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.001", + "attack_object_name": "OS Exhaustion Flood", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1499", + "comments": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. ", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.002", + "attack_object_name": "Service Exhaustion Flood", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1499", + "comments": "AWS Shield Standard provides protection and response to these Denial of Service attacks in real time by using a network traffic baseline and identifying anomalies among other techniques. 
", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_shield", + "capability_description": "AWS Shield", + "mapping_type": "technique_scores", + "attack_object_id": "T1499.003", + "attack_object_name": "Application Exhaustion Flood", + "capability_group": "aws_shield", + "score_category": "respond", + "score_value": "significant", + "related_score": "T1499", + "comments": "AWS Shield Advance allows for customized detection and mitigations for custom applications that are running on EC2 instances.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1078", + "attack_object_name": "Valid Accounts", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "partial", + "references": [ + "https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.002", + "attack_object_name": "Domain Accounts", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1078", + "comments": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). 
The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1078.004", + "attack_object_name": "Cloud Accounts", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1078", + "comments": "This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1110", + "attack_object_name": "Brute Force", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "partial", + "comments": "This control may not provide any mitigation against password cracking.", + "references": [ + "https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.001", + "attack_object_name": "Password Guessing", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may protect against brute force techniques by enabling multi-factor 
authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.003", + "attack_object_name": "Password Spraying", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1110.004", + "attack_object_name": "Credential Stuffing", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1110", + "comments": "This control may protect against brute force techniques by enabling multi-factor authentication. All accounts that can be replace with single sign-on can benefit from a unified multi-factor authentication requirement.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_single_sign-on", + "capability_description": "AWS Single Sign-On", + "mapping_type": "technique_scores", + "attack_object_id": "T1133", + "attack_object_name": "External Remote Services", + "capability_group": "aws_single_sign-on", + "score_category": "protect", + "score_value": "significant", + "comments": "This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts. 
", + "references": [ + "https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1046", + "attack_object_name": "Network Service Scanning", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1059", + "attack_object_name": "Command and Scripting Interpreter", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1059.001", + "attack_object_name": "PowerShell", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1059", + "comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1059.004", + "attack_object_name": "Unix Shell", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1059", + "comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1059.007", + "attack_object_name": "JavaScript", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "related_score": "T1059", + "comments": "The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it provides protections for PowerShell, Unix, and JavaScript command and scripting interpreters by blocking the malicious content in near real-time.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1071", + "attack_object_name": "Application Layer Protocol", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "minimal", + "comments": "AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Minimal because the rule sets only protect against a subset of the sub-techniques (1 of 4).", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1071.001", + "attack_object_name": "Web Protocols", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "minimal", + "related_score": "T1071", + "comments": "AWS WAF protects against this by inspecting incoming requests and blocking malicious traffic. 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesAdminProtectionRuleSet AWSManagedRulesKnownBadInputsRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Minimal because the rule sets only protect against the web protocols sub-technique.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1090", + "attack_object_name": "Proxy", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provides protections for only a subset of the sub-techniques, and is based only on known IP addresses. 
Furthermore, it blocks the malicious content in near real-time.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.002", + "attack_object_name": "External Proxy", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1090", + "comments": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provide protections based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1090.003", + "attack_object_name": "Multi-hop Proxy", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1090", + "comments": "The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). 
AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.\nAWSManagedRulesAnonymousIpList\nThis is given a score of Partial because it provide protections based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1189", + "attack_object_name": "Drive-by Compromise", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS WAF protects against drive-by compromises by blocking malicious traffic that contains cross-site scripting patterns with the following rule set.\nAWSManagedRulesCommonRuleSet\nThis is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1190", + "attack_object_name": "Exploit Public-Facing Application", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "comments": "The AWS WAF protects public-facing applications against a range of vulnerabilities including those listed in the OWASP Top 10. 
AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications.\nAWSManagedRulesCommonRuleSet AWSManagedRulesKnownBadInputRuleSet AWSManagedRulesSQLiRuleSet AWSManagedRulesLinuxRuleSet AWSManagedRulesUnixRuleSet AWSManagedRulesWindowsRuleSet AWSManagedRulesPHPRuleSet AWSManagedRulesWordPressRuleSet\nThis is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1203", + "attack_object_name": "Exploitation for Client Execution", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "significant", + "comments": "AWS WAF protects against exploitation for client execution (browser-based exploitation) by blocking malicious traffic that contains cross-site scripting patterns with the following rule set.\nAWSManagedRulesCommonRuleSet\nThis is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + 
"https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595", + "attack_object_name": "Active Scanning", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicates bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", + "references": [ + "https://aws.amazon.com/waf/", + "https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html", + "https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" + ], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.001", + "attack_object_name": "Scanning IP Blocks", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. 
AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.002", + "attack_object_name": "Vulnerability Scanning", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "AWS WAF protects against bots that run scans against web applications such as Nessus (vulnerability assessments) and Nmap (IP address and port scans) among others. AWS WAF does this by blocking malicious traffic that indicate bad bots such as those listed above (e.g., via User-Agent values). 
AWS WAF uses the following rule sets to provide this protection.\nAWSManagedRulesCommonRuleSet AWSManagedRulesBotControlRuleSet\nThis is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.", + "references": [], + "status": "complete" + }, + { + "capability_id": "aws_web_application_firewall", + "capability_description": "AWS Web Application Firewall", + "mapping_type": "technique_scores", + "attack_object_id": "T1595.003", + "attack_object_name": "Wordlist Scanning", + "capability_group": "aws_web_application_firewall", + "score_category": "protect", + "score_value": "partial", + "related_score": "T1595", + "comments": "AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within network protected by the firewall. 
", + "references": [ + "https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" + ], + "status": "complete" + }, + { + "capability_id": "amazon_detective", + "capability_description": "Amazon Detective", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "amazon_detective", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_artifact", + "capability_description": "AWS Artifact", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_artifact", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_audit_manager", + "capability_description": "AWS Audit Manager", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_audit_manager", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_certificate_manager", + "capability_description": "AWS Certificate Manager", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_certificate_manager", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_cloudtrail", + "capability_description": "AWS CloudTrail", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_cloudtrail", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_directory_service", + "capability_description": "AWS Directroy Service", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_directory_service", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_firewall_manager", + 
"capability_description": "AWS Firewall Manager", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_firewall_manager", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_resource_access_manager", + "capability_description": "AWS Resource Access Manager", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_resource_access_manager", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "aws_security_lake", + "capability_description": "AWS Security Lake", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "aws_security_lake", + "comments": "", + "references": [], + "status": "non_mappable" + }, + { + "capability_id": "amazon_macie", + "capability_description": "Amazon Macie", + "mapping_type": "non_mappable", + "attack_object_id": null, + "attack_object_name": null, + "capability_group": "amazon_macie", + "comments": "", + "references": [], + "status": "non_mappable" + } + ] +} diff --git a/src/mappings_explorer/site_builder.py b/src/mappings_explorer/site_builder.py index ed6ba711..3bcc5333 100644 --- a/src/mappings_explorer/site_builder.py +++ b/src/mappings_explorer/site_builder.py @@ -114,6 +114,8 @@ class ExternalControl: # "13.1", # "14.0", "14.1", + # "16.0", + "16.1" ], "ICS": [ "8.2", @@ -276,10 +278,11 @@ def load_projects(): """ aws.attackDomains = ["Enterprise"] aws.attackDomain = aws.attackDomains[0] - aws.attackVersions = ["9.0"] - aws.versions = ["09.21.2021"] + aws.attackVersions = ["16.1", "9.0"] + aws.versions = ["12.12.2024", "09.21.2021"] aws.validVersions = [ ("09.21.2021", "9.0", "Enterprise"), + ("12.12.2024", "16.1", "Enterprise"), ] aws.mappings = [] aws.resources = [ 
@@ -1731,6 +1734,8 @@ def build_matrix(url_prefix, projects, breadcrumbs):
"13.1",
"14.0",
"14.1",
+ "16.0",
+ "16.1"
],
"ICS": [
"8.2",
@@ -1747,6 +1752,8 @@ def build_matrix(url_prefix, projects, breadcrumbs):
"13.1",
"14.0",
"14.1",
+ "16.0",
+ "16.1"
],
"Mobile": [
"8.2",
@@ -1760,6 +1767,8 @@ def build_matrix(url_prefix, projects, breadcrumbs):
"13.1",
"14.0",
"14.1",
+ "16.0",
+ "16.1"
],
}