Clankerusecase
AWS detection coverage

☁️ AWS detections

Clankerusecase tracks 119 detection use cases covering the AWS attack surface across 66 MITRE ATT&CK techniques.

Detections targeting AWS infrastructure — CloudTrail, IAM, S3, EC2, Lambda, KMS, GuardDuty.

119 use cases · 66 techniques · 16 articles · 5 kill-chain phases

Top techniques on AWS (25)

Delivery (7)

AWS brute-force ConsoleLogin then AssumeRole · Internal delivery · alerting · DDCW
AWS Console login without MFA + impossible travel · Internal delivery · alerting · DDCW
Impossible travel observed for IAM user · Internal delivery · alerting · DDCW
AWS root account activity (any action) · Internal delivery · alerting · DDCW
AWS CloudTrail AccessDenied spike · Internal delivery · alerting · DD
[LLM] Public inbound to PraisonAI Flask listener on TCP/8005 (default port, 0.0.0.0 bind) · Bespoke delivery · alerting · DSPDDCSCW
[LLM] WAV-disguised stager pull from TeamPCP loader 83.142.209.203:8080 · Bespoke delivery · hunting · DSΣPDDCS

Exploitation (4)

[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes · Internal exploit · alerting · DSPDDCW
[LLM] AssumeRoleWithWebIdentity from GitHub OIDC with unexpected repo/branch sub claim · Bespoke exploit · hunting · PDD
[LLM] BodySnatcher (CVE-2025-12420) — Hardcoded 'servicenowexternalagent' Token Observed in HTTP Traffic · Bespoke exploit · alerting · DSΣPDDCS
[LLM] ServiceNow Virtual Agent Invocation of Hidden AIA-Agent Invoker AutoChat Topic (CVE-2025-12420) · Bespoke exploit · alerting · DSPDDCS

Installation (20)

AWS CloudTrail logging configuration modified · Internal install · alerting · DDCW
AWS Config service modified or stopped · Internal install · alerting · DDCW
AWS EC2 security group rules modified · Internal install · alerting · DDCW
AWS GuardDuty detector disabled or deleted · Internal install · alerting · DDCW
AWS IAM AdministratorAccess policy applied to a user · Internal install · alerting · DDCW
AWS IAM policy created / updated / version changed · Internal install · alerting · DDCW
AWS Lambda function code or configuration modified · Internal install · alerting · DDCW
AWS S3 bucket policy modified · Internal install · alerting · DDCW
AWS SecurityHub disabled · Internal install · alerting · DDCW
AWS VPC Flow Log deleted · Internal install · alerting · DDCW
AWS Bedrock model invocation logging disabled · Internal install · alerting · DD
AWS CloudWatch rule deleted · Internal install · alerting · DD
AWS Detective behaviour graph deleted · Internal install · alerting · DD
AWS EBS default encryption disabled · Internal install · alerting · DD
AWS EC2 key-pair created · Internal install · alerting · DD
AWS GuardDuty findings publishing disabled · Internal install · alerting · DD
AWS Network ACL modified · Internal install · alerting · DD
AWS Route53 query logging disabled · Internal install · alerting · DD
AWS S3 public-access-block removed · Internal install · alerting · DD
[LLM] AWS IAM role trust policy created with set-qualified operator on GitHub OIDC sub claim · Bespoke install · alerting · ΣPDD

Command & Control (8)

[LLM] AWS CloudTrail UpdateTrail config tampering (S3 destination swap or validation disabled) · Bespoke c2 · alerting · DSPDDCW
[LLM] Outbound endpoint connections to BRICKSTORM C2 IP 149.248.11.71 · Bespoke c2 · hunting · DSΣPDDCSCW
[LLM] Egress to typosquatted C2 flipboxstudio.info (Laravel-Lang Composer SC) · Bespoke c2 · alerting · DSΣPDDCS
[LLM] Outbound connection to TeamPCP C2 IP 83.142.209.194 · Bespoke c2 · hunting · DSΣPDDCS
[LLM] Trust Wallet Shai-Hulud C2 callback to metrics-trustwallet.com / 138.124.70.40 · Bespoke c2 · alerting · DSΣPDDCS
[LLM] Outbound C2 callback to xygeni-action backdoor IP 91.214.78.178 from CI runner · Bespoke c2 · hunting · DSΣPDDCS
[LLM] Glassworm stage-2/stage-3 C2 callback to 45.32.150.251 or 217.69.3.152 · Bespoke c2 · hunting · DSΣPDD
[LLM] Exfiltration to kubernetes-el attacker webhook.site UUIDs (Pwn Request payload) · Bespoke c2 · alerting · DSΣPDD

Actions on Objectives (80)

AWS access key created (programmatic credential) · Internal actions · alerting · DDCW
AWS ECS cluster deleted · Internal actions · alerting · DDCW
AWS KMS key deleted or scheduled for deletion · Internal actions · alerting · DDCW
AWS RDS DB cluster deleted · Internal actions · alerting · DDCW
AWS S3 bucket ACL / policy made public · Internal actions · alerting · DDCW
AWS EC2 AMI shared publicly · Internal actions · alerting · DD
AWS EBS snapshot made public · Internal actions · alerting · DD
AWS Organization leave initiated · Internal actions · alerting · DD
AWS S3 anomalous bulk download (exfil) · Internal actions · alerting · DD
AWS Secrets Manager retrieval by unfamiliar principal · Internal actions · alerting · DD
[WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read · Internal actions · alerting · DSPDD
ASL AWS IAM AccessDenied Discovery Events · ESCU actions · hunting · P
ASL AWS IAM Assume Role Policy Brute Force · ESCU actions · alerting · P
AWS AMI Attribute Modification for Exfiltration · ESCU actions · alerting · P
AWS Bedrock Delete GuardRails · ESCU actions · alerting · P
AWS Bedrock Delete Knowledge Base · ESCU actions · alerting · P
AWS Bedrock Invoke Model Access Denied · ESCU actions · alerting · P
AWS Console Login Failed During MFA Challenge · ESCU actions · alerting · P
AWS Create Policy Version to allow all resources · ESCU actions · alerting · P
AWS CreateAccessKey · ESCU actions · hunting · P
AWS CreateLoginProfile · ESCU actions · alerting · P
AWS Credential Access Failed Login · ESCU actions · alerting · P
AWS Credential Access GetPasswordData · ESCU actions · hunting · P
AWS Credential Access RDS Password reset · ESCU actions · alerting · P
AWS Defense Evasion PutBucketLifecycle · ESCU actions · hunting · P
AWS Detect Users creating keys with encrypt policy without MFA · ESCU actions · alerting · P
AWS Detect Users with KMS keys performing encryption S3 · ESCU actions · hunting · P
AWS Disable Bucket Versioning · ESCU actions · hunting · P
AWS EC2 Snapshot Shared Externally · ESCU actions · alerting · P
AWS ECR Container Scanning Findings High · ESCU actions · alerting · P
AWS ECR Container Scanning Findings Low Informational Unknown · ESCU actions · hunting · P
AWS ECR Container Scanning Findings Medium · ESCU actions · hunting · P
AWS Exfiltration via Anomalous GetObject API Activity · ESCU actions · hunting · P
AWS Exfiltration via Bucket Replication · ESCU actions · alerting · P
AWS Exfiltration via EC2 Snapshot · ESCU actions · alerting · P
AWS High Number Of Failed Authentications For User · ESCU actions · hunting · P
AWS High Number Of Failed Authentications From Ip · ESCU actions · hunting · P
AWS IAM AccessDenied Discovery Events · ESCU actions · hunting · P
AWS IAM Assume Role Policy Brute Force · ESCU actions · alerting · P
AWS Lambda UpdateFunctionCode · ESCU actions · hunting · P
AWS Multiple Failed MFA Requests For User · ESCU actions · hunting · P
AWS Multiple Users Failing To Authenticate From Ip · ESCU actions · hunting · P
AWS Network Access Control List Created with All Open Ports · ESCU actions · alerting · P
AWS Network Access Control List Deleted · ESCU actions · hunting · P
AWS SAML Update identity provider · ESCU actions · alerting · P
AWS Successful Console Authentication From Multiple IPs · ESCU actions · hunting · P
AWS Successful Single-Factor Authentication · ESCU actions · alerting · P
AWS Unusual Number of Failed Authentications From Ip · ESCU actions · hunting · P
AWS UpdateLoginProfile · ESCU actions · alerting · P
Detect AWS Console Login by New User · ESCU actions · hunting · P
Detect AWS Console Login by User from New City · ESCU actions · hunting · P
Detect AWS Console Login by User from New Country · ESCU actions · hunting · P
Detect AWS Console Login by User from New Region · ESCU actions · hunting · P
Detect New Open S3 buckets · ESCU actions · alerting · P
Detect New Open S3 Buckets over AWS CLI · ESCU actions · alerting · P
Detect Spike in S3 Bucket deletion · ESCU actions · hunting · P
ASL AWS CreateAccessKey · ESCU actions · hunting · P
AWS Cloud Provisioning From Previously Unseen City · ESCU actions · hunting · P
AWS Cloud Provisioning From Previously Unseen Country · ESCU actions · hunting · P
AWS Cloud Provisioning From Previously Unseen Region · ESCU actions · hunting · P
aws detect attach to role policy · ESCU actions · hunting · P
aws detect permanent key creation · ESCU actions · hunting · P
aws detect role creation · ESCU actions · hunting · P
aws detect sts assume role abuse · ESCU actions · hunting · P
aws detect sts get session token abuse · ESCU actions · hunting · P
AWS SAML Access by Provider User and Principal · ESCU actions · hunting · P
Detect new API calls from user roles · ESCU actions · hunting · P
Detect new user AWS Console Login · ESCU actions · hunting · P
Detect Spike in AWS API Activity · ESCU actions · hunting · P
Detect Spike in Security Group Activity · ESCU actions · hunting · P
EC2 Instance Modified With Previously Unseen User · ESCU actions · hunting · P
EC2 Instance Started With Previously Unseen User · ESCU actions · hunting · P
[LLM] AWS CloudTrail trail disabled or deleted (StopLogging / DeleteTrail) · Bespoke actions · alerting · DSΣPDDCW
[LLM] AWS CloudTrail S3 destination bucket emptied or deleted · Bespoke actions · alerting · DSPDDCW
[LLM] AWS CloudWatch Logs group deleted or retention shortened to 1 day · Bespoke actions · alerting · DSPDDCW
[LLM] AWS CloudTrail log file integrity validation disabled (EnableLogFileValidation=false) · Bespoke actions · alerting · DSΣPDDCW
[LLM] Lateral movement via aws ssm send-command or kubectl exec spawned by python/node · Bespoke actions · alerting · DSΣPDDCSCW
[LLM] postmark-mcp BCC exfil to giftshop.club · Bespoke actions · alerting · DSΣPDDCS
[LLM] AWS SSM SendCommand Fan-out from EC2 Instance Role (TeamPCP Worm Propagation) · Bespoke actions · hunting · PDD
[LLM] Bun/Node initiating multi-cloud secret-manager enumeration burst (Sha1-Hulud aL0 harvest) · Bespoke actions · alerting · DSPDDCS

Recent articles citing AWS-targeted detections