Clankerusecase
MITRE ATT&CK detection coverage

T1199 Trusted Relationship

T1199 — Trusted Relationship is a MITRE ATT&CK technique in the Initial Access tactic. Clankerusecase tracks 12 detection use cases covering it and 7 threat-intel articles citing it.

Initial Access
12 Use cases
7 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (12)

AWS EC2 key-pair created · Internal · install · alerting · DD
[WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read · Internal · actions · alerting · DSPDD
Github Commit Changes In Master · ESCU · actions · hunting · P
Github Commit In Develop · ESCU · actions · hunting · P
[LLM] OAuth consent grant to unfamiliar third-party AI / SaaS app — Vercel-style trust chain attack · Bespoke · delivery · hunting · DSΣDD
[LLM] First-seen device/user authenticating to Tchap (tchap.gouv.fr) matrix endpoint · Bespoke · delivery · hunting · DSPDDCS
[LLM] AWS IAM role trust policy created with set-qualified operator on GitHub OIDC sub claim · Bespoke · install · alerting · ΣPDD
[LLM] AssumeRoleWithWebIdentity from GitHub OIDC with unexpected repo/branch sub claim · Bespoke · exploit · hunting · PDD
[LLM] GitHub workflow references actions-cool/issues-helper or maintain-one-comment by tag · Bespoke · delivery · alerting · SPDD
[LLM] Hoppscotch cross-team request injection via moveRequest GraphQL with null nextRequestID · Bespoke · exploit · hunting · SPDD
[LLM] MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin · Bespoke · install · alerting · DSΣP
[LLM] Tag deletion/repointing on critical GitHub Action repositories (configure-aws-credentials v4.3.0 pattern) · Bespoke · weapon · alerting · SΣPDD

Articles citing this technique (7)